Web Hosting Talk

How to Trace a Spammer


Jedito
09-26-2001, 03:08 AM
We have a spammer sending email from our server right now.
How can we find out which user it is?

I tried grep -i globalleads@0-0.net exim_mainlog, where "globalleads@0-0.net" is the header address (which we don't host), and it only shows me: 2001-09-26 00:18:42 15m69h-0001WS-00 => globalleads@0-0.net R=lookuphost T=remote_smtp H=mail.0-0.net [xxx.xxx.xxx.xxx]
I also tried a ps aux to see if they are sending out through a formmail, but no :(
Any help?

Jm4n
09-26-2001, 04:27 AM
Are you configured as an open relay? If so, first fix that.

If not, what is your criteria for sending mail? Are you allowing by IP, or POP-before-Send, or requiring that the From: or To: address be a domain you host?

Whichever of these methods you're using, you should be able to use that information to track which account is responsible. If you're using POP-before-send (and hopefully logging the IPs), try finding it by source IP. If you're requiring that the From: or To: address be something you host, look for those two pieces of information.

If none of this helps, let me know what method you are using to validate sent mail, and what mail software you're using (Sendmail, Qmail, something else)...

Jedito
09-26-2001, 04:39 AM
I use POP-before-send.
We also use Sendmail.

I tried following the IP that is sending those emails,
but the guy is using rotating proxies,
so I don't know where he is located.

Here I copy a spam complaint header:


Return-Path: <globalleads@0-0.net>
Received: from smtp1.xxxx.com ([216.55.128.12] verified)
by mail1.xxxxx.com (CommuniGate Pro SMTP 3.4.7)
with ESMTP id 8755029 for xxxxx@xxxx.com; Tue, 25 Sep 2001
21:03:58 -0700
Received: from dth.sexy-hosting.com ([66.78.56.44])
by smtp1.xxxx.com (8.11.6/8.11.6) with ESMTP id f8Q43v818834
for <xxxxx@x***********>; Tue, 25 Sep 2001 21:03:57 -0700 (PDT)
Received: from [213.56.84.65] (helo=QRJATYDI)
by dth.sexy-hosting.com with asmtp (Exim 3.20 #1)
id 15m5tH-0000Y6-00; Wed, 26 Sep 2001 00:01:43 -0400
From: "globalleads@0-0.net" <globalleads@0-0.net>
To:
Subject: eeeeeee
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Date: Wed, 26 Sep 2001 7:55:39 +0300
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-2"
Message-Id: <E15m5tH-0000Y6-00@dth.sexy-hosting.com>
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - dth.sexy-hosting.com
X-AntiAbuse: Original Domain - abac.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [0 0]
X-AntiAbuse: Sender Address Domain - 0-0.net

Maybe you can see something that I can't.

Thanks in advance for your help

DHWWnet
09-26-2001, 04:57 AM
Jedito,

remove all FormMail-related scripts in all the virtual sites, or at least remove all the cgi script permissions; it looks like a remote exploit through formmail or something, or possibly an Apache exploit.

get your sysadmin/provider involved in this issue. Spam is a very serious issue as far as I'm concerned.

Vortech
09-26-2001, 05:08 AM
We had a few cgi spammers a few weeks ago. Not sure if it's the same thing, but they had files named 85634856.cgi (the numbers changed with each upload); the way it looked to work was this.

Some software would FTP the file up, use it to send the mail, and as soon as it was done it deleted it, making it very hard to find. They were using our system to send from, going to an open relay, making it look like it was coming from us.

This leaves no log in exim, sendmail or anywhere really, except in the http logs. This makes it very, very hard to find.

That's about all I know; not sure if it helps, but this is how they were doing it to us two weeks ago, not sure if it's new or what. But it was not fun to find, I know that.

Jedito
09-26-2001, 05:23 AM
No. I was watching the exim log when the bastard was spamming, and there are logs. But I couldn't identify which account it is.
Also I ran ps aux at the moment of the spam and no .cgi was running.

DHWWnet
09-26-2001, 05:27 AM
I think they cannot be identified by their unix/system username because they are running the scripts in Apache.

Jedito
09-26-2001, 05:58 AM
Yes, but with ps aux I should see if any .cgi is running.
But none was running at that moment :(

Jm4n
09-26-2001, 06:23 AM
My point earlier was this: if they are *not* using a script, e.g. they are bouncing through your mail relay via POP-before-send, then *you know who they are*. Or at least the information should be there.

When a user POPs (checks their mail), their current IP is logged. For a brief window they are allowed to send mail. Find out *which* account POPed with the IP that was sending the mail and you have your culprit.

Now, if your mail server doesn't log that much information, then you need to do some config changes. I don't use Sendmail so I don't know how you would go about this. I use Qmail with a custom-written set of shell scripts to implement POP-before-send, and I log who does what from where.

Jedito
09-26-2001, 06:49 AM
Finally I got it :)

After reading the exim log I found:

2001-09-25 23:25:01 15m5Jk-0007f8-00 <= globalleads@0-0.net H=(OIIBLXBP) [xxx.xxx.xxx.xxx] P=asmtp A=fixed_login:x3@freesp101.net S=3869
2001-09-25 23:25:05 15m5Jo-0007f9-00 <= globalleads@0-0.net H=(QTCBSFWN) [xxx.xxx.xxx.xxx] P=asmtp A=fixed_login:x3@freesp101.net S=3880


So... the spammer is freesp101.net, beware of them :)
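The attribution Jm4n describes (match the sending IP against who POPed from it in the relay window) and the A=fixed_login:... field that finally gave Jedito the account can both be automated over the Exim main log. The script below is an added example, not code from the thread or any of its posters. It parses Exim "<=" arrival lines in the format quoted above, names the account behind each message (the SMTP AUTH login when A= is present, the local unix user when Exim logs a local submission with U=, otherwise the latest POP login from the same IP inside a time window), counts messages per account, and pulls the Exim message id out of a complaint's Received: header so the matching arrival line can be looked up. The log excerpt, the POP login records and their "date time account ip" layout, the IPs (documentation range 203.0.113.0/24), the victim and alice addresses, the U=nobody line and all function names are assumptions constructed for the example; only the sender, HELO names, message ids and the fixed_login field are taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Exim main-log excerpt (not the thread's real log). Message ids, the
# sender, the HELO names and A=fixed_login:x3@freesp101.net mirror the lines quoted
# in the thread; IPs are documentation addresses. "<=" lines are arrivals, "=>"
# lines are deliveries; only arrivals identify the submitter. The U=nobody line
# is an assumed local submission from a CGI running as the web-server user.
EXIM_MAINLOG = """\
2001-09-25 23:25:01 15m5Jk-0007f8-00 <= globalleads@0-0.net H=(OIIBLXBP) [203.0.113.65] P=asmtp A=fixed_login:x3@freesp101.net S=3869
2001-09-25 23:25:02 15m5Jk-0007f8-00 => victim@example.net R=lookuphost T=remote_smtp H=mail.example.net [203.0.113.200]
2001-09-25 23:25:05 15m5Jo-0007f9-00 <= globalleads@0-0.net H=(QTCBSFWN) [203.0.113.66] P=asmtp A=fixed_login:x3@freesp101.net S=3880
2001-09-25 23:31:40 15m5Qe-0007h3-00 <= globalleads@0-0.net H=(ZKQPMWLA) [203.0.113.77] P=smtp S=3871
2001-09-25 23:40:12 15m5Yv-0007k0-00 <= alice@example.org H=(alice-pc) [203.0.113.9] P=esmtp S=1204
2001-09-25 23:45:00 15m5dX-0007m2-00 <= nobody@host.example U=nobody P=local S=2900
2001-09-26 00:01:43 15m5tH-0000Y6-00 <= globalleads@0-0.net H=(QRJATYDI) [203.0.113.65] P=asmtp A=fixed_login:x3@freesp101.net S=3902
"""

# Constructed POP-before-SMTP login records. The thread shows no POP log format,
# so this "date time account ip" layout is an assumption; all that matters is
# that account and source IP are recorded together.
POP_LOGINS = """\
2001-09-25 23:20:30 x3@freesp101.net 203.0.113.77
2001-09-25 23:38:02 alice@example.org 203.0.113.9
"""

# Constructed Received: header in the shape of the one quoted in the thread.
RECEIVED_HEADER = """\
Received: from [203.0.113.65] (helo=QRJATYDI)
    by dth.sexy-hosting.com with asmtp (Exim 3.20 #1)
    id 15m5tH-0000Y6-00; Wed, 26 Sep 2001 00:01:43 -0400
"""

ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+)"
    r"(?: H=(?P<host>[^\[]*?) ?\[(?P<ip>[^\]]+)\])?"  # remote host/HELO and IP
    r"(?: U=(?P<user>\S+))?"                           # local unix user (local submission)
    r"(?: P=(?P<proto>\S+))?"                          # asmtp, esmtp, smtp, local
    r"(?: A=(?P<auth>\S+))?"                           # authenticator:login (SMTP AUTH)
    r" S=(?P<size>\d+)"
)
RECEIVED_RE = re.compile(r"with (?P<proto>\w+) \(Exim [^)]*\)\s+id (?P<id>\S+?)[;\s]")
TS = "%Y-%m-%d %H:%M:%S"


def parse_arrivals(log_text):
    """One dict per '<=' arrival line. '=>' delivery lines (what a grep on the
    recipient address finds) carry no submitter information and are skipped."""
    arrivals = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS)
        # A=authenticator:login -> keep the login, i.e. the account that authenticated
        rec["login"] = rec["auth"].split(":", 1)[1] if rec["auth"] and ":" in rec["auth"] else None
        arrivals.append(rec)
    return arrivals


def parse_pop_logins(log_text):
    logins = []
    for line in log_text.splitlines():
        date, time, account, ip = line.split()
        logins.append({"ts": datetime.strptime(f"{date} {time}", TS), "account": account, "ip": ip})
    return logins


def attribute(arrivals, pop_logins, window=timedelta(minutes=30)):
    """Map each message id to the responsible account: the SMTP AUTH login if there
    is one, the unix user for a local submission, else the latest POP login from the
    same IP inside the relay window, or None if nothing matches (open relay, or
    POP logins not being logged)."""
    result = {}
    for a in arrivals:
        if a["login"]:
            result[a["id"]] = a["login"]
        elif a["user"]:
            result[a["id"]] = "local:" + a["user"]
        else:
            hits = [p for p in pop_logins
                    if p["ip"] == a["ip"] and timedelta(0) <= a["ts"] - p["ts"] <= window]
            result[a["id"]] = max(hits, key=lambda p: p["ts"])["account"] if hits else None
    return result


def submissions_per_account(arrivals, pop_logins):
    """Message count per attributed account; the account with the burst is the culprit."""
    counts = defaultdict(int)
    for acct in attribute(arrivals, pop_logins).values():
        counts[acct or "<unattributed>"] += 1
    return dict(counts)


def exim_id_from_received(header_text):
    """Pull the Exim message id and submission protocol out of a (folded) Received:
    header from a complaint, so the '<=' line with the A= field can be looked up."""
    m = RECEIVED_RE.search(" ".join(ln.strip() for ln in header_text.splitlines()))
    return (m.group("id"), m.group("proto")) if m else None


def find_arrival(arrivals, msg_id):
    return next((a for a in arrivals if a["id"] == msg_id), None)


if __name__ == "__main__":
    arrivals = parse_arrivals(EXIM_MAINLOG)
    logins = parse_pop_logins(POP_LOGINS)
    for msg_id, acct in attribute(arrivals, logins).items():
        print(msg_id, "->", acct)
    print(submissions_per_account(arrivals, logins))
    msg_id, proto = exim_id_from_received(RECEIVED_HEADER)
    print(msg_id, proto, "->", find_arrival(arrivals, msg_id)["login"])
```

Two practical notes on the thread. The grep in the first post matched a "=>" delivery line, which only records where the message went; the "<=" line with the same message id (here 15m69h-0001WS-00) is the one that carries H=, P= and, for an authenticated submission, A=. And the complaint header already named the message id and the protocol ("with asmtp ... id 15m5tH-0000Y6-00"), so that id alone would have led straight to the fixed_login account without needing to chase the rotating proxy IPs.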