Web Hosting Talk







Help: How do I determine source of spam?


beglobal
03-26-2002, 12:59 AM
Over the past 24 hours, I have received 75 messages or so back from AOL users that I did not send. They are all referencing get-rich schemes, but in the "from" line, it does not list any addresses for domains that I host. It does, however, come back to an address that is mine.

Is there a way to determine if a formmail script I have or something similar is allowing someone to relay email through my server? I have a RaQ3 with POP Before SMTP installed, so I don't know any other way they could be using it.

Any suggestions would be greatly appreciated, as I have no idea what to do next other than remove any email forms I have on my sites.

Thanks in advance.

technoart
03-26-2002, 05:18 PM
You need someone who's received the spam to send you a complete copy of the original message, so you can view the complete header info on the message.

Normally, reading the message headers starting at the _bottom_, reading _upwards_, the 1st "Received" line should be the source of the sender of the spam... If this is one of your server's IPs, etc., then you probably need to check your log files to see what's up with your online forum-to-email scripts, check the script, etc.
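
The bottom-up header reading described above, as an added example that is not part of the original thread: it walks the Received lines oldest first and reports whether the message passed through your server and, if so, whether it was relayed from outside or submitted locally (as a form-to-email script would do). The sample headers, hostnames and addresses are constructed, and the Sendmail-style "(from user@localhost)" local-submission line is an assumption about the server's format.

```python
import email
import re

# Constructed headers of a returned message; addresses are documentation ranges.
SAMPLE_LOCAL = """\
Received: from mail.example.net (mail.example.net [192.0.2.25])
    by mx.recipient.example with ESMTP id A1; Tue, 26 Mar 2002 00:41:10 -0500
Received: (from httpd@localhost)
    by mail.example.net id B2; Tue, 26 Mar 2002 00:41:02 -0500
From: offers@unrelated.example
Subject: constructed sample

body
"""
# Same message, but handed to the server by an outside host (relay case).
SAMPLE_RELAY = SAMPLE_LOCAL.replace(
    "(from httpd@localhost)", "from x (unknown [203.0.113.77])")

# Assumption: the receiving MTA records the peer address as "[a.b.c.d]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the sending IP of each hop, oldest (bottom header) first."""
    headers = email.message_from_string(raw).get_all("Received") or []
    hops = []
    for value in reversed(headers):
        # Only the "from ..." clause names the sender; ignore the "by" part.
        from_part = re.split(r"\sby\s", value, maxsplit=1)[0]
        match = IP_RE.search(from_part)
        hops.append(match.group(1) if match else None)
    return hops


def classify(raw, my_ips):
    """Say how the message reached my server, judged from Received lines."""
    hops = received_hops(raw)
    for i, ip in enumerate(hops):
        if ip in my_ips:
            # Hop i was written by the next server about mine; hop i-1 is
            # what my own server recorded about whoever handed it the mail.
            prev = hops[i - 1] if i > 0 else None
            if prev is None or prev.startswith("127."):
                return "local-submission"   # script or local user on the box
            return "relayed-from:" + prev   # outside host used the server
    return "not-my-server"                  # only the return address is mine
```

Received lines added before the first server you trust can be forged, so treat anything below your own server's hop as a claim rather than a fact.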

AMJones
03-26-2002, 07:13 PM
Almost every time this happens to me (4 or 5 times in a few years) it's because a customer has installed a form2email script that either has no security, or they've disabled the security.

I recommend to our customers that they not only use a form with referrer checking, but that they *never* name it "formmail.cgi" or "formmail.pl" or other possible common names. There are various spiders that check for a /cgi-bin/formail.cgi -- and attempt to use it for spam if it's there. The name change reduces the efforts at least.