I hope this is the right place for me to ask my question here.
We are using Windows 2003 Web ed. with IIS 6.0. We have a lot of websites hosted on our servers, and some of them may be using CDOSYS in their scripts to handle mails. We are not the website admins or the programmers, only hosting the sites.
Recently, we received a report that our server has been used to spam, and the mail headers show this:
X-Mailer: Microsoft CDO for Windows 2000
with our server's IP as the sender. My guess is that that shows that it was sent using CDOSYS scripts, am I right?
There are thousands (if not tens of thousands) of files on the server, so looking it up manually one by one isn't a very promising way of tracking down the spammer.
Is there any way to track down which scripts (if it's done by script) are sending the spam? I've tried to look at IIS's logs, Event Viewer, and searched the web logs, but found nothing at all. IIS's SMTP logs only show that there is some SMTP activity to send out e-mails by the spammer, but they don't lead to how it was done, or which scripts it was using.
Also, are there any logs or configuration settings specifically for CDOSYS? Like, so I can block certain headers/body/e-mail address in from/to of the mail?
Any help/hints on how I can track the spammer would be greatly appreciated. Thank you in advance!
This account was created one day before the spammage headache started. I checked, it has default.asp which only has CDOSYS code. Looking at the website's logs, they are all POSTs from different IPs; that is all the activity of the site. However, I cannot prove that this is the person who does the spam, other than my suspicion based on what I found.
Is there a way to make CDO add an extra header that may show certain info such as the script's owner/user, etc?
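
Added example, not part of the original post: one way to narrow down the sending script is to correlate POST requests in the per-site IIS W3C logs with the timestamps in the SMTP service log and rank the scripts that are repeatedly followed by mail activity. The function names, the 5-second window and the log lines are constructed for illustration, and it is assumed that both logs are in W3C extended format with the fields shown enabled.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the post); both use W3C extended format.
WEB_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename cs-method cs-uri-stem c-ip sc-status
2009-03-01 10:00:01 W3SVC101 POST /default.asp 203.0.113.5 200
2009-03-01 10:00:07 W3SVC102 GET /index.asp 198.51.100.7 200
2009-03-01 10:00:09 W3SVC101 POST /default.asp 203.0.113.9 200
2009-03-01 10:05:00 W3SVC103 POST /contact.asp 198.51.100.20 200
""".splitlines()
SMTP_LOG = """#Fields: date time s-sitename cs-method sc-status
2009-03-01 10:00:02 SMTPSVC1 RCPT 250
2009-03-01 10:00:10 SMTPSVC1 RCPT 250
2009-03-01 10:03:00 SMTPSVC1 RCPT 250
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can reappear after a restart
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if "date" in row and "time" in row:
                row["ts"] = datetime.strptime(
                    row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
                yield row

def rank_scripts(web_lines, smtp_lines, window_seconds=5):
    """Count, per (site, script), POSTs followed by SMTP activity within the window."""
    smtp_times = sorted(r["ts"] for r in parse_w3c(smtp_lines))
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for r in parse_w3c(web_lines):
        if r.get("cs-method") != "POST":
            continue
        if any(r["ts"] <= t <= r["ts"] + window for t in smtp_times):
            hits[(r.get("s-sitename", "?"), r.get("cs-uri-stem", "?"))] += 1
    return hits.most_common()                  # most suspicious script first

if __name__ == "__main__":
    for (site, script), count in rank_scripts(WEB_LOG, SMTP_LOG):
        print(site, script, count)
```

The number in the `s-sitename` value (`W3SVC<id>`) is the IIS site identifier, which maps the top-ranked script back to a hosted site and its account.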