Everyone should be aware of these exploits in osCommerce and osCMax shopping cart software.

They allow spam to be sent without logging in, and possibly files to be uploaded. The "sender" becomes YOU, the merchant, whom customers treat as a trusted source.

You need to fix this immediately on any servers you have. It's an easy fix.


I also disabled "admin/mail.php" for good measure since that's what they actually use to send spam. Search your Apache logs.

LFD (part of CSF firewall) will report the excessive e-mails, but only AFTER the spam is sent to all your customers and possibly others.
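
One way to carry out the log search suggested above, as an added example that is not part of the original post: it summarizes requests to "admin/mail.php" per client IP. It assumes Apache's common/combined log format; the function name `mail_php_hits`, the "POST answered 2xx" heuristic and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Prefix of Apache's common/combined log format:
# host ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TARGET = "admin/mail.php"  # script named in the post; adjust if the admin dir is renamed

def mail_php_hits(lines, target=TARGET):
    """Return {client_ip: summary} for every request whose path contains target."""
    hits = defaultdict(lambda: {"requests": 0, "post_2xx": 0,
                                "statuses": Counter(), "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        # Drop the query string, then decode %xx escapes before matching.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        if target not in path:
            continue
        h = hits[m["ip"]]
        h["requests"] += 1
        h["statuses"][m["status"]] += 1
        # Heuristic (assumption): a POST answered 2xx was processed by the script.
        if m["method"] == "POST" and m["status"].startswith("2"):
            h["post_2xx"] += 1
        h["first"] = h["first"] or m["time"]
        h["last"] = m["time"]
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:03:14:07 +0000] "POST /catalog/admin/mail.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:03:14:09 +0000] "POST /catalog/admin/mail%2Ephp HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.23 - - [01/Jan/2024:09:30:00 +0000] "GET /catalog/admin/mail.php HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:09:31:00 +0000] "GET /catalog/index.php HTTP/1.1" 200 8192 "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    ranked = sorted(mail_php_hits(SAMPLE).items(), key=lambda kv: -kv[1]["post_2xx"])
    for ip, h in ranked:
        print(ip, h["requests"], "requests,", h["post_2xx"], "POST 2xx,",
              dict(h["statuses"]), h["first"], "->", h["last"])
```

To run it on a real server, pass an open access-log file to `mail_php_hits` in place of `SAMPLE`, and compare the reported IPs against the addresses you administer the shop from.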