Full Version: Find out who is spamming from our server
Steele
Hi all,

We have been having a problem with some user sending spam out of our server. He is sending out PayPal phishing site spam. Also, the mail queue gets into the thousands every few days because of this. We are unable to determine which user this is. This is becoming a serious problem, because the server gets listed with SpamCop way too often now.

I was wondering if there is a way to find out which user is responsible for this.

Thanks!


Below are headers of a sample email (I changed the domain names):
-----------------------------------------------------

1EoTZ1-0001Xj-39-H
nobody 99 99

1135031583 0
-ident nobody
-received_protocol local
-body_linecount 88
-auth_id nobody
-auth_sender nobody@host2.mydomain.com
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
XX
1
someone_123@yahoo.com

152P Received: from nobody by host2.mydomain.com with local (Exim 4.52)
id 1EoTZ1-0001Xj-39
for someone_123@yahoo.com; Mon, 19 Dec 2005 17:33:03 -0500
024T To: someone_123@yahoo.com
048 Subject: Notification of Limited Account Access
060F From: PayPal Account Review Department
011R Reply-To:
018 MIME-Version: 1.0
024 Content-Type: text/html
032 Content-Transfer-Encoding: 8bit
057I Message-Id:
038 Date: Mon, 19 Dec 2005 17:33:03 -0500
theuruguayan
You need to modify your Exim to be able to track where it is sending from. You can do this by going to WHM -> Tweak Settings -> Add X-Headers.

This should add a line in the header with the path of the script that is sending.
In case that shows clean, it's time to check the full message for any clue.
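
Added example, not part of either post above: a small parser for the Exim `-H` spool header format quoted in the question, which pulls out the submitting system user (`-ident`) and `-received_protocol` so that queued messages can be tallied by local submitter. The function names and the sample text are constructed for illustration; the sample is modelled on the quoted header, with the envelope sender line filled in as an assumption.

```python
import re
from collections import Counter

HDR = re.compile(r"^(\d{3})([A-Z* ]) ?(\S.*)$")  # length, flag char, header text

def parse_spool_header(text):
    """Parse the text of one Exim -H spool file into a dict."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2], "opts": {}, "headers": []}  # drop "-H" suffix
    msg["user"], msg["uid"], msg["gid"] = lines[1].split()
    i = 2
    while not re.fullmatch(r"\d+ \d+", lines[i]):
        i += 1                        # envelope sender line, may be empty
    i += 1                            # skip "<receive time> <warning count>"
    while lines[i].startswith("-"):   # "-name value" or a bare "-flag"
        key, _, val = lines[i][1:].partition(" ")
        msg["opts"][key] = val or True
        i += 1
    while not lines[i].isdigit():
        i += 1                        # non-recipient tree ("XX" when empty)
    count = int(lines[i])
    msg["rcpts"] = lines[i + 1:i + 1 + count]
    for line in lines[i + 1 + count:]:
        m = HDR.match(line)
        if m:
            msg["headers"].append(m.group(3))
        elif line.strip() and msg["headers"]:
            msg["headers"][-1] += " " + line.strip()  # folded header line
    return msg

def local_submitters(messages):
    # Count locally injected messages per submitting system user.
    return Counter(m["opts"].get("ident", m["user"]) for m in messages
                   if m["opts"].get("received_protocol") == "local")

# Constructed sample, modelled on the spool header quoted in the thread.
SAMPLE = """1EoTZ1-0001Xj-39-H
nobody 99 99
<nobody@host2.mydomain.com>
1135031583 0
-ident nobody
-received_protocol local
XX
1
someone_123@yahoo.com

152P Received: from nobody by host2.mydomain.com with local (Exim 4.52)
        id 1EoTZ1-0001Xj-39
048  Subject: Notification of Limited Account Access
"""
```

A tally dominated by `nobody` with protocol `local`, as in the quoted message, means the mail was injected on the server itself by a process running as that account rather than relayed over SMTP, which is the case the X-Headers setting is meant to narrow down to a script path.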