Full Version: Server suspended for sending spam
The Planet Forums > System Administration > Mail Hosting
samuelmf

Hi, my server has been suspended for sending spam and I don't know where on my server the spam originates. Here is a copy of the ticket that the people of the abuse dept. sent to me, telling me that my server is sending spam:


Dear Customer,

The Planet or its upstream providers has received a complaint related to a probable violation of the Acceptable Use Policy (AUP). We are forwarding a sample of the reports, requesting that you take appropriate measures to address the issue.

It is very important that you take action on this matter and respond to this ticket within the deadline specified. Failures to investigate, address the issue, and update this ticket with the root cause and actions taken to resolve the problem may result in service interruption. Consider this your only notification. If there is no productive reply, or if the abuse does not cease, Policy Enforcement will be forced to interrupt and/or terminate your service to protect the integrity of the network.

For general reference regarding The Planet's stance on abuse, refer to:
http://www.theplanet.com/about_us/legal.asp

Please direct any questions regarding this specific issue directly in this ticket, or open a new ticket if you are unable to update this ticket due to being logged in on a different user account.

The server in question has been identified as the origin of fraudulent spam messages. This issue needs to be addressed quickly to prevent blacklisting, for which fees may be assessed for removal.


Please investigate, resolve the issue, and update this ticket with your actions, referencing the attached reports for details. Failure to perform these actions within 24 hours will result in service interruption. Thank you in advance for your time, efforts, and cooperation.


Regards,
Nick
Abuse Department
The Planet

QUOTE

From Mrs. Maryann Williams Fri Nov 28 01:13:50 2008
X-Apparently-To: m5000cowan@yahoo.com via 216.252.110.217; Fri, 28 Nov 2008 05:28:39 -0800
Return-Path: <marywilliamsann4@netscape.net>
X-Originating-IP: [69.57.138.34]
Authentication-Results: mta128.mail.re3.yahoo.com from=netscape.net; domainkeys=neutral (no sig)
Received: from 69.57.138.34 (EHLO opower.opowerserver.net) (69.57.138.34)
by mta128.mail.re3.yahoo.com with SMTP; Fri, 28 Nov 2008 05:28:36 -0800
Received: from localhost ([127.0.0.1] helo=cappiura.org.pe)
by opower.opowerserver.net with esmtpa (Exim 4.69)
(envelope-from <marywilliamsann4@netscape.net>)
id 1L5zQ6-0000FE-Sc; Fri, 28 Nov 2008 03:13:50 -0600
Received: from 41.220.75.3 ([41.220.75.3])
(SquirrelMail authenticated user webmaster@cappiura.org.pe)
by cappiura.org.pe with HTTP;
Fri, 28 Nov 2008 03:13:50 -0600 (CST)
Message-ID: <49406.41.220.75.3.1227863630.squirrel@cappiura.org.pe>
Date: Fri, 28 Nov 2008 03:13:50 -0600 (CST)
Subject: Re:Greetings
From: "Mrs. Maryann Williams"<marywilliamsann4@netscape.net>
Reply-To: marywilliamsann4@netscape.net
User-Agent: SquirrelMail/1.4.13
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - opower.opowerserver.net
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - netscape.net
Content-Length: 1529

MIME element (text/plain)

Dear friend,

My name is Mrs. Mary-Ann Williams, a wife of late Mr. George Williams, an
American Businessman.I got your contact through the listed postal address
in your country. I lost my husband recently to the international disaster
in West Indonesia (the Tsunami attack) and I am also receiving treatment
after the exposure to the hard conditions of the Tsunami. I have been
diagnosed with Esophageal cancer .It has defiled all forms of medical
treatment,and right now I have only about a few months to live, according
to medical experts.

My Late husband and I before is death once asked members of his family to
close one of our accounts and distribute the money which he had there to
charity organization in Ethiopia and Somalia; they refused and kept the
money to themselves. Hence, I do not trust them anymore, as they seem not
to be contended with what my late husband have left for them.

The last of my money, which no one knows of, is secured in a bank in
Europe worth US$15,000,000.00 (Fifteen million United States dollars
only)and secretly defaced and is coded for security reasons; this could be
release in short notice when a willing and acceptable partner emerges.

I will want you to help me collect this deposit and dispatched it to
charity organizations.I have set aside 20% for you and for your time
during this process

Please get back to me with the below information and i will give you more
details.

Name
Address in full
Telephone

I await your immidiate response


Regards,
Mrs Mary Ann Williams.




Please help me to understand this: where on my server the spam originates and how to solve it. I have my server suspended, and my customers are angry that they cannot send mail. SOS PLEASE!

I'm so nervous about this situation; my server is suspended, and the technicians tell me that finding the solution is out of their scope and that I must contract paid advanced services!
I have RHES 3 installed on my server and the program that manages the email is Exim.

Please help me to solve this ASAP

apac
Seems I have the same issue via Magichost who have their servers with The Planet.

The solution apparently is to suspend the offending account and not offer any advice or help other than to make a backup, which I have tried to download a dozen times with no completion.

Maybe my response is harsh, and I know The Planet and its resellers; I know they are not the low-life scumbags causing this nightmare for us, but surely they can reopen the accounts so we can check scripts.

And surely there is a range of solutions, this must have happened before and been fixed. There must be certain code or scripts, files, etc to look out for.

There can't be a thousand different impossible solutions, and if there are then the whole internet is doomed within a very short time period.

Any help or suggestions would be much appreciated.
Catalyst
That's easy ... It came from Webmail on the domain cappiura.org.pe on your box. Figuring out which user it is might be a little difficult, but I'd start by maybe `grep -ri marywilliams /home/virtual/cappiura.org.pe/var/www/squirrelmail-data` and see if you get a hit, then look at the filename to see what user it actually belongs to. Otherwise, I'd suspect the entire site until that customer gets a handle on its users...
knowhim
I have the same problem. I really don't think my customer is doing this, as he got in touch with me before The Planet did and said he thought something was wrong. I don't know where to look. Anyone out there able to give more advice??

From Agent lavine Ferdon Thu Dec 11 08:01:22 2008
X-Apparently-To: kolsonjk42@yahoo.com via 68.142.206.34; Thu, 11 Dec 2008 08:01:33 -0800
Return-Path: <info@grahamchurch.org>
X-Originating-IP: [66.98.242.90]
Authentication-Results: mta138.mail.re3.yahoo.com from=grahamchurch.org; domainkeys=neutral (no sig)
Received: from 66.98.242.90 (EHLO srv02.arkwebs2.com) (66.98.242.90)
by mta138.mail.re3.yahoo.com with SMTP; Thu, 11 Dec 2008 08:01:33 -0800
Received: from [82.128.18.198] (helo=ikenna-5e48c657)
by srv02.arkwebs2.com with esmtpa (Exim 4.69)
(envelope-from <info@grahamchurch.org>)
id 1LAnyf-0005Yd-NA; Thu, 11 Dec 2008 10:01:28 -0600
Reply-To: <ferdon.lavine01@live.com>
From: "Agent lavine Ferdon" <info@grahamchurch.org>
Subject: CYBER WIRETAP AND FUNDS RECOVERY UNIT
Date: Thu, 11 Dec 2008 08:01:22 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ArkWebs-MailScanner-Information: Please contact the ISP for more information
X-ArkWebs-MailScanner-ID: 1LAnyf-0005Yd-NA
X-ArkWebs-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-ArkWebs-MailScanner-SpamCheck:
X-ArkWebs-MailScanner-From: info@grahamchurch.org
X-Spam-Status: No
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - srv02.arkwebs2.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - grahamchurch.org
Content-Length: 3336

MIME element (text/plain)
CYBER WIRETAP AND FUNDS RECOVERY UNIT,
FEDERAL BUREAU OF INVESTIGATION (FBI)
J.EDGAR HOOVER BUILDING
935 PENNSYLVANIA AVENUE,
NW WASHINGTON, D.C
20535-0001, USA.
WEB PAGE: www.fbi.gov

Kind Attention,

We believe this notification meets you in a very good state of mind and health. The FEDERAL BUREAU OF INVESTIGATION (FBI) Washington, D.C United States of America in conjunction with some other relevant Investigative Agencies here in the USA have recently been informed through our Global intelligence monitoring network that you have a pending FUND transaction with a Bank regarding to an over-due Inheritance/Award payment which was fully endorsed to be paid in your favor.

It might interest you to know that we have taken out time in screening through this whole transaction as stipulated on our protocol of operation and have finally confirmed that BARCLAYS BANK PLC,is the authorized financial institution scheduled to make your payment in line with their remittance requirements.

Several investigations by us have shown that you have been dealing with some unauthorized persons and banks regarding the transfer of these funds to your bank account.

Our UK attached agent recently had a meeting with the Manager of BARCLAYS BANK PLC, in the person of MR. NAIL WHITE along with some other top officials of BARCLAYS BANK PLC, regarding your case and they made us to understand that your file has been held in a base pending when you personally file in for your claims.

They intimated him that the only problem they are facing right now is that some unscrupulous elements are using this project as an avenue to scam innocent people off their hard earned money by impersonating to be STAFF OF BANKS and its affiliates.

We were also made to understand that a man with name Mr. Harold Bailey from Ohio,United States Of America has already contacted them and also presented to them all the necessary documentations evidencing your claim purported to have been signed personally by you prior to the release of your funds to him,though they insisted on hearing from you personally before they could go ahead on wiring the funds to the Bank information provided by the above named Man.

It is basically one of the main reasons why they contacted us,to enable us assist them in carrying out proper investigation and subsequently informing you of their mandate to remitting your funds.

Most importantly,we advise that you discontinue further dealings with any person or organization posing as staff or affiliate of any bank or agency concerning the transfer of your funds. In your own interest, you are advised to immediately contact BARCLAYS BANK PLC, LONDON on the following details for the onward remittance of your funds.

CONTACT PERSON: Mr Chris Lucas.
ADDRESS: 1 Churchill Place,Canary Wharf,London.
Private Banking Section: +(44) 7624199185.
EMAIL: barclays00098@live.com
OFFICIAL WEBPAGE: www.barclays.com

Ensure that you comply with all their remittance procedures and also furnish them with your full details (Full names and address, direct telephone and fax numbers, source of funds, Expected Amount, etc) to enable them in their verification processes before the release of your funds.

Best Regards,

Agent Lavine F. Ferdon.
FBI Special Agent.
Federal Bureau of Investigation(FBI)
Washington DC, USA.
WEB: www.fbi.gov.
Catalyst
Apac needs to secure the password on the webmaster account, and make sure whatever software is running on that domain is up to date.

You need to secure the password on the "info" account, and make sure whatever software is running on that domain is up to date.
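Catalyst's two replies both come down to reading the Received chain to find which login on the box submitted the mail. As an added example (not from this thread or from The Planet's support), the Python below parses the Received hops of both quoted abuse reports and reports the submitting account, its source IP and the Exim queue id, covering the SquirrelMail webmail case and the plain SMTP-AUTH (esmtpa) case; the header excerpts are trimmed from the reports above, and the parsing logic and field names are the example's own.

```python
import re
# Received chains trimmed from the two abuse reports quoted in this thread (folded lines indented).
SAMPLE_WEBMAIL = """\
Received: from 69.57.138.34 (EHLO opower.opowerserver.net) (69.57.138.34)
  by mta128.mail.re3.yahoo.com with SMTP; Fri, 28 Nov 2008 05:28:36 -0800
Received: from localhost ([127.0.0.1] helo=cappiura.org.pe)
  by opower.opowerserver.net with esmtpa (Exim 4.69)
  (envelope-from <marywilliamsann4@netscape.net>)
  id 1L5zQ6-0000FE-Sc; Fri, 28 Nov 2008 03:13:50 -0600
Received: from 41.220.75.3 ([41.220.75.3])
  (SquirrelMail authenticated user webmaster@cappiura.org.pe)
  by cappiura.org.pe with HTTP;
"""
SAMPLE_SMTP_AUTH = """\
Received: from 66.98.242.90 (EHLO srv02.arkwebs2.com) (66.98.242.90)
  by mta138.mail.re3.yahoo.com with SMTP; Thu, 11 Dec 2008 08:01:33 -0800
Received: from [82.128.18.198] (helo=ikenna-5e48c657)
  by srv02.arkwebs2.com with esmtpa (Exim 4.69)
  (envelope-from <info@grahamchurch.org>)
  id 1LAnyf-0005Yd-NA; Thu, 11 Dec 2008 10:01:28 -0600
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def unfold(headers):
    """Join folded header lines so each Received hop is one string."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def triage(headers):
    """Walk hops bottom-up (origin first); name the account that submitted the mail."""
    hops = [h for h in unfold(headers) if h.startswith("Received:")]
    res = {"method": None, "account": None, "source_ip": None, "exim_id": None}
    for hop in reversed(hops):
        ip = re.search(r"from \[?" + IP, hop)
        src = ip.group(1) if ip else None
        web = re.search(r"SquirrelMail authenticated user (\S+)\)", hop)
        if web:  # webmail: the login name is right in the header
            res.update(method="webmail", account=web.group(1), source_ip=src)
        elif "with esmtpa" in hop:  # authenticated SMTP session on our own Exim
            eid = re.search(r"\bid (\S+);", hop)
            res["exim_id"] = eid.group(1) if eid else None
            if res["method"] is None:  # not already pinned to a webmail login
                env = re.search(r"envelope-from <([^>]+)>", hop)
                res.update(method="smtp-auth", account=env and env.group(1), source_ip=src)
            break  # everything above this hop is relay, not origin
    return res
```

For an esmtpa hop the header only shows the envelope sender; the login actually used is recorded in the A= field of the matching queue-id line in Exim's main log, and that is the account whose password needs changing.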