
How to track down a relayed spammer using our box?

Traged1

Guest
I have a few PLESK 8.1 Windows boxes with Mail Enable Pro MTA. I have been getting hundreds of mail failure notices like the following:

MailEnable: Message could not be delivered to some recipients.
The following recipient(s) could not be reached:

Recipient: [SMTP:[email protected]]
Reason: Remote SMTP Server Returned: 550-"The recipient cannot be verified. Please check all recipients of this
550 message to verify they are valid."


Message headers follow:

From: "Postmaster" <Postmaster>
To: <[email protected]>
Subject: Delivery Failure
Date: Sun, 24 Dec 2006 06:30:47 -0500
Message-ID: <[email protected]>
Precedence: bulk

This does not provide much info on the source of the spam?

Tracking down [email protected] in the SMTP action log shows:
12/24/06 06:30:42 SMTP-IN 4A0AAAB5B73044B8BD211C1C97779406.MAI 1108 70.114.215.179 EHLO EHLO 250-xtreme-host.biz [70.114.215.179], this server offers 4 extensions 133 7
12/24/06 06:30:42 SMTP-IN 4A0AAAB5B73044B8BD211C1C97779406.MAI 1108 70.114.215.179 MAIL MAIL FROM: <[email protected]> 250 Requested mail action okay, completed 43 39

How do I find the script which is relaying this spam from our servers? Any ideas?

The server is set up to auth all SMTP connections, so this must be a user script or account set up on the server by one of our customers which is being used for spamming; as a result our IPs are getting blacklisted by many RBLs. We need a means to track this spammer down, please help.
 
What type of scripting do you offer on your servers? Look at the PHP, ColdFusion, ASP, etc. logs to see what email they're passing on to your mail server(s). Also look for "form-mail" scripts that are being exploited.

Hope that helps a bit. Let us know what you find.
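One way to work through the SMTP activity log before digging into the script logs, as an added example that is not from this thread, from Plesk or from MailEnable: it parses the SMTP-IN line layout quoted above, counts accepted RCPT TO commands per (client IP, envelope sender) and says which log to read next. The sample lines, addresses and the "loopback means an on-box script" heuristic are assumptions made for the example.

```python
import re
# Constructed sample in the MailEnable SMTP activity-log layout quoted in the
# thread (date time direction message-id conn-id client-ip cmd args response).
# Every address and IP is made up; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
12/24/06 06:30:42 SMTP-IN 4A0A.MAI 1108 192.0.2.50 MAIL MAIL FROM: <bulk@example.net> 250 Requested mail action okay, completed 43 39
12/24/06 06:30:43 SMTP-IN 4A0A.MAI 1108 192.0.2.50 RCPT RCPT TO: <v1@example.com> 250 Requested mail action okay, completed 41 39
12/24/06 06:30:43 SMTP-IN 4A0A.MAI 1108 192.0.2.50 RCPT RCPT TO: <v2@example.com> 250 Requested mail action okay, completed 41 39
12/24/06 06:30:43 SMTP-IN 4A0A.MAI 1108 192.0.2.50 RCPT RCPT TO: <v3@example.com> 550 Requested action not taken 41 39
12/24/06 06:30:44 SMTP-IN 4A0B.MAI 1109 127.0.0.1 MAIL MAIL FROM: <bulk@example.net> 250 Requested mail action okay, completed 43 39
12/24/06 06:30:44 SMTP-IN 4A0B.MAI 1109 127.0.0.1 RCPT RCPT TO: <v4@example.com> 250 Requested mail action okay, completed 41 39
12/24/06 06:30:44 SMTP-IN 4A0B.MAI 1109 127.0.0.1 RCPT RCPT TO: <v5@example.com> 250 Requested mail action okay, completed 41 39
12/24/06 06:30:45 SMTP-IN 4A0B.MAI 1109 127.0.0.1 RCPT RCPT TO: <v6@example.com> 250 Requested mail action okay, completed 41 39
12/24/06 06:31:01 SMTP-IN 4A0C.MAI 1110 192.0.2.10 MAIL MAIL FROM: <alice@example.org> 250 Requested mail action okay, completed 43 39
12/24/06 06:31:01 SMTP-IN 4A0C.MAI 1110 192.0.2.10 RCPT RCPT TO: <bob@example.com> 250 Requested mail action okay, completed 41 39
"""
LINE_RE = re.compile(r"^(\S+ \S+) (SMTP-IN|SMTP-OUT) (\S+) (\d+) (\S+) (\w+) (.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")

def parse_line(line):
    """Split one activity-log line into its fields; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def submissions(log_text):
    """Count accepted (250) RCPT TO per (client IP, envelope sender) on SMTP-IN."""
    sender_by_conn, counts = {}, {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec[1] != "SMTP-IN":
            continue
        _, _, _, conn, ip, cmd, args = rec
        if cmd == "MAIL":  # a new envelope on this connection
            m = ADDR_RE.search(args)
            sender_by_conn[conn] = m.group(1).lower() if m else "?"
        elif cmd == "RCPT" and " 250 " in args:
            key = (ip, sender_by_conn.get(conn, "?"))
            counts[key] = counts.get(key, 0) + 1
    return counts

def suspects(log_text, min_rcpts=3):
    """Sources at or above min_rcpts, busiest first, with the next log to read."""
    out = []
    for (ip, sender), n in sorted(submissions(log_text).items(), key=lambda kv: -kv[1]):
        if n < min_rcpts:
            continue
        local = ip in ("127.0.0.1", "::1")  # assumption: on-box scripts submit over loopback
        out.append((ip, sender, n, "local script: check web/script logs" if local else "remote client: check which account authenticated"))
    return out
```

Run it against the real activity log by reading the file into `suspects()`; a loopback source points at the web or script logs the reply mentions, a remote source at the account that authenticated.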