Spam sent via webmail or web application?

[musictus]

I run a CentOS 5 server with Plesk 8.3

Recently I have been reported that my server is sending out spam. Smpt_auth is forbidden.

I found this in /usr/local/psa/var/log/maillog.processed

Mar 11 11:44:42 aresca6 relaylock: /var/qmail/bin/relaylock: mail from 127.0.0.1:44292 (localhost)
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: Handlers Filter before-queue for qmail started ...
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: [email protected]
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: [email protected]
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: hook_dir = '/var/qmail//handlers/before-queue'
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: recipient[3] = '[email protected]'
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: handlers dir = '/var/qmail//handlers/before-queue/recipient/[email protected]'
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: starter: submitter[31447] exited normally

and in /var/log/messages

Mar 11 11:44:42 aresca6 xinetd[2385]: START: smtp pid=31443 from=127.0.0.1
Mar 11 11:44:42 aresca6 xinetd[2385]: EXIT: smtp status=0 pid=31443 duration=0(sec)

I found a lot of these lines in maillog
"mail from 127.0.0.1:44292 (localhost)" where pnly the port number changes.

A sent spam message reported to me stated this header:

Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700

Any ideas of how to block this spam source?

 

[musictus]

I received this report by spamcop, any further help to trace this problem?

[ Offending message ]
Return-Path: <[email protected]>
Delivered-To: x
Received: (qmail 14377 invoked from network); 16 Mar 2008 16:24:08 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on blade4
X-Spam-Level: ********
X-Spam-Status: hits=8.3 tests=FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,
GEO_QUERY_STRING,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,
MSGID_OUTLOOK_INVALID,UNPARSEABLE_RELAY version=3.2.4
Received: from unknown (192.168.1.107)
by blade4.cesmail.net with QMQP; 16 Mar 2008 16:24:08 -0000
Received: from begames.com (69.12.148.192)
by mx70.cesmail.net with SMTP; 16 Mar 2008 16:24:08 -0000
Received: by begames.com (Postfix)
id 2FF60A2FCAC; Sun, 16 Mar 2008 09:24:08 -0700 (PDT)
Delivered-To: x
Received: from aresca6.teknosurf.it (aresca6.teknosurf.it [204.15.54.192])
by begames.com (Postfix) with SMTP id 926DAA2FCAB
for <x>; Sun, 16 Mar 2008 09:24:04 -0700 (PDT)
Received: from enjoy-a-ball.com (141.251.106.199)
by aresca6.teknosurf.it; Sun, 16 Mar 2008 17:24:08 +0100
Message-ID: <[email protected]>
Reply-To: Ryder <[email protected]>
From: Ryder <[email protected]>
To: x <x>
Subject: Guy saucking coaack while gets his coaack saucked woman
Date: Sun, 16 Mar 2008 17:24:08 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0043_01C4F22E.ED7DEAA4"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=8

------=_NextPart_000_0043_01C4F22E.ED7DEAA4
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hoat looking wife with big boobs having secs with her hubby on camera test =
manager <BR>=0D
<a href=3D"http://geocities.com/LupeSampson85/?ge=3Dtax">SIutty Diana Harrd=
core Phooatos</a><BR>=0D
<BR>=0D
oil when we can no longer three rub <BR>=0D
ray Did that Lady never go; come trouble <BR>=0D
Though your hat may blow away, manager selection plant design <BR>=0D
=0D

------=_NextPart_000_0043_01C4F22E.ED7DEAA4--