Stopping spammers using smarthosting

[satch89450]

I have a problem. One or more spammers, under the guise of Goody Two Shoes otherwise unknown, have signed up for services on my Plesk server. They have nice, innocent Web sites. What they have done is smart host their spam-spewing engines to use otherwise squeaky-clean mail accounts to send their spew, specifically to AOL.

What is the way to trace a particular spam to a particular SMTP-authenticated mailbox in this version of QMAIL? I want to close the account that is smart-hosting the spammer.

I've looked in all the logs, and find zero way to correlate a given message to a single mailbox (username@domain) -- the best I've been able to do is to guess which of two hundred accounts may be involved in the smarthosting.

Of course, AOL is blocking some of my Plesk servers over this, which is raising holy hell with the REST of the mail on the servers. QMail simply can't handle thousands of 451 responses.

I've tried blocking the ultimate source addresses, but the growing use of trojaned systems to send such stuff makes the IP approach virtually useless. I was able to stop one smart-hoster only because he was too stupid to disguise his PlanetIT IP address. Others are doing a marvelous job.

 

[poke]

Look to see if anyone internally is screwing with you.... Most spam attacks like this originate from your one jerk off client..

 

[satch89450]

That's the problem. I have more than 150,000 mailboxes here, and any <n> could be providing relay service to a spammer. With a CPanel system at least I have log entries to help try to trace a Bad Guy(tm).

I'm looking for the same capability in my Plesk systems. Given a spam complaint, how do I trace it back to someone who is "screwing with me"? With six people total, it's not an inside job. It's a customer.