I have been trying to stop this spammer for weeks now and I can't find them. Here is a copy of the spam message:
1ExZ0l-0004lt-6P-H
root 0 0
<service@chase.com>
1137197475 0
-helo_name User
-host_address 80.97.186.54.2875
-host_auth fixed_login
-interface_address 70.85.134.15.25
-received_protocol esmtpa
-body_linecount 59
-auth_id smart
-deliver_firsttime
-host_lookup_failed
XX
100
153P Received: from [80.97.186.54] (port=2875 helo=User)
by wizard.xxxx with esmtpa (Exim 4.52)
id 1ExZ0l-0004lt-6P; Fri, 13 Jan 2006 18:11:23 -0600
045F From: "service@chase.com"<service@chase.com>
059 Subject: Security Measures.Renew your account immediately!
038 Date: Sat, 14 Jan 2006 02:11:14 +0200
018 MIME-Version: 1.0
049 Content-Type: text/html;
charset="Windows-1251"
032 Content-Transfer-Encoding: 7bit
014 X-Priority: 1
024 X-MSMail-Priority: High
051 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
057 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
No, it's not a nobody spammer; I already checked for that. It appears they are connecting via Outlook Express, changing the from address and authenticating.
Steps to stop it:
Install HELO Tests - doesn't stop it
Monitor Sendmail - Nothing
Netstat - Shows user 47 (mailnull)
Someone please help me stop them from spamming through this box.



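The spool header quoted in the post records, for each queued message, the SMTP AUTH identity (`-auth_id`), the authenticator that accepted it (`-host_auth`) and the client address (`-host_address`). As an added example that is not part of the original post, this Python sketch parses that layout and tallies queued messages per authenticated id; the function names are hypothetical, the sample is constructed from the post with placeholder recipients, and the parser assumes the simple layout shown there (no ACL variable blocks).

```python
from collections import Counter

# Constructed sample: the spool header from the post, cut down to the fields
# used here, with the recipient list replaced by two placeholder addresses.
SAMPLE_H = """\
1ExZ0l-0004lt-6P-H
root 0 0
<service@chase.com>
1137197475 0
-host_address 80.97.186.54.2875
-host_auth fixed_login
-auth_id smart
XX
2
rcpt1@example.com
rcpt2@example.net
"""

def parse_spool_header(text):
    """Parse an Exim -H spool file laid out like the one in the post."""
    lines = text.splitlines()
    opts, i = {}, 4  # option lines follow the "time warning-count" line
    while i < len(lines) and lines[i].startswith("-"):
        name, _, value = lines[i].lstrip("-").partition(" ")
        opts[name] = value
        i += 1
    # Skip the non-recipients tree ("XX" when empty) up to the recipient count.
    while i < len(lines) and not lines[i].isdigit():
        i += 1
    if i >= len(lines):
        raise ValueError("recipient count not found")
    count = int(lines[i])
    ip, _, port = opts.get("host_address", "").rpartition(".")
    return {
        "message_id": lines[0].rsplit("-H", 1)[0],
        "envelope_sender": lines[2].strip("<>"),
        "auth_id": opts.get("auth_id"),      # SMTP AUTH identity, if any
        "host_auth": opts.get("host_auth"),  # name of the authenticator used
        "client_ip": ip, "client_port": port,
        "recipients": lines[i + 1:i + 1 + count],
    }

def tally_by_auth_id(spool_texts):
    """Count queued messages and recipients per authenticated id."""
    msgs, rcpts = Counter(), Counter()
    for info in map(parse_spool_header, spool_texts):
        msgs[info["auth_id"]] += 1
        rcpts[info["auth_id"]] += len(info["recipients"])
    return msgs, rcpts
```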





