Got a user that's having problems with spam mail sent from his account.


1. Are you seeing bounce messages (i.e. a spam/virus is using their email address in the email header) or are they the original messages coming from your server?

2. You need to establish whether the emails are being generated locally (e.g. through a script) or remotely (someone has gained access to their account)

3. If they're being generated locally on your server, then that user most likely has a vulnerable CGI or PHP script in their account


The user has changed all passwords that are possible to change.
And there are no CGI/PHP scripts that I can find locally on the server, so I'm kind of stuck here.

How can I find out if he's bouncing the messages?
Before it was sending like 2000 mails each day, now it's about 150 mails.
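
An added example, not part of the original thread: one way to sort sampled messages (saved with full headers) into the three cases raised above, namely bounces, mail generated by a local script, and mail submitted over an authenticated SMTP session. The sample messages, host names and addresses are constructed, and the `X-PHP-Originating-Script` check assumes PHP's `mail.add_x_header` setting is enabled on the server.

```python
import email
import re

# RFC 3848 "with" keywords that mark an authenticated SMTP session.
AUTH_RE = re.compile(r"\bwith\s+ESMTPS?A\b", re.IGNORECASE)

def classify(raw):
    """Return 'bounce', 'local-script', 'authenticated-smtp' or 'unknown'."""
    msg = email.message_from_string(raw)
    return_path = (msg.get("Return-Path") or "").strip()
    report_type = str(msg.get_param("report-type", "")).lower()
    # Bounces carry a null envelope sender and/or an RFC 3464 delivery report.
    if return_path == "<>" or (msg.get_content_type() == "multipart/report"
                               and report_type == "delivery-status"):
        return "bounce"
    # PHP's mail() adds this header (uid:script) when mail.add_x_header is on.
    if msg.get("X-PHP-Originating-Script"):
        return "local-script"
    # The topmost Received header is the one added by the last server that
    # handled the message (your own, when sampling from your own queue).
    received = msg.get_all("Received") or []
    if received and AUTH_RE.search(" ".join(received[0].split())):
        return "authenticated-smtp"
    return "unknown"

# Constructed sample messages, one per case.
BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: user@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed.
--b1--
"""
SCRIPT = """\
Received: from user by mail.example.com with local id 1abcde-000001-AB
X-PHP-Originating-Script: 1001:contact.php
From: user@example.com

body
"""
AUTHED = """\
Received: from [203.0.113.7] by mail.example.com with esmtpsa id 1abcde-000002-CD
From: user@example.com

body
"""

if __name__ == "__main__":
    for name, raw in (("bounce", BOUNCE), ("script", SCRIPT), ("authed", AUTHED)):
        print(name, "->", classify(raw))
```

A result of `unknown` means none of these markers was present, not that the message is harmless.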