Help, how can I find this spammer on my server?

AbeFroman

I don't host any of the domains in this email, and my hosting company says they will shut me down if these emails continue. How can I find out who is sending this?
- SpamCop V1.3.3 -
This message is brief for your comfort. Please follow links for details.

http://spamcop.net/w3m?i=z324661915zbcc7fd983354c682c235aea1f0e4e1a2z
Email from 205.243.144.1 / Fri, 4 Jul 2003 14:08:34 -0400

Offending message:
Return-Path: <[email protected]>
Received: from clerk.com (server114.wehosting.com [205.243.144.1])
by compudirectinc.com (8.12.9/8.12.8) with SMTP id h64I8XhL019076
for <x>; Fri, 4 Jul 2003 14:08:34 -0400
Received: from comic.com (21406 [168.239.192.121]) by athenet.net (8.12.1/8.12.1) with ESMTP id 18990 for <x>; Mon, 30 Jun 2003 14:11:05 -0700
Received: from euskalnet.net ([241.71.142.16]) by newnorth.net (8.9.3/8.9.3) with SMTP id 19616 for <x>; Sat, 28 Jun 2003 06:59:56 -0700
Date: Fri, 4 Jul 2003 14:08:25 -0400
Wrom: YZUNNYCGPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWF
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-Priority: 2 (High)
Message-ID: <[email protected]>
To: x
Subject: 100% Safe To Take, With NO Side Effects
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------1057352905793651856"
X-UIDL: <p+"!Y_m"!-K6"!ph="!

<html><body text=#000000 bgcolor=#FFFFFF link=#FF0000 vlink=#CC0000 alink=#FF0000> <div align="center"><font face="Georgia, Times New Roman, Times, serif"><b>Introducing VP-RX Pills</b><br> <b><font color=#000099 size=4>NO.1 Penis Enlargement Pill On The Market!</font></b><br><a href="http://www.herbalpillsonline.biz/cgi-bin/affiliates/click.cgi?id=pills05"><img src="enlarge.gif" width=288 height=75 border=0></a><br> * Gain <b>3+ Full Inches</b> In Length<br> * Expand Your Penis <b>Up To 20% Thicker</b><br> * Stop Premature Ejaculation!<br> * Produce <b>Stronger Erections</b><br> * <b>100% Safe To Take</b>, With No Side Effects<br> * Fast Distribution Worldwide<br> * Sold Over 1.2 Million Bottles!<br> * <b>No Pumps! No Surgery! No Exercises!</b><b><A HREF="http://www.herbalpillsonline.biz/cgi-bin/affiliates/click.cgi?id=pills05"><br> <br> <font size=5>READ MORE HERE<br> Do not loose you chance to be<br> a REAL MAN</font></A></b></font><br><font color=#FFFFFF>http://www.herba!
lpillsonline.biz/cgi-bin/affiliates/click.cgi?id=pills05</font></div></body></html>


twhiting9275

Use the tools given to you in Exim/WHM

Firstly, use the manage mail stats link. This will tell you who's SENT the most mail, among other things.

Secondly, use the mail queue option. With most, you will find that there's a bunch of mail waiting to be sent, cuz it's sent to the wrong address, or the address doesn't exist or some crap.

Thirdly, use the built-in Linux commands to search for anything involving that IP address, or that domain, both in the log directory and Apache's logs.

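An added example (not part of the original posts) of the log search described above: it ranks local accounts by messages submitted on the server itself and counts how many remote deliveries and bounces those messages produced. It assumes the standard Exim main log line format and a transport named `remote_smtp`; the sample log lines and the account names `sitea` and `siteb` are constructed.

```shell
#!/bin/sh
# Added example. Log lines are constructed; sitea/siteb are hypothetical accounts.
sample_log() {
cat <<'EOF'
2003-07-04 14:08:20 19YUvA-0004xk-00 <= siteb@host.example U=siteb P=local S=1843
2003-07-04 14:08:21 19YUvA-0004xk-00 => a@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-07-04 14:08:21 19YUvA-0004xk-00 -> b@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2003-07-04 14:08:22 19YUvA-0004xk-00 ** c@example.org R=lookuphost T=remote_smtp: SMTP error from remote mailer after RCPT TO:<c@example.org>: host mx.example.org [192.0.2.30]: 550 No such user
2003-07-04 14:08:22 19YUvA-0004xk-00 Completed
2003-07-04 14:09:02 19YUvq-0004yB-00 <= siteb@host.example U=siteb P=local S=1851
2003-07-04 14:09:03 19YUvq-0004yB-00 => d@example.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.20]
2003-07-04 14:09:03 19YUvq-0004yB-00 Completed
2003-07-04 14:10:40 19YUxQ-0004zR-00 <= sitea@host.example U=sitea P=local S=702
2003-07-04 14:10:40 19YUxQ-0004zR-00 => sitea <sitea@host.example> R=localuser T=local_delivery
2003-07-04 14:10:40 19YUxQ-0004zR-00 Completed
2003-07-04 14:11:15 19YUxz-0004zw-00 <= someone@example.net H=mx.example.net [192.0.2.10] P=esmtp S=2210
2003-07-04 14:11:15 19YUxz-0004zw-00 => sitea <info@sitea.example> R=localuser T=local_delivery
2003-07-04 14:11:15 19YUxz-0004zw-00 Completed
EOF
}

# Print "messages remote_deliveries failures account", busiest account first.
# Reads the log named in $1, or standard input when no file is given.
local_sender_report() {
    awk '
    # Arrival line: remember which Unix account (U=) submitted a local message.
    $4 == "<=" {
        user = ""; is_local = 0
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^U=/) user = substr($i, 3)
            if ($i == "P=local") is_local = 1
        }
        if (is_local && user != "") { owner[$3] = user; msgs[user]++ }
        next
    }
    # Delivery lines for those messages that left via the remote transport.
    ($4 == "=>" || $4 == "->") && ($3 in owner) && /T=remote_smtp/ { sent[owner[$3]]++ }
    # Permanent failures (bounces) for those messages.
    $4 == "**" && ($3 in owner) { failed[owner[$3]]++ }
    END {
        for (u in msgs) printf "%d %d %d %s\n", msgs[u], sent[u], failed[u], u
    }' "${1:--}" | sort -k1,1nr -k4,4
}

sample_log | local_sender_report
```

On a cPanel server the main log is normally `/var/log/exim_mainlog`, so the real run would be `local_sender_report /var/log/exim_mainlog`. An account with many remote deliveries and a high failure count is the one to inspect first.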
 

AbeFroman

Is this it?
Top 50 local destinations by message count
------------------------------------------

11954 62621793 :blackhole:
1943 3254525 ewocion
407 1808870 cybrport
271 3766984 vlp
270 1410813 fathergo
261 1392809 dave
245 1198507 tranzdat
180 2074095 bootyma
166 790691 condon
150 650101 /dev/null
112 2440870 info
107 440353 guddie
100 571312 oficina
89 389548 elliott
89 315281 robmanc
81 623549 cduff
78 407354 usmaleo
76 516048 |/usr/local/cpanel/3rdparty/mailman/mail/wrapper mailowner albemigrant_albemigrant.com ([email protected]m)
74 3754899 tim
68 307768 mandar
68 201359 mail
60 342347 dstorey
51 3132304 ceo
51 1302035 rlyon
46 209672 marquisj
44 290285 dan
42 168784 marys
42 163402 kagi
41 133830 jameshom
40 141592 ken
33 271123 biofuel
30 287712 dustin
30 205698 stmerid
29 6291857 rosiewol
28 299287 surpin
28 208543 jlibson
27 103935 |/usr/bin/perl /home/vlpnet/www/cgi-bin/arp3/arp3-emailcapture.pl ([email protected]) <[email protected]>
25 346821 |/usr/local/cpanel/bin/autorespond [email protected] /home/albemigr/.autorespond ([email protected])
25 127201 poteauc
25 124794 catchall
25 107765 intl-bus
24 122670 djflako
23 109765 upno
23 62565 |/usr/bin/perl /home/vlpnet/www/cgi-bin/arp3/arp3-emailcapture.pl ([email protected])
22 333086 rastafas
21 866795 admin
21 65918 ic8
21 50281 /dev/null
20 2099043 andrew
20 362856 trhughes


tAzMaNiAc

Hmm..

From SpamCop's Report:
===================
Parsing header:

Received: from clerk.com (server114.anhosting.com [205.243.144.8]) by compudirectinc.com (8.12.9/8.12.8) with SMTP id h64I8XhL019076 for <x>; Fri, 4 Jul 2003 14:08:34 -0400
Possible spammer: 205.243.144.8
205.243.144.8 is not an MX for server114.anhosting.com
host server114.anhosting.com (checking ip) = 205.243.144.8
Received line accepted

Received: from comic.com (21406 [168.239.192.121]) by athenet.net (8.12.1/8.12.1) with ESMTP id 18990 for <x>; Mon, 30 Jun 2003 14:11:05 -0700
host 205.243.144.8 (getting name) = server114.anhosting.com.
host server114.anhosting.com (checking ip) = 205.243.144.8
205.243.144.8 not listed in dnsbl.njabl.org
205.243.144.8 not listed in proxies.blackholes.easynet.nl
205.243.144.8 not listed in dnsbl.sorbs.net
205.243.144.8 is not an MX for athenet.net
205.243.144.8 is not an MX for compudirectinc.com
205.243.144.8 not listed in dnsbl.njabl.org
Possible spammer: 168.239.192.121
host athenet.net (checking ip) = 209.103.196.8
209.103.196.8 not listed in dnsbl.njabl.org
209.103.196.8 not listed in proxies.blackholes.easynet.nl
209.103.196.8 not listed in dnsbl.sorbs.net
Chain test:athenet.net =? server114.anhosting.com
host server114.anhosting.com (checking ip) = 205.243.144.8
205.243.144.8 is not an MX for athenet.net
host athenet.net (checking ip) = 209.103.196.8
205.243.144.8 is not an MX for athenet.net
Chain test failed
Chain test:athenet.net =? 205.243.144.8
205.243.144.8 is not an MX for athenet.net
host athenet.net (checking ip) = 209.103.196.8
205.243.144.8 is not an MX for athenet.net
Chain test failed
Routing details for 205.243.144.8
De-referencing [email protected]
abuse net xnet.com = [email protected], [email protected], [email protected], [email protected]
Report routing for 205.243.144.8: [email protected], [email protected], [email protected], [email protected]
[email protected] redirects to [email protected]
I know this ISP's abuse address:[email protected]
Chain error athenet.net not equal to last sender received line discarded


Tracking message source: 205.243.144.8:
Cached masters for 205.243.144.8: [email protected] [email protected] [email protected] [email protected]
Sorry, this email is too old to file a spam report. You must report spam within 3 days of receipt. This mail was received on Fri, 4 Jul 2003 14:08:34 -0400
