HELP! Somebody has hijacked my email system

I have over 600 of these going out from my server right now, i just caught it, and i cant find the source!!!!

2003-04-14 15:07:03 195C6Q-0004zd-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=527120 id=E195AKc-00088X-00@myserver.com
2003-04-14 15:07:03 195C6I-0004zJ-00 => pornomag6999@yaho.com R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1:DES-CBC3-SHA:168
2003-04-14 15:07:03 195C6I-0004zJ-00 Completed
2003-04-14 15:07:08 195C6V-0004zr-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=527650 id=E195AKc-00088X-00@my.server.com
2003-04-14 15:07:09 195C6Q-0004zd-00 => pornomag6999@yaho.com R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1:DES-CBC3-SHA:168

The only thing i can do it shut down Exim to stop it. How can i find out who this is? Thats because cpanel allows messages to be send out of the server as nobody!

 

Nope, so far they cant do it, isnt it amazing look at this

12-13 53 ....
13-14 616 ...................................................
14-15 394 ................................
15-16 83 ......

sent in 1hr as nobody! Im still trying to stop this crap from leaving my server.

 

I did that already and that doesnt work dgbaker. I just finished installing a mail monitor script that will tell me whos sending it. Any msgs over 5 msgs will halt the sender.

 

Dont know how this phpsuexec works but after i recompiled my system last night to include it Squirrelmail was inaccessible throughout the entire system. And we had all kinds of permission problems all over the server.

 

Very strange, it doesnt seem to be coming from my server. Wait localhost coming in then going straight out? I dont get this.

 

anyone know how i can setup an exim rule to prevent delivery of messages to a domain..

These messages are being sent to NOT.COM that has an ip of 0.0.0.0.

 

Can you write a howto on this? I mean installing it is easy however what about all the file persmissions. This is a nighmare. When i did install it i had to remove it moments after the compile because everthing stopped working, permission problems all over the place, paths not found etc etc. Good thing it was 3am otherwise our users would have killed us.

 

We dont allow our users to modify MX records but this is what we found out. The guy used a sites E-Greeting card program to send out a greeting card to himself which he looped back to his origional email address then fired it off. This looped the program out of control. It stopped after 5hrs and 1,300+ emails later. We cannot recreate the problem so it seems it was a deliberate attempt. Amazing people.

 

Im really reluctant to change all the permissions only to find out it didnt work and be stuck with a bunch of nonworking sites. Has anyone done this and knows it works for sure?