Spammer abusing Microsoft SMTPSVC, Need advice! Please read!

By davidf ·
Environment: W2k3, IIS6, Microsoft SMTPSVC 6

I have a spammer probably using some form of formmail / smtpsvc and spamming off my server. I have a shared environment and need advice on how to tell which user is doing the spamming. Any advice?

Received: from maxima8 ([***.***.***.***]) by with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 10 Jan 2007 15:04:49 -0800
Date: Wed, 10 Jan 2007 15:04:49 40800
From: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Message-I <>
X-OriginalArrivalTime: 10 Jan 2007 23:04:49.08** (UTC) FILETIME=[BAD6F330:01C7350B]

Dear friend
As you read this, I don't want you to feel sorry for me, because, I
believe everyone will die someday. My name is Steve Douglas I am a
merchant of Omani nationality but presently residing in london. I have been
diagnosed with Esophageal cancer .It has defiled all forms of medical
treatment, and right now I have only about a few months to live, according
to medical experts.


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Inside or outside origin?

by Toivo Talikka In reply to Spammer abusing Microsoft ...

Did you receive this message from someone from outside your network, as a bounced message?

What makes you believe that the message originated from your server? Email headers can be forged, I believe. The spammers and authors of malware try to get you to open the message with their payload.

Have you checked the mail log files in your server to verify if the original message was sent from your server?

Collapse -

Quite right.

by deepsand In reply to Inside or outside origin?

The alleged "sender" is in many cases the real target. Given a sufficiently large number of arbitrary "recipient" & "sender" addresses, a good portion are sure to be be bounced back to a real address, in the hopes that the "sender" will be fooled into accepting the payload.

Collapse -

Not exactly.

by davidf In reply to Spammer abusing Microsoft ...

The server is a shared hosting environment with 2000 sites on it. The spammer has a script in a directory that is relaying through the localhost because of formmail etc using anon. access.

What I need is a method to find out which website/user is relaying from the SMTPSVC at what time. If I could monitor when a socket was open, by which process, and by which user it would give me the information to shut down the correct user/site.

Thats what I need.

Related Discussions

Related Forums