Spam possibly sent through our server
We recently received an email from our datacenter that an account on our server was possibly sending spam. Here are the headers of the spam message received from SpamCop:
Return-Path: <engzos@rc-harrastus.com>
Delivered-To: x
Received: (qmail 4073 invoked from network); 8 Apr 2004 19:36:51 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
by blade6.cesmail.net with SMTP; 8 Apr 2004 19:36:51 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
by c60.cesmail.net with SMTP; 08 Apr 2004 15:36:51 -0400
Received: (qmail 23817 invoked from network); 8 Apr 2004 19:36:50 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
by mailgate.cesmail.net with SMTP; 8 Apr 2004 19:36:50 -0000
Received: from sextitan.com [66.230.161.98]
by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
for x (single-drop); Thu, 08 Apr 2004 15:36:50 -0400 (EDT)
Received: from rc-harrastus.com (alpha.verkkomestari.com [66.246.110.187])
by wicked.internal.realitychecknetwork.com (8.12.8p1/8.12.8) with SMTP id i38J89qp035187
for <x>; Thu, 8 Apr 2004 15:08:09 -0400 (EDT)
(envelope-from engzos@rc-harrastus.com)
Received: from pc36363.lan.rc-harrastus.com (localhost [127.0.0.1]) by pc36363.lan.rc-harrastus.com (8.12.9/8.12.9) with ESMTP id 3238353637 for x; Thu, Apr 8 2004 22:19:47 +0200 (CEST)
Received: (from root@localhost) by pc36363.lan.rc-harrastus.com (8.12.9/8.12.9/Submit) id 3238353637; Thu, Apr 8 2004 22:19:47 +0200 (CEST)
Date: Thu, Apr 8 2004 22:19:47 +0200 (CEST)
Message-Id: <3431____________3035@pc36363.lan.rc-harrastus.com>
We have now been investigating this, and know that the person who owns rc-harrastus.com is not sending the spam. He is only using PHP-Nuke on his website, and I don't know whether there is any vulnerability in PHP-Nuke that would make it possible to send spam via it (he is not using PHP-Nuke's webmail). We have been looking at the server mail logs etc., but haven't been able to find any information.
According to the server's WHM there have been 23,393 received and 23,153 sent messages between the 4th and 9th of April. I believe this is typical for our server, as we have about 400 accounts on the server. Also there are only 100-200 messages in the queue (most of them MailScanner messages, as it tries to respond to the email addresses sending virus messages).
Would it be possible that this spam wasn't sent through our server, even though our IP is in the header?
Any help would be appreciated, so that we could solve this problem.
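As an added example, not part of the poster's message: a Python script that walks the Received chain quoted above from the top down, stops at the first hop where a recipient-side MTA logged an SMTP session from an outside address, and treats every Received line below that as written by the sending host and therefore unverifiable. The trusted host suffixes and networks are assumptions read off these headers, not known facts about SpamCop's or the reporter's infrastructure.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Received: lines copied from the post above, most recent hop first, folded lines joined.
RECEIVED = [
    "from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade6.cesmail.net with SMTP; 8 Apr 2004 19:36:51 -0000",
    "from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 08 Apr 2004 15:36:51 -0400",
    "from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 8 Apr 2004 19:36:50 -0000",
    "from sextitan.com [66.230.161.98] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for x (single-drop); Thu, 08 Apr 2004 15:36:50 -0400 (EDT)",
    "from rc-harrastus.com (alpha.verkkomestari.com [66.246.110.187]) by wicked.internal.realitychecknetwork.com (8.12.8p1/8.12.8) with SMTP id i38J89qp035187 for <x>; Thu, 8 Apr 2004 15:08:09 -0400 (EDT)",
    "from pc36363.lan.rc-harrastus.com (localhost [127.0.0.1]) by pc36363.lan.rc-harrastus.com (8.12.9/8.12.9) with ESMTP id 3238353637 for x; Thu, Apr 8 2004 22:19:47 +0200 (CEST)",
]
# Assumption: the recipient-side MTAs log honestly; their internal relays are the 192.168.x hosts and the one public relay above.
TRUSTED_BY = ("cesmail.net", "realitychecknetwork.com")
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "216.154.195.36/32")]
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_received(line):
    """Split one Received: line into sender name, rDNS, source IP, receiving host, transport and timestamp."""
    src, _, rest = line.partition(" by ")
    helo = re.search(r"\(HELO\s+([^)\s]+)\)", src) or re.search(r"from\s+(\S+)", src)
    rdns, ip = re.search(r"\(([\w.-]+)\s+\[", src), IPV4.search(src)
    with_ = re.search(r"\bwith\s+(\S+)", rest)
    try:
        when = parsedate_to_datetime(rest.rsplit(";", 1)[1].strip()) if ";" in rest else None
    except (TypeError, ValueError):
        when = None  # an unparsable date is itself a warning sign, but do not abort on it
    return {"helo": helo.group(1) if helo else "?", "rdns": rdns.group(1) if rdns else None, "ip": ip.group(0) if ip else None,
            "by": rest.split()[0] if rest else "?", "with": with_.group(1).upper() if with_ else "", "when": when}

def is_internal(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in TRUSTED_NETS)

def trust_boundary(hops):
    """Index of the last hop we can vouch for: a trusted MTA logging an SMTP session from an outside IP."""
    for i, h in enumerate(hops):
        if h["by"].endswith(TRUSTED_BY) and h["with"] in ("SMTP", "ESMTP") and not is_internal(h["ip"]):
            return i
    return None

def analyse(lines):
    hops = [parse_received(l) for l in lines]
    b = trust_boundary(hops)
    edge = hops[b]
    # A sender-written hop timestamped *after* the trusted MTA already held the mail cannot be genuine.
    skew = [int((h["when"] - edge["when"]).total_seconds()) for h in hops[b + 1:]
            if h["when"] and edge["when"] and h["when"].tzinfo and edge["when"].tzinfo and h["when"] > edge["when"]]
    return {"boundary": b, "origin_ip": edge["ip"], "origin_rdns": edge["rdns"], "origin_helo": edge["helo"],
            "received_by": edge["by"], "unverified_hops": len(hops) - b - 1, "impossible_skew_s": skew}
```

On these headers the only verifiable origin is 66.246.110.187 (reverse DNS alpha.verkkomestari.com, announcing itself as rc-harrastus.com), and the hop below it through pc36363.lan.rc-harrastus.com is stamped 71 minutes after the trusted MTA had already received the mail, which a genuine earlier hop cannot be.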