SMTP Spamming?
Hey guys, I'm having a bit of confusion tracking down a spammer on the server. It seems that they are using SMTP for their spamming activities, but the weird thing is that I can't get a username or an IP because when they spam it's showing it from localhost 127.0.0.1... I have some snippets from the WHM Manage Mail Queue:
1Dz6Qn-0007Pf-HD-H
mailnull 47 12
<>
1122787933 0
-ident mailnull
-received_protocol local
-body_linecount 72
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1122847770
-localerror
XX
1
oppsforyou@replyxp.com
153P Received: from mailnull by host.server.com with local (Exim 4.50)
id 1Dz6Qn-0007Pf-HD
for oppsforyou@replyxp.com; Sun, 31 Jul 2005 01:32:13 -0400
047 X-Failed-Recipients: chavezpatty@eart*****.net
031 Auto-Submitted: auto-generated
064F From: Mail Delivery System <Mailer-Daemon@host.server.com>
027T To: oppsforyou@replyxp.com
059 Subject: Mail delivery failed: returning message to sender
053I Message-Id: <E1Dz6Qn-0007Pf-HD@host.server.com>
038 Date: Sun, 31 Jul 2005 01:32:13 -0400
Then the BOUNCEBACK:
1Dz6Qn-0007Pf-HD-D
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
chavezpatty@eart*****.net
SMTP error from remote mailer after RCPT TO:<chavezpatty@eart*****.net>:
host mxe.eart*****.net [209.86.93.239]: 550 chavezpatty@eart*****.net...User unknown
------ This is a copy of the message, including all the headers. ------
Return-path: <oppsforyou@replyxp.com>
Received: from localhost ([127.0.0.1]:45198 helo=replyxp.com)
by host.server.com with esmtp (Exim 4.50)
id 1Dz6Qj-0007PJ-87
for chavezpatty@eart*****.net; Sun, 31 Jul 2005 01:32:09 -0400
Message-Id: <98097917254.2005jbsd3322@msg.replyxp.com>
X-Delivered-To: ds4@replyxp.com
Date: Sun, 31 Jul 2005 04:32:09 -0100
Received: (from nobody@localhost) by localhost (127.0.0.1) id 2343242 Sun, 31 Jul 2005 04:32:09 -0100
X-Sender: <oppsforyou@replyxp.com>
Mime-Version: 1.0
From: <oppsforyou@replyxp.com>
To: "patrisia chavez" <chavezpatty@eart*****.net>
Subject: Insanity!
Reply-To: <oppsforyou@yahoo.com>
Message-ID: <sid=44048736&rid=28915&seq=2&oid=2313@replyxp.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi patrisia,
A short time ago, a friend shared the following thought....
The definition of INSANITY is.....doing the same things over and over, and expecting different results......
When you think about it, it's absolutely true. If you are not happy with your situation for any reason....whether you desire more time....more money....more freedom in general....
You must change from the way you have always done things.
I'm really not trying to sell you anything.....but I will share with you information that can help you accomplish all of your lifes goals.....and take control of your financial destiny....
Take the next 5 minutes and watch my short movie....Just click on the link, and you will start down the path so many others have followed to achieving their dreams....
http://TheFreedomTeam.ws
Contact me anytime by phone or email, and I will show you just how easy it is to get started.
I look forward to hearing from you soon!!!
John J Evans
oppsforyou@yahoo.com
208-766-2758
http://TheFreedomTeam.ws
----------------------------------------------------------------
Stop! Claim your 50 exclusive tryout leads before they go stale.
Plus get 30 day autoresponder trial - No Cost, No Exceptions!
http://oppsforyou.replyxp.com/ [ For Limited Time Only ]
----------------------------------------------------------------
Sender's Address:
John Evans
5071 S 4600 W
Samaria ID 83252
United States
Sender's Email: oppsforyou@yahoo.com
To unsubscribe or change subscriber options visit:
http://replyxp.com/z/rmv.pl?es=hzzdz...id=28915&seq=2
and something from ssh would look like:
2005-07-31 19:12:21 SMTP connection from localhost (ultrafastreply.com) [127.0.0.1]:39879 I=[127.0.0.1]:25 closed by QUIT
2005-07-31 19:12:21 1DzMyj-0001nT-87 <= monica@thereplyzone.com H=localhost (thereplyzone.com) [127.0.0.1]:39881 I=[127.0.0.1]:25 P=esmtp S=1636 id=93875628444.2005jbsd3322@msg.thereplyzone.com T="Remember that part-time gig?" from <monica@thereplyzone.com> for cocalina@excite.com
2005-07-31 19:12:21 SMTP connection from [127.0.0.1]:39884 I=[127.0.0.1]:25 (TCP/IP connection count = 2)
2005-07-31 19:12:21 SMTP connection from localhost (thereplyzone.com) [127.0.0.1]:39881 I=[127.0.0.1]:25 closed by QUIT
I'm usually able to fix things like this but this is something else to me. I've tailed the logs as well as installed phpsuexec and a sendmail mod that helps with tracking, added the choon mod for php script mail tracking.
The above domains aren't hosted on our servers either. Any and all help will be greatly appreciated.
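Taking the Exim main-log lines and the spool Received: header from the post as input, here is an added example (my own code, not anything the poster, cPanel/WHM or Exim ships) that separates messages Exim accepted over SMTP from 127.0.0.1 from ordinary remote deliveries, and lists, per announced HELO name, the loopback source ports that were seen. The point of the source port is that a connection from 127.0.0.1:39881 to port 25 belongs to some process on the same box; while the spam is flowing, `lsof -i TCP:<port>` or `netstat -tnp` against a port the script reports gives the PID and user that handed the mail to Exim, and the `(from nobody@localhost)` Received line in the quoted spool file suggests that process runs as the web server's user. The log text is constructed from the post's own lines (wrapped lines rejoined) plus one invented ordinary remote delivery using RFC 5737 documentation addresses so the loopback filter has something to exclude.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: the Exim main-log lines quoted in the post, rejoined,
# plus one invented normal remote delivery (RFC 5737 addresses) as a control.
SAMPLE_LOG = """\
2005-07-31 19:12:21 SMTP connection from localhost (ultrafastreply.com) [127.0.0.1]:39879 I=[127.0.0.1]:25 closed by QUIT
2005-07-31 19:12:21 1DzMyj-0001nT-87 <= monica@thereplyzone.com H=localhost (thereplyzone.com) [127.0.0.1]:39881 I=[127.0.0.1]:25 P=esmtp S=1636 id=93875628444.2005jbsd3322@msg.thereplyzone.com T="Remember that part-time gig?" from <monica@thereplyzone.com> for cocalina@excite.com
2005-07-31 19:12:21 SMTP connection from [127.0.0.1]:39884 I=[127.0.0.1]:25 (TCP/IP connection count = 2)
2005-07-31 19:12:21 SMTP connection from localhost (thereplyzone.com) [127.0.0.1]:39881 I=[127.0.0.1]:25 closed by QUIT
2005-07-31 19:13:02 1DzMzO-0001pQ-Aa <= alice@example.org H=mail.example.org (mail.example.org) [203.0.113.7]:51234 I=[192.0.2.10]:25 P=esmtp S=2048 for bob@example.net
"""

# Exim's host field comes in a few shapes: "host (helo) [ip]:port",
# "(helo) [ip]:port" when there is no reverse DNS, or "host [ip]:port".
HOST_RE = r"(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"

# "<=" lines: a message was accepted. Greedy ".*" before "for" picks the last
# "for", so a subject containing that word does not confuse the recipient list.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=" + HOST_RE + r" I=\[(?P<iface>[^\]]+)\]:\d+ P=(?P<proto>\S+).*\bfor (?P<rcpts>.+)$"
)
# Connection open/close lines; the close line carries the HELO name.
CONNECTION_RE = re.compile(r"SMTP connection from " + HOST_RE)

# The Received: header Exim writes for SMTP submissions, as in the spool file
# quoted in the post: "from localhost ([127.0.0.1]:45198 helo=replyxp.com)".
RECEIVED_RE = re.compile(
    r"from (?P<host>\S+) \(\[(?P<ip>[^\]]+)\]:(?P<port>\d+) helo=(?P<helo>[^)\s]+)\)"
)


def parse_arrivals(log_text):
    """Return one dict per '<=' (message accepted) line in the log."""
    arrivals = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["rcpts"] = d["rcpts"].split()
            arrivals.append(d)
    return arrivals


def loopback_injections(log_text):
    """Messages submitted over SMTP from the loopback interface: mail handed to
    Exim by a process on this machine rather than by a remote MTA."""
    return [a for a in parse_arrivals(log_text) if ip_address(a["ip"]).is_loopback]


def loopback_helo_ports(log_text):
    """Map each HELO name announced on a loopback connection to the distinct
    source ports it used, taken from both '<=' and 'SMTP connection' lines, so
    a connection that never produced a logged '<=' in the excerpt still shows.
    Distinct ports are kept so the close line does not double-count an arrival."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line) or CONNECTION_RE.search(line)
        if m and m.group("helo") and ip_address(m.group("ip")).is_loopback:
            ports[m.group("helo")].add(int(m.group("port")))
    return {helo: sorted(p) for helo, p in ports.items()}


def parse_received(header_line):
    """Pull host, ip, source port and HELO out of an Exim Received: header."""
    m = RECEIVED_RE.search(header_line)
    return {**m.groupdict(), "port": int(m.group("port"))} if m else None


if __name__ == "__main__":
    for a in loopback_injections(SAMPLE_LOG):
        print(f"{a['ts']} {a['msgid']} helo={a['helo']} src_port={a['port']} "
              f"from={a['sender']} to={','.join(a['rcpts'])}")
    print(loopback_helo_ports(SAMPLE_LOG))
    print(parse_received("Received: from localhost ([127.0.0.1]:45198 helo=replyxp.com)"))
```

Run it against `/var/log/exim_mainlog` (read the file into `SAMPLE_LOG`'s place) and the HELO names that only ever appear from 127.0.0.1 are the ones to chase; the ports are only useful live, since they are reused once the connection closes.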