How do I track this spammer?
I'm not a violent person, but I'd really like to injure this SPAMMER. Someone is either forging headers, or using a web-based service to send spam through my server. Looking at the headers, it appears he may be using apache to send the email. If such is the case, I'm not sure how to track down what account he sent the email from. Here's the email:
- SpamCop V1.3.3 -
This message is brief for your comfort. Please follow links for details.
http://spamcop.net/w3m?i=z211768085z...44b529a6d1aa6z
Email from 207.142.0.2 / Mon, 21 Apr 2003 14:30:28 +0400
Offending message:
Return-path: <apache@users.250host.com>
Received: from users.250host.com (unverified [207.142.0.2]) by iwt.ru
(Rockliffe SMTPRA 5.2.4) with ESMTP id <B0000508555@net.iwt.ru> for <x>;
Mon, 21 Apr 2003 14:30:28 +0400
Received: (from apache@localhost)
by users.250host.com (8.11.6/8.11.6) id h3LAUif31017;
Mon, 21 Apr 2003 06:30:44 -0400
Date: Mon, 21 Apr 2003 06:30:44 -0400
Message-Id: <2003_________________1017@users.250host.com>
To: x
Subject:
=?windows-1251?B?0e/l9ujg6/zt7uUg7/Dl5Ovu5uXt6OUg5Ov/IMLg8SBzYXNoQGl3dC5ydQ=
=?=
X-SPAM-AVOWAL: This relay really hates SPAM
X-SPAM-DVOAUP: If this mail is SPAM, the sender is in direct violation of
our AUP
X-SPAM-PROMISE: Please send any complaints to moblllus@yandex.ru
From: "MOBILIUS" <moblllus@yandex.ru>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_e1576.09d37"
------=_NextPart_e1576.09d37
Content-Type: text/html; charset=windows-1251
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<link rel="stylesheet" href="main.css" type="text/css">
<style type="text/css">
<!--
.form { font-family: Arial, Helvetica, sans-serif; font-size: 10px}
.text { font-family: Arial, Helvetica, sans-serif; font-size: 12px;
font-weight: normal; color: #000000; text-decoration:
none}
.red { font-family: Arial, Helvetica, sans-serif; font-size: 14px;
font-weight: bold; color: #990000; text-decoration: none}
.sn { font-family: Arial, Helvetica, sans-serif; font-size: 13px;
font-weight: bold; color: 5A638C; text-decoration: none}
.text2 { font-family: Arial, Helvetica, sans-serif; font-size: 12px;
font-weight: normal; color: #666699; text-decoration:
underline}
.text3 { font-family: Arial, Helvetica, sans-serif; font-size: 10px; color:
#009933}
-->
</style>
</head>
<body bgcolor="#FFFFFF" text="#000000" leftmargin="0" topmargin="0"
marginwidth="0" marginheight="0" rightmargin="0"
bottommargin="0">
<script language="JavaScript">
window.open("http://rd.yahoo.com/*http://www.moblllus.ru/index.php?x=042199"
, null, "scrollbars=1,status=1,menubar=1,location=1,resizable=1,top=30000");
</script>
<IMG
src="http://rd.yahoo.com/*http://www.MOBlLlUS.RU/images/px.php?m=5&s=1&listi
ng=042199">
<form method="get"
action="http://rd.yahoo.com/*http://WWW.MOBlLlUS.ru/index.php"
name="search">
<input type=hidden name=level value=12>
<table width="620" border="0" cellspacing="1" cellpadding="1" align="center"
bgcolor="CECECE">
<tr bgcolor="#FFFFFF">
<td colspan="2">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
......................
I'm not quite sure where to start, as this is the first possibly browser-based spam attack we've encountered. I see a lot of entries in maillog that look like:
Apr 21 04:22:10 users sendmail[4677]: h3L8M4P04674: to=astancheva@narod.ru, ctladdr=apache (48/48), delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=105443, relay=mx1.yandex.ru. [213.180.193.106], dsn=2.0.0, stat=Sent (Message accepted; S539923AbTDUIVu)
Thanks,
Brian
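The maillog line in the post records ctladdr=apache, i.e. the web server's own user handed the message to sendmail, so the next step in triage is to match each such delivery against the Apache access log to see which script was hit at that moment. The following is an added example, not code from the original post: it parses sendmail delivery lines, keeps the apache-originated ones, backs out the queue time from the delay= field, and lists the access-log requests within a few seconds of it. The sample log lines are constructed (only the first maillog line is the one from the post), the access log is assumed to be in Apache combined format, and both logs are assumed to share the same local clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs: the first maillog line is the one quoted in the post, the
# others are made up. The access log is in Apache combined format, same local clock.
MAILLOG = """\
Apr 21 04:22:10 users sendmail[4677]: h3L8M4P04674: to=astancheva@narod.ru, ctladdr=apache (48/48), delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=105443, relay=mx1.yandex.ru. [213.180.193.106], dsn=2.0.0, stat=Sent (Message accepted; S539923AbTDUIVu)
Apr 21 04:22:11 users sendmail[4680]: h3L8M5P04678: to=user@example.net, ctladdr=apache (48/48), delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=105443, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Apr 21 04:22:40 users sendmail[4702]: h3L8Mep04700: to=bob@example.org, ctladdr=brian (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent (ok)
"""
ACCESS_LOG = """\
192.0.2.55 - - [21/Apr/2003:04:22:04 -0400] "POST /contact.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.55 - - [21/Apr/2003:04:22:09 -0400] "POST /contact.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Apr/2003:04:22:30 -0400] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""

MAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"to=(?P<to>\S+), ctladdr=(?P<ctladdr>[^ ]+) \((?P<uid>\d+)/\d+\), "
    r"delay=(?P<delay>\d\d:\d\d:\d\d).*?relay=(?P<relay>\S+)")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>\S+) [^\]]*\] "(?P<method>\S+) (?P<path>\S+)')

def parse_maillog(text, year=2003):
    """One dict per sendmail delivery line. Syslog lines carry no year, so it is supplied."""
    out = []
    for m in filter(None, map(MAIL_RE.match, text.splitlines())):
        d = m.groupdict()
        d["ts"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
        h, mi, s = (int(x) for x in d["delay"].split(":"))
        # delay= is the time since queueing, so ts - delay is roughly when the
        # sending process (here a web script running as apache) called sendmail.
        d["queued"] = d["ts"] - timedelta(hours=h, minutes=mi, seconds=s)
        out.append(d)
    return out

def web_originated(entries):
    """Deliveries whose controlling user is the web server (ctladdr=apache)."""
    return [e for e in entries if e["ctladdr"] == "apache"]

def correlate(entries, access_text, window=3):
    """Map each queue id to access-log requests within `window` seconds of its queue time."""
    reqs = []
    for m in filter(None, map(ACCESS_RE.match, access_text.splitlines())):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        reqs.append((ts, f'{m["ip"]} {m["method"]} {m["path"]}'))
    return {e["qid"]: [r for ts, r in reqs if abs((ts - e["queued"]).total_seconds()) <= window]
            for e in entries}
```

Running `correlate(web_originated(parse_maillog(MAILLOG)), ACCESS_LOG)` on the sample data points both apache-originated queue ids at the same client and script, which is the script (and vhost) to inspect and lock down.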