Please Help! Our email server is sending spam!!!

[badassjoe]

We are a small company with 15 users and we have been blacklisted in several sites for sending spam, everytime we ask for removal, they do, but after few days, we are there again.

Cash flow in the company is really tight, we can not afford to pay a tech guy!.

Any help!!

 

[giblets]

I'm not the person to help find the evil program lurking on Windows but, have you actually identified it's the mail server and not one of the clients?
I would disconnect till you find it and scan all the systems there.
If you can analyze the traffic on your network you could narrow down which machine it is. On Windows, you could use wireshark.

Found you an intro: http://www.mynetwatchman.com/pckidiot/nattrack.htm

 

[Imperfect1]

Which email client are you using? There are ways to identify the actual 'sender' of the infected emails, depending on which email client you're using.

WINDOWS LIVE MAIL or HOTMAIL
If you're using Windows Live Mail or Hotmail, open the email sent by the hacker. Click on the down-arrow next to Reply. Select: “View Message Source.” Scroll down to Sender’s (hacker’s) name listed following the text that says : X-SID-PRA:
The sender’s IP address will be listed following either (1) X’Originating-IP: or (2) Received From: (The IP address will be a number in brackets, like this: [123.456.78.91]).

Then go to a utility such as whois which will identify the identity and location of the hacker’s IP, from which the email was sent.

(You can also report the hacking to Microsoft and provide this information, along with the other information requested when reporting the hacking.)

YAHOO MAIL
If your Yahoo Mail has been hacked, first go to: http://help.yahoo.com/l/us/yahoo/mail/classic/contacts/spam-03.html for help from Yahoo Mail.

To identify the hacker and report the abuse, go to this page and fill out the form: http://help.yahoo.com/l/us/yahoo/mail/classic/abuse.html
To identify the hacker, open the hacked email message and locate the 'Header' relating to the hacker's identity. The Header contains an Internet Protocol (IP) address that corresponds to the sender's Internet service provider (ISP).

To located the Header:
Select and Open the hacked email. Look to the very bottom-right corner of the email and select Full Headers. You'll then see a long list of technical information, most of which will not be easily readable. The IP address of the hacker will follow text saying Received from and will be a number in brackets ([123.456.78.91]). Copy the number and then go to a utility such as whois which will tell you the name of the hacker from which the email was sent.

(For additional help, Yahoo also has a Hacking Forum at “Y-Mail” discussion group.)