Hi Michael,
Do you have a halfway recent AV-SPAM installed on it? Version 6.1.0 or better? The most recent one is 6.2.1.

Mine says 6.3.0-1

Under "Network Settings" / "AV-SPAM" / "Services" see if "Milter-GeoIP" is enabled. If not, turn it on.

Yes – already enabled.

Then in the "GeoIP" tab tick the boxes for "Suspend Accounts" and "Enforce Email Limits".

Okay done that.

Set the limits for "Service Accounts", "Virtual Sites" and "Users" as per your liking. You can still change them to different settings for each individual Vsite and User, but these will be the initial (default) values that will be used once this feature is enabled.

Set them all low.

Milter-GeoIP will now track the email volume (outgoing) of your server and will help you to pinpoint who sends how much. As this ties into Sendmail it'll give you the actual user names under which the outgoing emails are created. Under "Usage Information" / "Email" you will see "Email Traffic as reported by Milter-GeoIP".

Excellent … this will help.

If the culprit is a certain User of a Vsite, then you can directly see this there once some activity has been recorded by Milter-GeoIP.

Additionally: Once a user is close to sending more emails than allowed (>75% of allowed usage), both you and the user will get a warning. If he reaches his hard daily limit for outgoing emails, then no further email can be sent by him and another warning is generated.

Lastly: If a user with valid login details tries to send email from a blacklisted country, then Milter-GeoIP can either block that or even suspend the account automatically if you configure this. But it at least generates a warning if valid login details are used from suspicious countries.

Now if the culprit is a system account such as "apache"? Milter-GeoIP will tell you as well and also enforces limits and cutoffs on that.

If all Vsites run their PHP scripts as a siteAdmin of a Vsite and one of their PHP scripts creates the SPAM? In that case the offender will be the name of the siteAdmin account of that Vsite, which makes it easy to find.

Most of this doesn't outright stop the sending of SPAM, but it raises the yellow and red flag early and lets you know if something fishy happens. Additionally it aids in identifying the culprit and limiting the volume of SPAM that he might get out.

As some mentioned already: There are sneaky ways of sending outgoing emails. But if it runs through Sendmail, then Milter-GeoIP will see this and will report it. It doesn't catch those cases where a compromise brought its own SMTP-mechanism aboard which bypasses Sendmail, though. But these are sufficiently rare anyway.

And as always: If you need a hand, send me the login details offlist and I'll take the shotgun and shovel to this case. ;-)

Brilliant advice. I will do my own digging initially using your suggestions but if I need your shotgun and shovel I will shout!

All the best and thanks
Colin

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
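The per-account accounting described in this message can be cross-checked by hand from the Sendmail log. The following is an added example, not part of the original message and not Milter-GeoIP's own code: it sums recipients per locally submitting account and applies the >75% warning and hard daily limit mentioned above. The log lines are constructed, the function names are hypothetical, and counting `nrcpts` as the volume measure is this example's assumption.

```python
import re
from collections import Counter

# Constructed sendmail maillog excerpt (not from a real server).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sendmail[2101]: x23A01aa002101: from=apache, size=812, class=0, nrcpts=40, msgid=<1@host>, relay=apache@localhost
Mar  3 10:00:02 host sendmail[2103]: x23A01aa002101: to=<a@example.org>, delay=00:00:01, mailer=esmtp, stat=Sent
Mar  3 10:05:09 host sendmail[2107]: x23A59aa002107: from=site5admin, size=790, class=0, nrcpts=60, msgid=<2@host>, relay=site5admin@localhost
Mar  3 10:06:30 host sendmail[2110]: x23A6Uaa002110: from=<bob@example.net>, size=2048, class=0, nrcpts=1, msgid=<3@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.10]
Mar  3 11:00:00 host sendmail[2201]: x23B00aa002201: from=apache, size=805, class=0, nrcpts=50, msgid=<4@host>, relay=apache@localhost
Mar  3 11:30:00 host sendmail[2230]: x23BU0aa002230: from=site5admin, size=801, class=0, nrcpts=60, msgid=<5@host>, relay=site5admin@localhost
Mar  3 12:00:00 host sendmail[2301]: x23C00aa002301: from=alice, size=300, class=0, nrcpts=3, msgid=<6@host>, relay=alice@localhost
"""

# Local submissions (e.g. PHP mail()) are logged with relay=<account>@localhost.
# The account is read from relay= rather than from=, because from= is the
# envelope sender and a script can set it to anything.
LOCAL_FROM = re.compile(
    r"sendmail\[\d+\]: \w+: from=[^,]*,.*?\bnrcpts=(?P<n>\d+),"
    r".*?\brelay=(?P<acct>[\w.-]+)@localhost\b"
)

def count_local_recipients(log_text):
    """Sum nrcpts per local submitting account; remote and to= lines are skipped."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LOCAL_FROM.search(line)
        if m:
            totals[m.group("acct")] += int(m.group("n"))
    return totals

def classify(totals, daily_limit, warn_ratio=0.75):
    """Map each account to 'ok', 'warning' (>75% of limit) or 'limit_reached'."""
    status = {}
    for acct, sent in totals.items():
        if sent >= daily_limit:
            status[acct] = "limit_reached"
        elif sent > warn_ratio * daily_limit:
            status[acct] = "warning"
        else:
            status[acct] = "ok"
    return status

if __name__ == "__main__":
    totals = count_local_recipients(SAMPLE_LOG)
    for acct, state in sorted(classify(totals, daily_limit=100).items()):
        print(f"{acct:12s} {totals[acct]:5d} {state}")
```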