This is not spam.  This is the W32/Hybris worm.  Your user is infected.

Check the logs for the email message immediately preceding this one.
That's probably your infected user, since Hybris attaches itself to
the wsock2.dll library and sends out an email message immediately
after a valid one is sent.

See the following for more information on Hybris:

  http://www.sophos.com/virusinfo/analyses/w32hybrisd.html
  http://www.zdnet.com/anchordesk/stories/story/0,10738,2716778,00.html
  http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html
  http://www.sophos.com/virusinfo/articles/navidad.html

Enjoy,
JS


On Wed, May 16, 2001 at 03:27:17PM -0400, Kirti S. Bajwa wrote:
> From: "Kirti S. Bajwa" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: failure notice
> Date: Wed, 16 May 2001 15:27:17 -0400
> X-Mailer: Internet Mail Service (5.5.2653.19)
> 
> Hi:
> 
> Somebody is using our company's mail server to send Spam mail. Following is
> a copy of the bounced message. I have received hundreds of these messages. I
> have looked into qmail-send logs and find bounced messages but the from
> address is "garbage". 
> 
> It seems that the person who is sending SPAM is a regular dial-in customer. For
> example, in the message below, this person logged in as a dial-in customer and
> was assigned an IP address of 63.113.255.43, which is a valid IP address for
> the dial-in modem bank.
> 
> From this message or from qmail-send logs, I can't find out the user id of
> this person. Is there any way I can stop it or, better, find out who this
> person is (sending SPAM)?
> 
> Kirti
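
The log check suggested in the reply above, as an added example that is not part of the original messages: it pairs each message carrying a suspect envelope sender (copied from the bounces) with the last ordinary message queued before it, then counts which sender precedes the suspect mail most often. The sample log, addresses and function names are constructed for illustration; only the qmail-send "info msg" line layout is assumed.

```python
import re
from collections import Counter

# qmail-send logs one "info msg" line per queued message with its envelope sender.
INFO = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")

# Constructed sample log (not from the thread); timestamps and addresses are made up.
SAMPLE_LOG = """\
@400000003b02d1a5000003e8 new msg 101
@400000003b02d1a5000007d0 info msg 101: bytes 1824 from <alice@example.com> qp 2041 uid 71
@400000003b02d1a600000bb8 info msg 102: bytes 31245 from <zq1x@example.invalid> qp 2043 uid 71
@400000003b02d1b000000fa0 info msg 103: bytes 900 from <carol@example.com> qp 2050 uid 71
@400000003b02d1c000001388 info msg 104: bytes 2210 from <alice@example.com> qp 2058 uid 71
@400000003b02d1c100001770 info msg 105: bytes 31245 from <kk7p@example.invalid> qp 2060 uid 71
@400000003b02d1d000001b58 info msg 106: bytes 640 from <bob@example.com> qp 2071 uid 71
@400000003b02d1d000001f40 info msg 107: bytes 1500 from <> qp 2072 uid 71
@400000003b02d1d100002328 info msg 108: bytes 31245 from <zq1x@example.invalid> qp 2074 uid 71
"""

def suspects_with_predecessor(log_text, suspect_senders):
    """Pair each suspect message id with the last ordinary sender queued before it."""
    suspects = {s.lower() for s in suspect_senders}
    pairs, previous = [], None
    for line in log_text.splitlines():
        m = INFO.search(line)
        if m is None:
            continue  # "new msg", delivery and status lines carry no sender
        msg_id, sender = m.group(1), m.group(3).lower()
        if sender in suspects:
            if previous is not None:
                pairs.append((msg_id, previous))
        elif sender:
            # Bounces have an empty envelope sender and are skipped; suspect
            # messages sent back-to-back keep the same predecessor.
            previous = sender
    return pairs

def rank_predecessors(pairs):
    """On a busy server other users' mail interleaves, so rank by frequency."""
    return Counter(sender for _, sender in pairs).most_common()

if __name__ == "__main__":
    garbage = ["zq1x@example.invalid", "kk7p@example.invalid"]
    for sender, count in rank_predecessors(suspects_with_predecessor(SAMPLE_LOG, garbage)):
        print(f"{count:3d}  {sender}")
```

A single pairing can point at the wrong user when unrelated mail arrives in between; the sender that tops the ranking across many bounces is the one to check first.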
