Help - This one is tough

[Bill B.]

Assume the following:

Hostname = system1

O/S = Windows 2000 Pro



I started getting some EMAIL from spamcop informing me that system1 is
sending out SPAM via SMTP. I had a tech check out system1 and ensure that
the O/S and antivirus were up to date and scan it for viruses. The system
came back clean, so I wrote this issue of as a glitch.



I kept getting EMAIL from spamcop and decided to check out the system
myself. Norton does not pick up any viruses, there's no SMTP engine on the
system, and spybot didn't pick up any spyware.



I was beginning to think that spamcop was wrong and to prove my point, I
changed the name of system1 to system24. Now I'm getting EMAIL from spamcop
telling me that system24 is sending SPAM via SMTP.



I've got a sniffer on the system now, but I'm coming up dry.



Has anyone seen anything like this before?

 

[David W. Hodgins]

I was beginning to think that spamcop was wrong and to prove my point, I
changed the name of system1 to system24. Now I'm getting EMAIL from spamcop
telling me that system24 is sending SPAM via SMTP.
I've got a sniffer on the system now, but I'm coming up dry.

The folks at http://www.spywareinfo.com/forums/index.php?act=ST&f=24&t=5187
should be able to help find the trojan.

Just in case you arn't aware, the ip you're posting from...
NNTP-Posting-Host: 65.119.219.92
is listed in http://www.five-ten-sg.com/blackhole.php?ip=65.119.219.92&Search=Search
and http://www.moensted.dk/spam/no-more-funn/?addr=65.119.219.92&Submit=Submit
although it appears to be listed due to qwest helping the pill pushers, rather
then due to spam from that ip, itself.

Regards, Dave Hodgins