Catching a spammer...how can I find them?

Some MAJOR spam attacks started today off my server. When I do ps -ef | grep exim, I see this:

root 863 1 0 17:48 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 2 1F5rKv-00050f-EL
root 869 1 0 17:48 ? 00:00:00 /usr/sbin/exim -MCS -MCP -MCQ 32374 4 -MC remote_smtp batch3.csd.uwm.edu 129.89.169.226 2 1F5nR0-0002YG-DV
root 963 1 0 17:49 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 4 1F5r68-0004Bu-Kl
mail 1059 963 0 17:49 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 4 1F5r68-0004Bu-Kl
mail 1274 32375 0 17:51 ? 00:00:00 /usr/sbin/exim -q
mail 1314 869 0 17:51 ? 00:00:00 /usr/sbin/exim -MCS -MCP -MCQ 32374 4 -MC remote_smtp batch3.csd.uwm.edu 129.89.169.226 2 1F5nR0-0002YG-DV
mail 1396 863 0 17:52 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 2 1F5rKv-00050f-EL

I've already run chkrootkit and clamscan (after freshclam), and I can find nothing. How can I track these down/stop them? Stopping exim stops all email from working, so it's not an option...they've already used about 100G bandwidth today.
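An added example, not part of the original post: a shell function that reduces a process listing like the one above to one line per message being delivered, keyed on the trailing field, which has the shape of an Exim message id. The function names are this example's own, and the embedded sample is copied from the listing in the post so the block runs offline.

```shell
#!/bin/sh
# Sample input: the process lines quoted in the post, embedded so this runs offline.
sample_ps() {
cat <<'EOF'
root 863 1 0 17:48 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 2 1F5rKv-00050f-EL
root 869 1 0 17:48 ? 00:00:00 /usr/sbin/exim -MCS -MCP -MCQ 32374 4 -MC remote_smtp batch3.csd.uwm.edu 129.89.169.226 2 1F5nR0-0002YG-DV
root 963 1 0 17:49 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 4 1F5r68-0004Bu-Kl
mail 1059 963 0 17:49 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 4 1F5r68-0004Bu-Kl
mail 1274 32375 0 17:51 ? 00:00:00 /usr/sbin/exim -q
mail 1314 869 0 17:51 ? 00:00:00 /usr/sbin/exim -MCS -MCP -MCQ 32374 4 -MC remote_smtp batch3.csd.uwm.edu 129.89.169.226 2 1F5nR0-0002YG-DV
mail 1396 863 0 17:52 ? 00:00:00 /usr/sbin/exim -MCS -MCQ 32374 4 -MC remote_smtp mx.mail.rcn.net 207.172.4.98 2 1F5rKv-00050f-EL
EOF
}

# Read ps lines on stdin; print "message-id host ip process-count",
# one line per distinct message, sorted by id.
delivery_summary() {
  awk '
    {
      id = $NF; host = ""; ip = ""
      # Keep only lines whose last field is shaped like an Exim message id
      # (6-6-2 alphanumeric groups); this drops queue runners such as "exim -q".
      if (id !~ /^[0-9A-Za-z-]+$/) next
      parts = split(id, g, "-")
      if (parts != 3 || length(g[1]) != 6 || length(g[2]) != 6 || length(g[3]) != 2) next
      # In these lines the host name and address follow "-MC <transport>".
      for (i = 1; i + 3 <= NF; i++)
        if ($i == "-MC") { host = $(i + 2); ip = $(i + 3) }
      count[id]++; h[id] = host; a[id] = ip
    }
    END { for (id in count) print id, h[id], a[id], count[id] }
  ' | LC_ALL=C sort
}

# On a live server: ps -ef | grep '[e]xim' | delivery_summary
# Each id printed can be inspected with: exim -Mvh <id>  (prints the spooled headers)
sample_ps | delivery_summary
```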
