#1
CDOSYS spam attack
Hi,
I am not sure if this is the right place to ask for help, but here it is anyway. We are using Windows 2003 Web ed. with IIS 6.0. We have a lot of websites hosted on our servers, and some of them may be using CDOSYS in their scripts to handle mails. We are not the website admins or the programmers, only hosting the sites. Recently, we received a report that our server has been used to spam, and the mail headers show this: Quote:
with our server's IP as the sender. There are thousands (if not tens of thousands) of files on the server, so looking it up manually one by one isn't a very promising way of tracking down the spammer.
Is there any way to track down which script (if it's done by script) is sending the spam? I've tried to look at IIS's logs, Event Viewer, and do a search on web logs, but found nothing at all. IIS's SMTP logs only show that there is some SMTP activity to send out e-mails by the spammer, but it doesn't lead to how it was done, or which scripts it was using.
Also, are there any logs or configuration settings specifically for CDOSYS? Like, so I can block certain headers/body/e-mail addresses in the from/to of the mail?
Any help/hints on how I can track the spammer would be greatly appreciated. Thank you in advance! Regards
__________________
Scatt-Neko
#2
I don't know an easy way, you may be able to pull something out of the IIS logs, or maybe you need some kind of network monitor. Also I think there is some logging you can turn on in the SMTP server.
__________________
====== Doug G ====== "Hide, hide witch! The good folk come to burn thee. Their keen enjoyment hid behind their gothic mask of duty." -Mark Clifton
#3
I've checked the IIS logs (from weblogs) and also Event Viewer, but they gave nothing at all.
I also have enabled SMTP logging in IIS, and it does show that someone is opening SMTP (locally) to send that spam, but it didn't give any more than that. So, I just know that someone did it, but have no clue how (whose scripts, where, etc). Addit: What kind of network monitoring can you suggest? I've never used this kind of stuff, but I am willing to do anything to stop that spam.
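Added example, not part of any post in this thread: one way to combine the two logs discussed above is to line up web requests for scripts against the timestamps of locally submitted messages in the SMTP log and rank the scripts that coincide. It assumes both logs are in W3C extended format with `date` and `time` fields on the same clock, and that the SMTP log records `c-ip` and `cs-method`; the function names, sample logs, addresses and script paths are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

def parse_w3c(text):
    """Yield one dict per entry of a W3C extended log, keyed by its #Fields: names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def rank_scripts(web_log, smtp_log, local_ips, window=2, exts=(".asp", ".aspx")):
    """Rank (site, script) pairs by requests logged within `window` seconds of a local MAIL command."""
    # One timestamp per message submitted from the server's own addresses.
    mails = [r["ts"] for r in parse_w3c(smtp_log)
             if r.get("c-ip") in local_ips and r.get("cs-method", "").upper() == "MAIL"]
    hits = Counter()
    for r in parse_w3c(web_log):
        stem = r.get("cs-uri-stem", "").lower()
        # The log time need not equal the moment the script sent mail, so compare both ways.
        if stem.endswith(exts) and any(abs((m - r["ts"]).total_seconds()) <= window for m in mails):
            hits[(r.get("s-sitename", "?"), stem)] += 1
    return hits.most_common()

# Constructed sample logs (not taken from the thread).
WEB_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename cs-method cs-uri-stem c-ip sc-status
2007-03-01 10:00:01 W3SVC12 GET /index.asp 198.51.100.7 200
2007-03-01 10:00:05 W3SVC12 POST /forms/sendmail.asp 203.0.113.9 200
2007-03-01 10:00:09 W3SVC12 POST /forms/sendmail.asp 203.0.113.9 200
2007-03-01 10:00:30 W3SVC12 GET /images/logo.gif 198.51.100.7 200
2007-03-01 10:01:00 W3SVC12 GET /index.asp 198.51.100.7 200
"""
SMTP_LOG = """#Fields: date time c-ip cs-method
2007-03-01 10:00:05 127.0.0.1 MAIL
2007-03-01 10:00:05 127.0.0.1 RCPT
2007-03-01 10:00:10 127.0.0.1 MAIL
2007-03-01 10:00:40 192.0.2.50 MAIL
"""

if __name__ == "__main__":
    for (site, script), n in rank_scripts(WEB_LOG, SMTP_LOG, {"127.0.0.1"}):
        print(f"{n:4d}  {site}  {script}")
```

On a busy server a tight window still produces coincidental matches, so the ranking only narrows down which scripts to read first; the `c-ip` of the matching web requests then shows who is driving them.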
Viewing: Dev Shed Forums > System Administration > IIS > CDOSYS spam attack