
Topic: hMailserver Queue [How to find spam on Windows] - spammers

sajugovind (Guest)
« on: June 21, 2014, 10:38:44 pm »
Hi,

Here are the steps:

1) Open (or refresh) C:\Program Files (x86)\hMailServer\Data in Explorer.

2) If the server is overloaded by spam, at least 90% of the files inside that folder will be spam emails. Open up 10 of them in EditPlus or a similar text editor. If you see a large similarity between a lot of them, that's your spammer.

3) At the top of one of the emails you have identified as spam you will see the "From" header. Check whether the From domain is hosted on this server. If it is, suspend that account. If it is not, the "Received" headers at the top of the same email show the IP address of the computer/user that connected via SMTP (use the top-most Received line, the one your own server added; the ones below it came from the sender and can be forged). Copy that IP address, then:

4) Go to: C:\Program Files (x86)\hMailServer\Logs

5) Open up the newest log file. If it is so large that it crashes your text editor, rename the newest log file so that its name ends in "archive", restart hMailServer and refresh the folder C:\Program Files (x86)\hMailServer\Logs. You will then see a new log file. Start again at step 1 so that you have fresh spam that is recorded in the new log file hMailServer has just created.

6) CTRL+F (find) the IP address that was at the top of the spam email headers.

7) Keep searching until you find lines that look similar to this:

"<spammers IP address>"    "RECEIVED: AUTH LOGIN"
"<spammers IP address>"    "SENT: 334 VXNlcm5hbWU6"
"<spammers IP address>"    "RECEIVED: dGVzdEB0ZXN0LmNvbQ=="
"<spammers IP address>"    "SENT: 334 UGFzc3dvcmQ6"

They may not be back to back; other log records may be in between. "SENT: 334 VXNlcm5hbWU6" is the server asking for the username ("VXNlcm5hbWU6" is base64 for "Username:"), and the next "RECEIVED" line from that IP address is the username the spammer sent (in the example above, "dGVzdEB0ZXN0LmNvbQ=="). "SENT: 334 UGFzc3dvcmQ6" ("Password:") is followed by the password in the same way. So you only care about the "RECEIVED" line that follows the first "SENT: 334". It is base64-encoded (not encrypted), so copy it and decode it, for example with:

http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx

(Better still, decode it locally rather than pasting account names from your server into a third-party website.) That gives you the real username; take appropriate action, e.g. change that account's password and suspend it.


More Advanced Details:

Unfortunately, when hMailServer has a very large email queue, it starts putting the emails it needs to deliver into the queue instead of trying to deliver them first. This is often caused by someone spamming through the server, so the first step is to identify the person spamming on the server. The method of identification depends on the size of the queue. In this example, Stem was not delivering emails. I logged on to the server, opened up hMailServer Administrator and clicked on Status -> Delivery Queue.

Then I clicked on Refresh. After about 5 minutes of waiting, hMailServer crashed. So we know the queue is too long for this method.

Then I went to C:\Program Files (x86)\hMailServer\Data and looked at the files in there. The files outside of the directories are all the emails that are in the queue. I noticed that the majority were of size 2 KB. I opened up one of them and sure enough it was spam.

I looked at other ones that were 2 KB and they were spam as well. I organized the files and removed the 2 KB ones that came in immediately within the past 1-2 days.

Another way to do this is to right-click on the sorting tabs at the top and select "Author"; you will then be able to see the exact account that sent each e-mail. If there is a large amount of mail in the queue, this will take a long time, so it is best to remove some of the e-mails first.

Once I removed those (approximately 14k emails), I noticed that now we had a lot of 1 KB ones. I looked at those and noticed that they were all bouncebacks for the 2 KB emails. I removed the recent ones as well.

Now I could go to hMailServer Administrator again -> Status -> Delivery Queue and look at the emails. Most likely there are still going to be some emails left by that spammer, so now you can sort by sender and remove them from the queue. Quickly after that, you are going to see the queue delivering all the emails that were stuck in it.

From: http://www.hmailserver.com/documentation/latest/?page=ts_server_used_for_spam
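Steps 3 to 7 of the post above, as an added Python example (this is not code from the original post or from the hMailServer documentation). It reads the connecting IP from a queued message's top-most Received header, checks whether the From domain is one hosted on the server, and otherwise walks the hMailServer SMTPD log for that IP and decodes the base64 username the client sent after the "334 VXNlcm5hbWU6" prompt. AUTH LOGIN state is tracked per (session, IP), so interleaved lines from other clients do not pair the prompt with the wrong reply, and the password token is consumed but never decoded. The message, the log lines and the local domain set are all constructed; the tab-separated log column layout is an approximation of hMailServer's format and is an assumption.

```python
import base64
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a queued message like the files under hMailServer\Data.
# Header layout is an approximation, not a real capture.
SAMPLE_SPAM = """Received: from spamhost ([192.0.2.10])
\tby mail.example.net with hMailServer ; Sat, 21 Jun 2014 10:29:59 +0200
From: "Promo" <offer@example.org>
To: victim@example.com
Subject: You won
Message-ID: <1@example.org>

Click here.
"""

# Constructed log lines approximating hMailServer's SMTPD log columns (assumption):
# "SMTPD"<TAB>thread<TAB>session<TAB>"timestamp"<TAB>"remote ip"<TAB>"text"
# A second session (198.51.100.7) is interleaved on purpose.
SAMPLE_LOG = "\n".join([
    '"SMTPD"\t3532\t12\t"2014-06-21 10:29:58.101"\t"192.0.2.10"\t"RECEIVED: EHLO spamhost"',
    '"SMTPD"\t3532\t12\t"2014-06-21 10:29:58.102"\t"192.0.2.10"\t"RECEIVED: AUTH LOGIN"',
    '"SMTPD"\t3532\t12\t"2014-06-21 10:29:58.103"\t"192.0.2.10"\t"SENT: 334 VXNlcm5hbWU6"',
    '"SMTPD"\t3532\t13\t"2014-06-21 10:29:58.104"\t"198.51.100.7"\t"RECEIVED: MAIL FROM:<bob@example.net>"',
    '"SMTPD"\t3532\t12\t"2014-06-21 10:29:58.105"\t"192.0.2.10"\t"RECEIVED: dGVzdEB0ZXN0LmNvbQ=="',
    '"SMTPD"\t3532\t12\t"2014-06-21 10:29:58.106"\t"192.0.2.10"\t"SENT: 334 UGFzc3dvcmQ6"',
    '"SMTPD"\t3532\t12\t"2014-06-21 10:29:58.107"\t"192.0.2.10"\t"RECEIVED: c2VjcmV0"',
    '"SMTPD"\t3532\t12\t"2014-06-21 10:29:58.108"\t"192.0.2.10"\t"SENT: 235 authenticated."',
])

LOCAL_DOMAINS = {"example.net"}  # assumption: the domains hosted on this server

LOG_RE = re.compile(r'^"SMTPD"\t\d+\t(\d+)\t"[^"]*"\t"([^"]+)"\t"(.*)"$')
USERNAME_PROMPT = "SENT: 334 VXNlcm5hbWU6"   # base64("Username:")
PASSWORD_PROMPT = "SENT: 334 UGFzc3dvcmQ6"   # base64("Password:")


def decode_b64(token):
    """Decode one base64 token; None if it is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def connecting_ip(raw_message):
    """IP of the SMTP client, from the top-most Received header (the one your own
    server added; lower Received lines came from the sender and can be forged)."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return m.group(1) if m else None


def sender_address(raw_message):
    """Bare address from the From header."""
    return parseaddr(message_from_string(raw_message).get("From", ""))[1]


def is_local_sender(raw_message, local_domains=LOCAL_DOMAINS):
    addr = sender_address(raw_message)
    return addr.rpartition("@")[2].lower() in local_domains if "@" in addr else False


def auth_login_usernames(log_text, ip=None):
    """Return [(ip, username)] for every AUTH LOGIN in the log. State is kept per
    (session, ip) so lines from other clients in between do not mis-pair a
    prompt with the wrong reply. The password reply is consumed, never decoded."""
    state, found = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        session, rip, text = m.groups()
        if ip and rip != ip:
            continue
        key = (session, rip)
        if text == USERNAME_PROMPT:
            state[key] = "user"
        elif text == PASSWORD_PROMPT:
            state[key] = "pass"
        elif text.startswith("RECEIVED: ") and key in state:
            if state.pop(key) == "user":
                found.append((rip, decode_b64(text[len("RECEIVED: "):])))
    return found


def find_spammer_account(raw_message, log_text, local_domains=LOCAL_DOMAINS):
    """Steps 3-7 of the post: local From domain -> that account; otherwise take
    the client IP and look up which account authenticated from it most often."""
    ip = connecting_ip(raw_message)
    if is_local_sender(raw_message, local_domains):
        return {"reason": "local sender", "account": sender_address(raw_message), "ip": ip}
    users = Counter(u for _, u in auth_login_usernames(log_text, ip=ip) if u)
    account = users.most_common(1)[0][0] if users else None
    return {"reason": "authenticated relay", "account": account, "ip": ip}


if __name__ == "__main__":
    print(find_spammer_account(SAMPLE_SPAM, SAMPLE_LOG))
```

On a real server, replace SAMPLE_SPAM with the contents of one of the 2 KB files from the Data folder and SAMPLE_LOG with the newest file from the Logs folder; the decoded username is the account whose password was stolen or guessed, and the Counter ranking is what tells you which account to suspend when the same IP authenticated as several.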