[ale] tracking down a spammer on our box

Christopher Fowler cfowler at outpostsentinel.com
Fri Apr 1 08:32:30 EST 2005


I agree.  I would double check it manually.  Here is a sample session
where I checked Earthlink's SMTP server
[cfowler at cfowler devel]$ telnet smtp.earthlink.net 25
Trying 207.217.121.208...
Connected to smtp.earthlink.net.
Escape character is '^]'.
220-pop-a065c10.pas.sa.earthlink.net ESMTP Exim 3.36 #10 Fri, 01 Apr
2005 05:23:15 -0800
220-NO UCE.  EarthLink does not authorize the use of its computers or
network
220 equipment to deliver, accept, transmit, or distribute unsolicited
e-mail.
helo opsup.com
250 pop-a065c10.pas.sa.earthlink.net Hello
66-23-198-138.clients.speedfactory.net [66.23.198.138]
mail from: <bgates at microsoft.com>
250 <bgates at microsoft.com> is syntactically correct
rcpt to: <ale at ale.org>
550-EarthLink does not recognize your computer (66.23.198.138) as
connecting from an EarthLink connection.  If this is in error, please
contact technical support.
550 relaying to <ale at ale.org> prohibited by administrator


On Fri, 2005-04-01 at 08:10, Yu, Jerry wrote:
> 1) if it is done thru PHP/apache, wouldn't the sender be guessed as user
> 'apache' or 'nobody' instead of 'anonymous' on the web server, the owner
> of the apache process?  
> 2) I'd double check the 'open relay' thingy, by sending such spam email
> manually, by directly talking to the SMTP server in question, from
> outside and from inside your network, if possible.
> 
> # -----Original Message-----
> # From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On 
> # Behalf Of James P. Kinney III
> # Sent: Thursday, March 31, 2005 11:51 PM
> # To: Atlanta Linux Enthusiasts
> # Subject: Re: [ale] tracking down a spammer on our box
> # 
> # Uugh! I am not a PHP person but I suspect that the logging 
> # can be turned up in apache to help with more data on linking 
> # a web process to an email generation.
> # 
> # You should be able to set qmail to not allow a user named 
> # "anonymous" to send mail.
> # 
> # On Thu, 2005-03-31 at 23:39 -0500, Ryan Williams wrote:
> # > We are running RedHat ES and have someone using our server 
> # to send a 
> # > small but steady stream of spam... between 4 and 5 messages per 
> # > minute, so they are smart enough to keep the activity fairly low 
> # > profile. We've already confirmed with ORDB that we are not an open 
> # > relay. The messages are showing up in ps -aux as:
> # > 
> # > qmailr 19774 0.0 0.0 3436 972 ? S 14:44 0:00 qmail-remote 
> # > remotedomain.com anonymous at server1.ourserver.com 
> # > randomuser at remotedomain.com
> # > 
> # > and our maillogs show messages being delivered which are 
> # certainly spam:
> # > 
> # > Mar 31 15:07:02 server1 qmail: 1112299622.785136 starting delivery
> # > 193807: msg 9536773 to remote randomuser at remotedomain.com
> # > 
> # > Since the messages are being sent by "anonymous", we are 
> # pretty sure 
> # > this is a vulnerable PHP script somewhere on the server 
> # that is being 
> # > used, but we are having the hardest time tracking down 
> # which one(s) is 
> # > the culprit. Is there any way to track down which domain or 
> # script was 
> # > used to send these messages?
> # > 
> # > Thanks!
> # > 
> # > Ryan
> # > _______________________________________________
> # > Ale mailing list
> # > Ale at ale.org
> # > http://www.ale.org/mailman/listinfo/ale
> # -- 
> # James P. Kinney III          \Changing the mobile computing world/
> # CEO & Director of Engineering \          one Linux user         /
> # Local Net Solutions,LLC        \           at a time.          /
> # 770-493-8244                    \.___________________________./
> # http://www.localnetsolutions.com
> # 
> # GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) 
> # <jkinney at localnetsolutions.com> Fingerprint = 3C9E 6366 54FC 
> # A3FE BA4D 0659 6190 ADC3 829C 6CA7
> # 
> 
> 
> 

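The telnet session above is the manual version of an open-relay self-check: greet the server, give a foreign sender, ask it to accept a recipient it is not responsible for, and read the RCPT TO reply. The script below is an added example, not code from the list or from anyone in the thread: it replays that dialogue in Python with a reader that understands the "220-" continuation lines Earthlink's banner uses, and it bundles a constructed stand-in SMTP server (domain test.example, banner text, reply wording) so the check runs offline. The hostnames and addresses in run_demo() are taken from the transcript and are only sample values.

```python
"""Open-relay self-check: replays the HELO / MAIL FROM / RCPT TO dialogue
from the telnet session above against an MTA, and bundles a constructed
stand-in server so the whole thing runs offline."""
import io
import socket
import socketserver
import threading

LOCAL_DOMAIN = "test.example"  # constructed: the only domain the stand-in accepts mail for


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the remote MTA. Replies are modelled on the
    Earthlink transcript: multi-line 220 banner, lax MAIL FROM, 550 on a
    recipient the server is not responsible for."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220-mx.test.example ESMTP (constructed test server)")
        self.reply("220 NO UCE. Relaying is restricted to local recipients.")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mx.test.example Hello %s" % self.client_address[0])
            elif verb == "MAIL":
                self.reply("250 sender is syntactically correct")
            elif verb == "RCPT":
                if line.lower().rstrip(">").endswith("@" + LOCAL_DOMAIN):
                    self.reply("250 recipient accepted")
                else:
                    self.reply("550-mx.test.example does not recognize your host as local.")
                    self.reply("550 relaying to that recipient prohibited by administrator")
            elif verb == "QUIT":
                self.reply("221 closing connection")
                return
            else:
                self.reply("500 command not recognized")


def read_reply(rfile):
    """Read one SMTP reply, following 'NNN-' continuation lines until the
    final 'NNN ' line. Returns (code, [all lines of the reply])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) >= 4 and text[3] == "-":
            continue  # more lines of the same reply follow
        return int(text[:3]), lines


def parse_reply(data):
    """Parse a captured reply from bytes, no socket needed (used by tests)."""
    return read_reply(io.BytesIO(data))


def smtp_relay_check(host, port, helo_name, mail_from, rcpt_to, timeout=10):
    """Replay the manual check: HELO, MAIL FROM, RCPT TO, QUIT. Never sends
    DATA, so no message leaves. Returns (code, lines) of the RCPT TO reply;
    a 2xx for a recipient outside the server's own domains means the server
    will relay for this client, i.e. it is an open relay from here."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rb") as rfile:

        def cmd(text):
            sock.sendall(text.encode("ascii") + b"\r\n")
            return read_reply(rfile)

        banner_code, banner = read_reply(rfile)
        if banner_code != 220:
            raise RuntimeError("unexpected banner: %s" % banner[-1])
        for step in ("HELO %s" % helo_name, "MAIL FROM:<%s>" % mail_from):
            code, lines = cmd(step)
            if code != 250:
                raise RuntimeError("%s rejected: %s" % (step, lines[-1]))
        rcpt_code, rcpt_lines = cmd("RCPT TO:<%s>" % rcpt_to)
        cmd("QUIT")
        return rcpt_code, rcpt_lines


def start_fake_server():
    """Start the constructed stand-in on an ephemeral localhost port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_demo():
    """One foreign and one local recipient against the stand-in server."""
    srv, port = start_fake_server()
    try:
        foreign = smtp_relay_check("127.0.0.1", port, "opsup.com",
                                   "bgates@microsoft.com", "ale@ale.org")
        local = smtp_relay_check("127.0.0.1", port, "opsup.com",
                                 "bgates@microsoft.com", "postmaster@" + LOCAL_DOMAIN)
    finally:
        srv.shutdown()
        srv.server_close()
    return {"foreign_rcpt_code": foreign[0], "local_rcpt_code": local[0],
            "open_relay": 200 <= foreign[0] < 300}


if __name__ == "__main__":
    print(run_demo())
```

Against a real mail server, call smtp_relay_check("your.mx.hostname", 25, ...) with a recipient in a domain the server does not host; as Jerry says, run it once from outside and once from inside the network, since many MTAs (Earthlink's included) decide on the connecting address. A 550 on RCPT TO is what you want to see; a 250 there says the server will queue mail for strangers, whatever ORDB's listing says.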

