[ale] tracking down a spammer on our box

Ryan Williams ryan at jimmyether.com
Sat Apr 2 12:43:06 EST 2005


Yu, Jerry wrote:
> 1) if it is done thru PHP/apache, wouldn't the sender be guessed as user
> 'apache' or 'nobody' instead of 'anonymous' on the web server, the owner
> of the apache process?

We are using qmail, and qmail-inject sets the From field to anonymous if 
USER and LOGNAME aren't set. There are a few valid cases where anonymous 
is used to send me cron messages for this reason.

> 2) I'd double check the 'open relay' thing, by sending such spam email
> manually, by directly talking to the SMTP server in question, from
> outside and from inside your network, if possible.

We've confirmed now that we are not an open relay by doing just this.

I'm 99% sure this is coming from a php script on one of our clients' 
accounts, but damn if I can find a match. I've been comparing times in 
the spam headers with the apache access_logs and nothing likely is 
coming up. I'm thinking since I can see the qmail-remote processes in 
ps aux that I can look for the process ID of the script, then go to the 
/proc directory and look at the environment file and see what directory 
the script is being called from. I'm a little new to everything in the 
/proc dir though, so I'm not seeing the environment file anywhere.

Ryan
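The /proc lookup described in the post, as an added example that is not part of the original message: for a PID it reads the cwd symlink, the NUL-separated environ file (this is the "environment file" being looked for) and the PPid field of status, then walks the parent chain, because the process that hands mail to qmail is often a short-lived child and its parent (an httpd worker or interpreter) is what points at the site code. It assumes a standard Linux procfs with readlink, tr and awk available; the process name qmail-remote comes from the post.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a process through /proc.
# Assumes a standard Linux procfs, readlink, tr and awk.

# Directory the process was started in: /proc/PID/cwd is a symlink to it.
proc_cwd() {
    readlink "/proc/$1/cwd"
}

# Initial environment of the process, one VAR=value per line.
# This is the "environment file": /proc/PID/environ, NUL-separated.
proc_environ() {
    tr '\0' '\n' < "/proc/$1/environ"
}

# Command line with the NUL separators turned into spaces.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline"
    echo
}

# Parent PID, from the "PPid:" line of /proc/PID/status.
proc_ppid() {
    awk '/^PPid:/ { print $2 }' "/proc/$1/status"
}

# Walk from PID up to init, printing "pid cwd cmdline" at each step.
# The mail-sending process is often a short-lived child; its parent
# (an httpd worker, an interpreter) shows which code started it.
proc_chain() {
    pid=$1
    while [ "$pid" -gt 1 ] && [ -r "/proc/$pid/status" ]; do
        printf '%s %s %s\n' "$pid" \
            "$(proc_cwd "$pid" 2>/dev/null || echo '?')" \
            "$(proc_cmdline "$pid" 2>/dev/null)"
        pid=$(proc_ppid "$pid" 2>/dev/null || true)
        pid=${pid:-0}
    done
}

# Chains for every process whose command name matches, e.g. qmail-remote
# (scans /proc/*/comm instead of relying on pidof being installed).
chains_for_name() {
    for d in /proc/[0-9]*; do
        [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ] || continue
        proc_chain "${d#/proc/}"
        echo ---
    done
}
```

Run `chains_for_name qmail-remote` as root while the spam is flowing; entries owned by other users are unreadable otherwise, and the interesting line is usually the parent one or two steps above the mailer.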
