[ale] tracking down a spammer on our box
Ryan Williams
ryan at jimmyether.com
Sat Apr 2 12:43:06 EST 2005
Yu, Jerry wrote:
> 1) if it is done thru PHP/apache, wouldn't the sender be guessed as user
> 'apache' or 'nobody' instead of 'anonymous' on the web server, the owner
> of the apache process?
We are using qmail, and qmail-inject sets the From field to anonymous if
USER and LOGNAME aren't set. There are a few valid cases where anonymous
is used to send me cron messages for this reason.
> 2) I'd double check the 'open relay' thingy, by sending such spam email
> manually, by directly talking to the SMTP server in question, from
> outside and from inside your network, if possible.
We've confirmed now that we are not an open relay by doing just this.
I'm 99% sure this is coming from a php script on one of our clients'
accounts, but damn if I can find a match. I've been comparing times in
the spam headers with the apache access_logs and nothing likely is
coming up. I'm thinking since I can see the qmail-remote processes in
ps aux that I can look for the process ID of the script, then go to the
/proc directory and look at the environment file and see what directory
the script is being called from. I'm a little new to everything in the
/proc dir though, so I'm not seeing the environment file anywhere.
Ryan
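The /proc lookup described in the message above, as an added example that is not part of the original thread. Each process has /proc/PID/environ (its environment, NUL-separated, readable only by the process owner or root), /proc/PID/cwd (a symlink to its working directory) and /proc/PID/status (with Name: and PPid: lines, so the parent chain can be walked back to httpd). Two caveats worth knowing before trying it: qmail-remote is forked by qmail-send via qmail-rspawn, so its environment describes the qmail daemons, not the script that injected the message; the process to catch is the short-lived qmail-inject or sendmail wrapper while it is still a child of httpd. And with PHP running as an Apache module that child inherits httpd's own environment and cwd, so PWD and SCRIPT_FILENAME identify the script only when PHP runs as CGI. The PROC_ROOT variable is a hypothetical knob added here so the functions can be exercised against a constructed tree; on a live box leave it at /proc.

```shell
#!/bin/sh
# Added example (not from the original post): walk a process's ancestry under
# /proc and report what might identify the script that spawned it.
# PROC_ROOT is an assumed knob for testing against a constructed tree.
PROC_ROOT=${PROC_ROOT:-/proc}

# Parent pid of $1, taken from the PPid: line of status.
proc_ppid() {
    awk '/^PPid:/ { print $2 }' "$PROC_ROOT/$1/status" 2>/dev/null
}

# Executable name of $1, from the Name: line of status
# (status predates /proc/PID/comm, so it works on old kernels too).
proc_name() {
    awk '/^Name:/ { print $2 }' "$PROC_ROOT/$1/status" 2>/dev/null
}

# Value of environment variable $2 in process $1.
# environ is NUL-separated, so NULs are turned into newlines first.
proc_env() {
    tr '\0' '\n' < "$PROC_ROOT/$1/environ" 2>/dev/null | sed -n "s/^$2=//p"
}

# Working directory of $1 (cwd is a symlink to it).
proc_cwd() {
    readlink "$PROC_ROOT/$1/cwd" 2>/dev/null
}

# Walk from pid $1 up to init, printing one line per process:
# pid, parent, name, cwd and the two variables most likely to name a script.
trace_ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        printf '%s ppid=%s name=%s cwd=%s PWD=%s SCRIPT_FILENAME=%s\n' \
            "$pid" "$(proc_ppid "$pid")" "$(proc_name "$pid")" \
            "$(proc_cwd "$pid")" "$(proc_env "$pid" PWD)" \
            "$(proc_env "$pid" SCRIPT_FILENAME)"
        pid=$(proc_ppid "$pid")
    done
}

# Pids of live injection/delivery processes whose environment has neither
# USER nor LOGNAME, the condition under which qmail-inject stamps "anonymous".
find_anonymous_senders() {
    for d in "$PROC_ROOT"/[0-9]*; do
        pid=${d##*/}
        case "$(proc_name "$pid")" in
            qmail-inject|sendmail|qmail-remote) ;;
            *) continue ;;
        esac
        if [ -z "$(proc_env "$pid" USER)" ] && [ -z "$(proc_env "$pid" LOGNAME)" ]; then
            echo "$pid"
        fi
    done
}

# Usage on a live box (as root): for each candidate, print its ancestry.
# for p in $(find_anonymous_senders); do trace_ancestry "$p"; echo; done
```

Run it in a loop (watch -n1 style) while the spam is flowing, since qmail-inject exits as soon as the message is queued; for anything qmail-send has already picked up, the queue files under /var/qmail/queue and the qmail-send log are the better record.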