[ale] tracking down a spammer on our box

James P. Kinney III jkinney at localnetsolutions.com
Thu Mar 31 23:58:32 EST 2005


Uugh! I am not a PHP person, but I suspect that the logging can be turned
up in apache to help with more data on linking a web process to an email
generation.

You should be able to set qmail to not allow a user named "anonymous" to
send mail.

On Thu, 2005-03-31 at 23:39 -0500, Ryan Williams wrote:
> We are running RedHat ES and have someone using our server to send a 
> small but steady stream of spam... between 4 and 5 messages per minute, 
> so they are smart enough to keep the activity fairly low profile. We've 
> already confirmed with ORDB that we are not an open relay. The messages 
> are showing up in ps -aux as:
> 
> qmailr 19774 0.0 0.0 3436 972 ? S 14:44 0:00 qmail-remote 
> remotedomain.com anonymous@server1.ourserver.com randomuser@remotedomain.com
> 
> and our maillogs show messages being delivered which are certainly spam:
> 
> Mar 31 15:07:02 server1 qmail: 1112299622.785136 starting delivery 
> 193807: msg 9536773 to remote randomuser@remotedomain.com
> 
> Since the messages are being sent by "anonymous", we are pretty sure 
> this is a vulnerable PHP script somewhere on the server that is being 
> used, but we are having the hardest time tracking down which one(s) is 
> the culprit. Is there any way to track down which domain or script was 
> used to send these messages?
> 
> Thanks!
> 
> Ryan
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
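The correlation James is pointing at (an apache hit a second or two before each "anonymous" message is queued) can be done mechanically against the two logs. The script below is an added example, not code from the original post or from anyone on the list. It assumes the qmail syslog format shown above (splogger's unix timestamp after "qmail:", then the qmail-send "info msg ... from <sender> qp N uid N" line, which is the queue event, not the delivery), and an apache access log in vhost-combined form with LogFormat "%v %h %l %u %t \"%r\" %>s %b" so the first field names the virtual host. Both log excerpts, the hostnames and the paths in it are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed qmail-send log excerpt (not from the original post).  The "info msg"
# line is written when qmail-inject hands a message to the queue; "uid 48" is the
# uid of the process that injected it, i.e. the web server's uid in this sample.
QMAIL_LOG = """\
Mar 31 15:07:01 server1 qmail: 1112299621.412345 new msg 9536773
Mar 31 15:07:01 server1 qmail: 1112299621.413210 info msg 9536773: bytes 1502 from <anonymous@server1.ourserver.com> qp 19770 uid 48
Mar 31 15:07:02 server1 qmail: 1112299622.785136 starting delivery 193807: msg 9536773 to remote randomuser@remotedomain.com
Mar 31 15:07:13 server1 qmail: 1112299633.100200 new msg 9536774
Mar 31 15:07:13 server1 qmail: 1112299633.101001 info msg 9536774: bytes 1498 from <anonymous@server1.ourserver.com> qp 19781 uid 48
Mar 31 15:07:25 server1 qmail: 1112299645.200000 info msg 9536775: bytes 1507 from <anonymous@server1.ourserver.com> qp 19790 uid 48
Mar 31 15:07:40 server1 qmail: 1112299660.900000 info msg 9536776: bytes 812 from <ryan@server1.ourserver.com> qp 19802 uid 500
"""

# Constructed apache vhost-combined access log excerpt (assumed LogFormat with %v first).
APACHE_LOG = """\
shop.example-customer.com 203.0.113.7 - - [31/Mar/2005:15:06:58 -0500] "GET /index.php HTTP/1.1" 200 5120
shop.example-customer.com 198.51.100.23 - - [31/Mar/2005:15:07:00 -0500] "POST /contact/form.php HTTP/1.1" 200 312
blog.example-customer.com 203.0.113.9 - - [31/Mar/2005:15:07:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 2345
shop.example-customer.com 198.51.100.23 - - [31/Mar/2005:15:07:12 -0500] "POST /contact/form.php HTTP/1.1" 200 312
blog.example-customer.com 203.0.113.10 - - [31/Mar/2005:15:07:13 -0500] "GET /archive.php?y=2005 HTTP/1.1" 200 8801
shop.example-customer.com 198.51.100.23 - - [31/Mar/2005:15:07:24 -0500] "POST /contact/form.php HTTP/1.1" 200 312
blog.example-customer.com 203.0.113.11 - - [31/Mar/2005:15:07:39 -0500] "GET /index.php HTTP/1.1" 200 7000
"""

INJECT_RE = re.compile(
    r"qmail: (\d+\.\d+) info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
APACHE_RE = re.compile(
    r'^(\S+) (\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_injections(log, sender_prefix="anonymous@"):
    """Return (epoch, msg_id, sender, uid) for every queue event by the suspect sender."""
    found = []
    for line in log.splitlines():
        m = INJECT_RE.search(line)
        if m and m.group(3).startswith(sender_prefix):
            found.append((float(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4))))
    return found


def parse_script_hits(log):
    """Return (epoch, vhost, method, path) for each request to a .php path."""
    hits = []
    for line in log.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        vhost, _client, when, method, target, _status = m.groups()
        path = target.split("?", 1)[0]          # drop the query string
        if not path.endswith(".php"):
            continue
        epoch = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        hits.append((epoch, vhost, method, path))
    return hits


def rank_suspects(injections, hits, before=10.0, after=1.0):
    """Score each (vhost, path) by how many injections it preceded within the window.

    Apache logs the request start time, so the hit that called mail() normally
    sits a little *before* the queue event; `after` only absorbs clock jitter.
    A script hit twice inside one window is counted once for that injection.
    """
    score = Counter()
    for inject_ts, *_ in injections:
        seen = set()
        for hit_ts, vhost, _method, path in hits:
            if inject_ts - before <= hit_ts <= inject_ts + after:
                seen.add((vhost, path))
        score.update(seen)
    return score.most_common()


if __name__ == "__main__":
    injections = parse_injections(QMAIL_LOG)
    for (vhost, path), n in rank_suspects(injections, parse_script_hits(APACHE_LOG)):
        print(f"{n:3d}/{len(injections)} injections  {vhost}{path}")
```

On real logs, feed the full day's files in and widen `before` if the box is slow; a script that shows up in nearly every window while the others show up in a few is the one to read. The match is statistical, so confirm it before editing anything: the cheapest definitive check on a qmail box (a standard trick, not something from the thread) is to point PHP's `sendmail_path` at a small wrapper that logs `$PWD` and the caller's environment before exec'ing the real `sendmail`, which ties each queued message to the exact script directory.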