How can I track down a spammer?

djcronos (Verified User, joined Mar 21, 2006, 75 messages)
Hi all,

One of our mail servers was recently added to SpamHaus. Luckily one of our customers caught it and submitted it for removal, and in fact it was removed.

However, I'd like to track down the spammer that is spamming on our servers, hurting business for other customers.

What tools/techniques do you folks use to track down the culprit? I've tried to look at DA to see if their bandwidth is over normal use, as well as tailing the /var/log/exim/mainlog.* and I see the emails where we get notified that we are on a spamlist, but I don't know how to find the culprit.

Thanks in advance.
 
Not if you put it on line 2.

instead put it in the log_selector section. Either replace the log selector I've got, or add whatever is missing, using the same format.

Other than that, to make it work, I have no idea if it's going to make it easy or hard to trace spammer email.

If it helps we can make it the default in the next version but it's going to result in a lot more lines in the logs.

Jeff
 
Hey thanks for the kind comments - I will look into both these and get back to you guys with the results.

Thanks guys as always!
 
Okay so I tried that patch and ran the test .php script and I don't see the PHP headers in the email.

Have you been able to get this to work?
 
Then what the heck am I doing wrong? :)

Here's what I did (I use PHP 4.4.7):

Code:
cd /usr/local/directadmin/customapache
wget http://choon.net/opensource/php/php-4.4.7-mail-header.patch
tar xvzf php-4.4.7.tar.gz
patch -p0 < php-4.4.7-mail-header.patch
./build clean
./build php n
service httpd restart

I do that, run the test script, it e-mails me, but I don't see the X-PHP headers.

What am I doing wrong?
 
Code:
cd /usr/local/directadmin/customapache
wget http://choon.net/opensource/php/php-4.4.7-mail-header.patch
tar xvzf php-4.4.7.tar.gz
patch -p0 < php-4.4.7-mail-header.patch
cd php-4.4.7
'./configure' '--with-apxs' '--with-curl' '--with-curl-dir=/usr/local/lib' '--with-gd' '--with-gd-dir=/usr/local' '--with-gettext' '--with-jpeg-dir=/usr/local/lib' '--with-kerberos' '--with-mcrypt' '--with-mhash' '--with-mysql=/usr' '--with-pear' '--with-png-dir=/usr/local/lib' '--with-xml' '--with-zlib' '--with-zlib-dir=/usr/local/lib' '--with-zip' '--with-openssl' '--enable-bcmath' '--enable-calendar' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-track-vars' '--enable-mbstring' '--enable-memory-limit'
make
make install
service httpd restart
 
I've added the mail header patch into both customapache and custombuild, enabled by default.

If you don't want it, edit the build script and change:
APPLY_MAIL_HEADER_PATCH=1
to
APPLY_MAIL_HEADER_PATCH=0
and compile normally, the patch won't be applied.

John
 
So on current servers do I do
Code:
./build clean
./build update
./build php n
 
Another question to someone who's using this now...

Will my default logging add enough information to the exim mainlog to catch this information, or should I add something to the logging in exim.conf?

Thanks.

Jeff
 
For clarification, this isn't applied when DA is updated. It's only applied when you update your build script and recompile PHP, as in floyd's example. Also, all new servers will have this code by default.
I believe (unless I'm missing something) this only adds headers to the email and doesn't do any mainlog logging by default. You'd probably want to have exim actively searching for the header and logging it if local logging is desired (which it probably would be).

John
 
Yes, it only adds one line to the mail header, nothing more.
 
But is anything in that header caught by the logs? If not, then we may have to figure out what to add to the logging system to get it logged. Anyone know?

Thanks!

Jeff
 
No, it doesn't catch anything from the logs. When a PHP script is being executed, it gets these "variables":
Code:
zval **server, **remote_addr, **forwarded_for, **php_self, **server_name;
And puts them in this format (and places in the headers):
Code:
X-PHP-Script: <server_name><php_self> for [<forwarded_for>,]<remote-addr>
 
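Once the patched PHP is stamping outgoing mail with that header, the practical question is how to turn a pile of headers into "which script, on which vhost, called from which address". The following is an added example, not code from this thread or from DirectAdmin or the choon.net patch: a small Python parser for the X-PHP-Script format quoted above, run over a handful of constructed header lines, that counts messages per script and per remote address. The host names, paths and IP addresses in the sample are made up for the example.

```python
import re
from collections import Counter

# Header layout as quoted in the thread:
#   X-PHP-Script: <server_name><php_self> for [<forwarded_for>,]<remote-addr>
# server_name and php_self are concatenated with no separator; php_self starts with "/".
HEADER_RE = re.compile(r"^X-PHP-Script:\s*(?P<script>\S+)\s+for\s+(?P<addrs>\S+)\s*$")

# Constructed sample input (not real traffic): header lines pulled from several messages.
SAMPLE_HEADERS = [
    "X-PHP-Script: www.example.com/forms/contact.php for 198.51.100.23",
    "X-PHP-Script: www.example.com/forms/contact.php for 203.0.113.9,198.51.100.23",
    "X-PHP-Script: shop.example.net/includes/send.php for 192.0.2.77",
    "Subject: unrelated header, ignored by the parser",
]


def parse_x_php_script(line):
    """Return (script, forwarded_for, remote_addr), or None if the line is not an X-PHP-Script header.

    forwarded_for is the comma-joined X-Forwarded-For chain, or None when the
    patch emitted only the remote address.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    script = m.group("script")
    addrs = m.group("addrs").split(",")
    remote_addr = addrs[-1]                 # last element is always <remote-addr>
    forwarded_for = ",".join(addrs[:-1]) or None
    return script, forwarded_for, remote_addr


def split_script(script):
    """Split the concatenated <server_name><php_self> back into (server_name, php_self)."""
    host, sep, path = script.partition("/")
    return host, sep + path


def summarize(lines):
    """Count parsed headers per originating script and per remote address."""
    by_script = Counter()
    by_addr = Counter()
    for line in lines:
        parsed = parse_x_php_script(line)
        if parsed is None:
            continue
        script, _forwarded_for, remote_addr = parsed
        by_script[script] += 1
        by_addr[remote_addr] += 1
    return by_script, by_addr


if __name__ == "__main__":
    by_script, by_addr = summarize(SAMPLE_HEADERS)
    print("Messages per script:")
    for script, count in by_script.most_common():
        host, path = split_script(script)
        print(f"  {count:4d}  {host}  {path}")
    print("Messages per remote address:")
    for addr, count in by_addr.most_common():
        print(f"  {count:4d}  {addr}")
```

The remote address is always the last comma-separated element, so the parser works whether or not the request came through a proxy that set X-Forwarded-For. Feed it header lines from your queued or archived messages and the script with the highest count is the first place to look.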
Martynas, do you know what to add to the logging? Or should I take the time to figure it out?

Or anyone else, of course :) ...

Jeff
 