Spam, HELP!

M

mikenz

Verified User
Joined
Oct 1, 2005
Messages
5
Location
Auckland, New Zealand
Hi,
Over the last few days, I have been getting spamcop reports of my mailserver IP being the source of outgoing spam (mostly to *@aol.com).

I have verified that this is indeed the case, and that it is being locally sent by user 'mail' (uid 12).

Tens of thousands of e-mails have been sent out and now my IP is blacklisted at spamcop.net.

I am having terrible difficulty locating the cause and plugging the hole. I am quite certain that the problem has come from some kind of exploitable php script on a clients website, but cannot confirm this.

I can see in /var/log/exim/mainlog all the outgoing e-mail (appearing to be from [email protected]).

I have even replaced the /usr/sbin/sendmail and /usr/sbin/exim files with sh scripts which check if the executing uid is 12 (mail), and only if not, forward to the correct binary. This has had no effect.

I write this in hope that someone can help, i've ran out of ideas...

-Mike
 
There's a post somewhere on these forums, of a change you can make to exim so it'll let you know which specific script is sending email.

I think.

Jeff
 
now THAT is cool :) .. for my CentOS system, I had to change the perl path, otherwise it just silently fails.

also, note that the web page is stripping out his back-slashes for the new lines. it should look something like this:
Code: 
#!/usr/bin/perl

# use strict;
 use Env;
 my $date = `date`;
 chomp $date;
 open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
 my $uid = $>;
 my @info = getpwuid($uid);
 if($REMOTE_ADDR) {
         print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
 }
 else {

        print INFO "$date - $PWD - @info \n";

 }
 my $mailprog = '/usr/sbin/sendmail.hidden';
 foreach  (@ARGV) {
         $arg="$arg" . " $_";
 }

 open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!n";
 while (<STDIN> ) {
         print MAIL;
 }
 close (INFO);
 close (MAIL);

You could use this command to check the usage for a peticular day
Code: 
awk -F" - " '/Nov 29/ { print $2 $3 }' /var/log/spam_log | sort | uniq -c | sort -r
 
Just another note, the script above will also break the ticket system. DirectAdmin support told me that the system is waiting for a proper response and for some reason the script does not give back what DirectAdmin wants so eventually it times out.

I would like to figure out a way to fix it. I tried a few things but I ran out of time. If anybody has any suggestions it would be greatly appreciated.
 
Edit your php.ini to solve the timeout issue when you are using exim as the mta.

in you php.ini - (mine was in /usr/local/lib/)
specify the parameters for sendmail like so :

sendmail_path= /usr/sbin/sendmail -t

(exim doesn't like the -i bit)

also modify the script above to call exim directly.

M
 
You must log in or register to reply here.
Back
Top