[ale] tracking down a spammer on our box

Yu, Jerry Jerry.Yu at Voicecom.com
Fri Apr 1 08:17:40 EST 2005


1) If it is done through PHP/Apache, wouldn't the sender be guessed as user
'apache' or 'nobody' (the owner of the apache process) on the web server,
instead of 'anonymous'?
2) I'd double check the 'open relay' thing, by sending such spam email
manually, by directly talking to the SMTP server in question, from
outside and from inside your network, if possible.

# -----Original Message-----
# From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On 
# Behalf Of James P. Kinney III
# Sent: Thursday, March 31, 2005 11:51 PM
# To: Atlanta Linux Enthusiasts
# Subject: Re: [ale] tracking down a spammer on our box
# 
# Uugh! I am not a PHP person but I suspect that the logging 
# can be turned up in apache to help with more data on linking 
# a web process to an email generation.
# 
# You should be able to set qmail to not allow a user named 
# "anonymous" to send mail.
# 
# On Thu, 2005-03-31 at 23:39 -0500, Ryan Williams wrote:
# > We are running RedHat ES and have someone using our server to send a
# > small but steady stream of spam... between 4 and 5 messages per
# > minute, so they are smart enough to keep the activity fairly low
# > profile. We've already confirmed with ORDB that we are not an open
# > relay. The messages are showing up in ps -aux as:
# > 
# > qmailr 19774 0.0 0.0 3436 972 ? S 14:44 0:00 qmail-remote 
# > remotedomain.com anonymous at server1.ourserver.com 
# > randomuser at remotedomain.com
# > 
# > and our maillogs show messages being delivered which are certainly spam:
# > 
# > Mar 31 15:07:02 server1 qmail: 1112299622.785136 starting delivery
# > 193807: msg 9536773 to remote randomuser at remotedomain.com
# > 
# > Since the messages are being sent by "anonymous", we are pretty sure
# > this is a vulnerable PHP script somewhere on the server that is being
# > used, but we are having the hardest time tracking down which one(s) is
# > the culprit. Is there any way to track down which domain or script was
# > used to send these messages?
# > 
# > Thanks!
# > 
# > Ryan
# > _______________________________________________
# > Ale mailing list
# > Ale at ale.org
# > http://www.ale.org/mailman/listinfo/ale
# -- 
# James P. Kinney III          \Changing the mobile computing world/
# CEO & Director of Engineering \          one Linux user         /
# Local Net Solutions,LLC        \           at a time.          /
# 770-493-8244                    \.___________________________./
# http://www.localnetsolutions.com
# 
# GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) 
# <jkinney at localnetsolutions.com> Fingerprint = 3C9E 6366 54FC 
# A3FE BA4D 0659 6190 ADC3 829C 6CA7
# 
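
The thread's open question is how to link the qmail deliveries back to the PHP script that triggered them. One standard way to get that data, added here as an example and not code from anyone on the list: a wrapper installed as PHP's sendmail_path that records the working directory, invoking user, and (when the SAPI exports them) the script name and client address for every mail() call, then passes the message to the real sendmail. The sendmail and log paths, and the addresses in the test, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper installed as PHP's
# sendmail_path so every mail() call is logged with the directory and, when
# the SAPI exports them, the script name and client address that triggered it.
#   php.ini:  sendmail_path = /usr/local/bin/mailtrace.sh -t -i
# REAL_SENDMAIL and TRACE_LOG are assumed paths; for qmail use
# /var/qmail/bin/sendmail, for sendmail/postfix /usr/sbin/sendmail.
REAL_SENDMAIL=${REAL_SENDMAIL:-/var/qmail/bin/sendmail}
TRACE_LOG=${TRACE_LOG:-/var/log/mailtrace.log}

# One log line: timestamp, pid, invoking user, working directory, script and
# client (if known), and the sendmail arguments PHP passed. mod_php chdir()s
# into the script's directory before running it, so cwd alone usually points
# at the directory holding the culprit even when the other fields are absent.
format_trace_line() {
    dir=$1; who=$2; shift 2
    printf '%s pid=%s user=%s cwd=%s script=%s client=%s args=%s\n' \
        "$(date '+%b %d %H:%M:%S')" "$$" "$who" "$dir" \
        "${SCRIPT_FILENAME:-unknown}" "${REMOTE_ADDR:-unknown}" "$*"
}

# Pull one header (case-insensitive, first occurrence) out of the message on
# stdin; the header block ends at the first empty line, so a "From:" in the
# body is not mistaken for the real header.
header_value() {
    sed -n '1,/^$/p' | grep -i "^$1:" | head -n 1 | cut -d: -f2- \
        | sed 's/^[[:space:]]*//'
}

# Spool the message, append the trace, then hand it to the real sendmail.
wrapper_main() {
    tmp=$(mktemp) || exit 75          # EX_TEMPFAIL: PHP's mail() sees failure
    cat > "$tmp"
    {
        format_trace_line "$PWD" "$(id -un)" "$@"
        printf '    from=%s to=%s\n' \
            "$(header_value From < "$tmp")" "$(header_value To < "$tmp")"
    } >> "$TRACE_LOG"
    "$REAL_SENDMAIL" "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
}

# Act as the wrapper only when called with sendmail flags (PHP always passes
# at least -t); invoked with no arguments the file just defines the functions.
case ${1:-} in -*) wrapper_main "$@" ;; esac
```

Once a few spam messages have gone through, the cwd and script fields in the trace log name the directory (and usually the file) to inspect, and the from/to line ties each entry to the qmail delivery log.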