[nSLUG] apache used to generate spam

D G Teed donald.teed at gmail.com
Thu Apr 16 12:27:41 ADT 2009


On Thu, Apr 16, 2009 at 11:03 AM, George N. White III <gnwiii at gmail.com> wrote:

> Don't forget to keep detailed records of anything that might
> attract attention from law enforcement.  If the police come
> knocking you want to have very good answers so they aren't
> tempted to lock up your machines as "evidence".
>

I've never seen the threat of that.  One time the RCMP asked
about a compromised Windows PC (which reached their top 100),
but they seemed more interested in just stopping it from
spreading more problems.

Anytime I have something interesting, I do at least tar it up
in case someone from law enforcement is interested.

> Do you have mechanisms (revision control) to track changes
> to the individual sites?   Search for files that were
> changed around the time the spam started.


No, most sites are updated over plain samba shares.
A CMS is in the works.  Starting pilot soon.

> One of the arguments in favor of virtual machines is that
> you can put author on a separate VM, so you narrow down
> the search.   When each author knows they can be made
> "responsible" for screwups on their site they tend to be
> more diligent.


Boy, it would be nice to have some machines newer than
6 years old for stuff like this.

> Do you run clamav or the like?


On outbound we scan only with clamav, not full spam
assassin treatment.

> Brute force searches for particular strings used in the spam
> might be useful.
>

That might not work if the text is coming from the form, but
if it is hard coded in the script - a real possibility given how
web mail style spam uses the signature - then this could be useful.

Thanks for the response.

--Donald
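The two checks suggested in the thread (files changed around the time the spam started, and a search for a string that appears in the spam) can be combined into one triage pass. This is an added example, not code from either poster; it assumes GNU find and coreutils (`-newermt`, `touch -d`), and the web root, timestamps and spam string it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: triage a web root for files modified inside a time window
# and, among those, files containing a string seen in the outgoing spam.
set -e

# List regular files under $1 whose mtime is >= $2 and < $3.
# Timestamps use any format GNU find's -newermt accepts, e.g. "2009-04-15 03:00".
changed_in_window() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" | sort
}

# Narrow the window's files to those containing the fixed string $4
# (a hard-coded subject or signature line lifted from a captured spam message).
suspicious_files() {
    changed_in_window "$1" "$2" "$3" | xargs -r grep -l -F -- "$4" | sort
}

# Constructed sample web root: two sites, one contact form touched during
# the spam window and carrying the constructed spam signature.
build_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/site1" "$root/site2"
    printf '<?php echo "hello"; ?>\n' > "$root/site1/index.php"
    printf '<?php mail("webmaster@example.invalid", "Contact", $_POST["msg"]); ?>\n' \
        > "$root/site2/legit.php"
    printf '<?php mail($_POST["to"], "CONSTRUCTED_SPAM_SIGNATURE", $_POST["msg"]); ?>\n' \
        > "$root/site2/contact.php"
    # Fake mtimes: only contact.php falls inside the constructed spam window.
    touch -d "2009-04-10 09:00" "$root/site1/index.php" "$root/site2/legit.php"
    touch -d "2009-04-15 03:30" "$root/site2/contact.php"
    echo "$root"
}
```

Note that `legit.php` also calls `mail()`, so a string search alone would flag it; intersecting with the modification window is what narrows the result to the one changed file.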