[nSLUG] apache used to generate spam

George N. White III gnwiii at gmail.com
Thu Apr 16 13:29:44 ADT 2009


On Thu, Apr 16, 2009 at 12:27 PM, D G Teed <donald.teed at gmail.com> wrote:

> On Thu, Apr 16, 2009 at 11:03 AM, George N. White III <gnwiii at gmail.com>
> wrote:
>>
>> Don't forget to keep detailed records of anything that might
>> attract attention from law enforcement.  If the police come
>> knocking you want to have very good answers so they aren't
>> tempted to lock up your machines as "evidence".
>
> I've never seen the threat of that.  One time the RCMP asked
> about a compromised Windows PC (which reached their top 100),
> but they seemed more interested in just stopping it from
> spreading more problems.

If the spammer is distributing p0rn the RCMP might take a
different attitude than for advertisements for elixirs that
make body parts larger or prevent the pants from bagging
at the knees.

> Anytime I have something interesting, I do at least tar it up
> in case someone from law enforcement is interested.
>
>> Do you have mechanisms (revision control) to track changes
>> to the individual sites?   Search for files that were
>> changed around the time the spam started.
>
> No, most sites are updated over plain samba shares.
> A CMS is in the works.  Starting pilot soon.
>
>> One of the arguments in favor of virtual machines is that
>> you can put each author on a separate VM, so you narrow down
>> the search.   When each author knows they can be made
>> "responsible" for screwups on their site they tend to be
>> more diligent.
>
> Boy, it would be nice to have some machines newer than
> 6 years old for stuff like this.

Yes -- people say "that old machine handles the workload just fine",
but the reality today is that human time is the limiting resource so
you have to ask how long it takes to do a reinstall or update that
ties up an administrator.

>> Do you run clamav or the like?
>
> On outbound we scan only with clamav, not full spam
> assassin treatment.
>
>> Brute force searches for particular strings used in the spam
>> might be useful.
>
> That might not work if the text is coming from the form, but
> if it is hard coded in the script - a real possibility given how
> web mail style spam uses the signature - then this could be useful.
>
> Thanks for the response.

Well, it is a break from trying to understand why isnan() fails to
detect NaN's in hdf5 files created on foreign platforms.

-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
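As an added example, not part of the thread and not commands that either poster ran, the two triage checks suggested above (find files changed around the time the spam started, and search the web root for a string taken from the spam) written as shell functions. It assumes GNU find and touch (for -newermt and touch -d); the sample web root, file names, dates and the "elixir" string are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example: post-incident triage of a web root.
# Assumes GNU coreutils/findutils (touch -d, find -newermt).

# Build a constructed sample web root in a temp dir so the script runs offline.
# Two "clean" files dated early April, one script modified in the small hours
# of the 15th that hard-codes an ad string, mirroring the thread's scenario.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/site1" "$root/site2"
  printf '<?php echo "hello"; ?>\n' > "$root/site1/index.php"
  printf '<?php $subject = "Great elixir offer"; ?>\n' > "$root/site2/contact.php"
  printf 'static page\n' > "$root/site2/about.html"
  touch -d '2009-04-01 10:00:00' "$root/site1/index.php" "$root/site2/about.html"
  touch -d '2009-04-15 03:12:00' "$root/site2/contact.php"
  echo "$root"
}

# Files under $1 whose modification time lies in the window [$2, $3].
# Narrowing by mtime first is cheap and does not depend on knowing the spam text.
changed_between() {
  find "$1" -type f -newermt "$2" ! -newermt "$3" | sort
}

# Files under $1 containing the literal string $2 (fixed-string match, no regex,
# so punctuation in the spam text cannot be misread as a pattern).
files_containing() {
  grep -rlF -- "$2" "$1" | sort
}

# Intersection of the two checks: changed in the window AND carrying the string.
# Note the mtime check alone misses scripts whose text comes in via a web form;
# the string check alone misses scripts modified before the spam string was chosen.
suspects() {
  changed_between "$1" "$2" "$3" | while IFS= read -r f; do
    if grep -qF -- "$4" "$f"; then
      echo "$f"
    fi
  done
}

# Usage (constructed data): list what an administrator would look at first.
demo_root=$(make_sample_root)
echo "Changed 14-16 April:"
changed_between "$demo_root" '2009-04-14 00:00:00' '2009-04-16 00:00:00'
echo "Containing the spam string:"
files_containing "$demo_root" 'elixir'
echo "Both:"
suspects "$demo_root" '2009-04-14 00:00:00' '2009-04-16 00:00:00' 'elixir'
rm -rf "$demo_root"
```

On a real server the window comes from the mail log timestamps of the first spam, and the string from a spam sample; run the checks against every virtual host's document root, and remember that mtimes can be reset, so a file that passes the date filter but not the string filter is still worth a look.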
