[nSLUG] apache used to generate spam

Rich budman85 at eastlink.ca
Thu Apr 16 14:58:16 ADT 2009



D G Teed wrote:
> The spammer is unable to do anything while our postfix is down.
> At the end of the work day, he sent four test messages to himself
> to see if it was ready to roll again, so he seems to be aware of
> our business hours and doesn't want to try running it while
> we might be at work.  As postfix was down, they appeared in
> the maildrop queue but they were going nowhere.
>
> Does anyone have some hints that would aid in tracing
> what application is sending the mail?  Possible conf
> and logging settings for php/apache?
>
Only when postfix is running...

Have you tried taking snapshots of the processes?

Check home dirs to see if there are any postfix configs or .forward files.
Trying to find the text may be hard, especially if it's compiled into bin
format.

Any unusual listeners under netstat?
Any cron jobs under user IDs?

If you know it occurs after hours,
maybe set up postfix to die at a certain time for maybe an hour.
Watch ps and netstat to see if anything pops up when the service goes
online.

Set up a loop to capture the ps list and save it using a timestamp.
Compress it too, in case you might see a space issue.
Does it occur during certain hours or all night long?

Look for any at jobs as well.
Sounds like it might be a job that keeps calling itself.


The 4 emails that you noticed, do they contain a payload of any kind?
Check the full header of the email, there may be something embedded in 
the headings.
Postfix may see this as a broken X Mail path, but the script may think 
otherwise.
Were these mails routed to any trash or garbage collection?

Rich
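The snapshot loop Rich describes, written out as an added example (this is not code from the original thread). It captures the process list and the listening sockets into one timestamped, gzip-compressed file per run, then diffs each snapshot against the previous one so that a process or listener that only appears after hours stands out. The snapshot directory, the interval, the use of `ss` with a `netstat` fallback, and the procps-style `ps -eo pid,ppid,user,lstart,args` column layout are all assumptions; process IDs and start times are dropped before comparing so that routine restarts do not show up as "new".

```shell
#!/bin/sh
# Added example, not from the original post. Periodic ps/listener snapshots
# with timestamps, gzip-compressed, plus a diff of consecutive snapshots.
export LC_ALL=C                                # stable sort/comm ordering

SNAP_DIR="${SNAP_DIR:-/var/tmp/snapshots}"     # assumed location
INTERVAL="${INTERVAL:-60}"                     # assumed seconds between runs

# Write one gzipped snapshot (ps list + listening sockets) and print its path.
take_snapshot() {
    dir="$1"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dir/snap-$stamp.txt"
    mkdir -p "$dir"
    {
        echo "### ps"
        ps -eo pid,ppid,user,lstart,args        # assumes procps-style ps
        echo "### listeners"
        if command -v ss >/dev/null 2>&1; then
            ss -ltnp
        elif command -v netstat >/dev/null 2>&1; then
            netstat -ltnp
        fi
    } > "$out" 2>/dev/null
    gzip -f "$out"
    echo "$out.gz"
}

# Reduce a snapshot to comparable lines: "proc <user> <args>" for processes
# (pid, ppid and start time dropped) and "listen <line>" for sockets with
# pid numbers masked, sorted and de-duplicated.
normalize() {
    gzip -dc "$1" | awk '
        /^### ps$/        { section = "ps"; getline; next }   # skip ps header
        /^### listeners$/ { section = "listen"; next }
        section == "ps" {
            # fields: pid ppid user lstart(5 words) args...
            line = "proc " $3
            for (i = 9; i <= NF; i++) line = line " " $i
            print line
            next
        }
        section == "listen" { gsub(/pid=[0-9]+/, "pid=N"); print "listen " $0 }
    ' | sort -u
}

# Print normalized lines present in the new snapshot but not in the old one.
new_entries() {
    old=$(mktemp); new=$(mktemp)
    normalize "$1" > "$old"
    normalize "$2" > "$new"
    comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# Snapshot forever, reporting anything that appeared since the last run.
watch_loop() {
    prev=""
    while :; do
        cur=$(take_snapshot "$SNAP_DIR")
        if [ -n "$prev" ]; then
            added=$(new_entries "$prev" "$cur")
            [ -n "$added" ] && printf '%s: new since %s\n%s\n' "$cur" "$prev" "$added"
        fi
        prev="$cur"
        sleep "$INTERVAL"
    done
}

# Only start the loop when explicitly asked, e.g. ./snap.sh run
case "${1:-}" in run) watch_loop ;; esac
```

Run it from a root shell (or under cron) around the window when postfix is brought back up; the retained `.gz` files give you the full `ps` and socket output for any line the diff flags, including the parent PID, which is what ties a mailer process back to apache or to a cron or at job.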