[nSLUG] apache used to generate spam

Rich budman85 at eastlink.ca
Thu Apr 16 15:03:20 ADT 2009



Rich wrote:
> D G Teed wrote:
>   
>> The spammer is unable to do anything while our postfix is down.
>> At the end of the work day, he sent four test messages to himself
>> to see if it was ready to roll again, so he seems to be aware of
>> our business hours and doesn't want to try running it while
>> we might be at work.  As postfix was down, they appeared in
>> the maildrop queue but they were going nowhere.
>>
>> Does anyone have some hints that would aid in tracing
>> what application is sending the mail?  Possible conf
>> and logging settings for php/apache?
>>
>>     
> Only when postfix is running...
>
> Have you tried taking snapshots of the processes?
>
> Check home dirs to see if there are any postfix configs or .forward files.
> Trying to find the text may be hard, especially if it's compiled into bin 
> format.
>
> Any unusual listeners under netstat?
> Any cronjobs under user ids?
>
> If you know it occurs after hours,
> maybe set up postfix to die at a certain time for maybe an hour.
> Watch ps and netstat to see if anything pops up when the service goes 
> online.
>
> Set up a loop to capture the ps list and save it using a timestamp.
> Compress it too if you might see a space issue.
> Does it occur during certain hours or all night long?
>
> Look for any at jobs as well.
> Sounds like it might be a job that keeps calling itself.
>
>
> The 4 emails that you noticed, do they contain a payload of any kind?
> Check the full header of the email, there may be something embedded in 
> the headings.
> Postfix may see this as a broken X Mail path, but the script may think 
> otherwise.
> Were these mails routed to any trash or garbage collection?
>
>
>   

Check for any html pages that may be using HTTP-REFRESH meta tags.
It may be using that as the poller.




Rich
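The two checks suggested in this thread (a timestamped ps/netstat snapshot loop whose consecutive snapshots are diffed and compressed, and a search of the web root for pages carrying an HTTP-EQUIV refresh meta tag) as one POSIX sh script. This is an added example and not code from the original thread or the list; SNAPDIR, INTERVAL and the web-root argument are assumptions, and the data in the demo function is constructed:

```shell
#!/bin/sh
# Added example; not code from the nSLUG thread. It implements the checks
# discussed above: (1) a timestamped ps/netstat snapshot loop whose
# consecutive snapshots are diffed and gzipped, and (2) a search of a web
# root for pages with an http-equiv refresh tag that could act as a poller.
# SNAPDIR, INTERVAL and the web root argument are assumptions.

SNAPDIR=${SNAPDIR:-/var/tmp/spamhunt}
INTERVAL=${INTERVAL:-30}

# Normalise a "ps -eo pid,user,args" listing for comparison: drop the
# header line and the PID column (PIDs churn), keep "user command...".
normalise_ps() {
    awk 'NR > 1 { $1 = ""; sub(/^ +/, ""); print }' "$1" | sort -u
}

# Print the user+command lines present in listing $2 but absent from $1.
new_entries() {
    ne_old=$(mktemp); ne_new=$(mktemp)
    normalise_ps "$1" > "$ne_old"
    normalise_ps "$2" > "$ne_new"
    comm -13 "$ne_old" "$ne_new"
    rm -f "$ne_old" "$ne_new"
}

# Save one ps and one socket listing named by timestamp; print the timestamp.
snapshot() {
    mkdir -p "$SNAPDIR"
    ts=$(date +%Y%m%d-%H%M%S)
    ps -eo pid,user,args > "$SNAPDIR/ps-$ts.txt"
    { netstat -tunap 2>/dev/null || ss -tunap; } > "$SNAPDIR/net-$ts.txt" 2>/dev/null
    echo "$ts"
}

# Loop forever: diff each snapshot against the previous one, report new
# processes with the time they appeared, then gzip the older snapshot
# so a night's worth of captures does not fill the disk.
watch_loop() {
    prev=""
    while :; do
        cur=$(snapshot)
        if [ -n "$prev" ]; then
            new_entries "$SNAPDIR/ps-$prev.txt" "$SNAPDIR/ps-$cur.txt" | sed "s/^/$cur NEW /"
            gzip -f "$SNAPDIR/ps-$prev.txt" "$SNAPDIR/net-$prev.txt"
        fi
        prev=$cur
        sleep "$INTERVAL"
    done
}

# List HTML/PHP files under $1 whose markup contains an http-equiv refresh tag.
find_refresh_pages() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) \
        -exec grep -liE 'http-equiv=.?refresh' {} + 2>/dev/null || true
}

# Offline demo on constructed data (not real listings or pages).
demo() {
    d_old=$(mktemp); d_new=$(mktemp); d_root=$(mktemp -d)
    printf 'PID USER COMMAND\n  1 root /sbin/init\n812 www-data /usr/sbin/apache2 -k start\n' > "$d_old"
    printf 'PID USER COMMAND\n  1 root /sbin/init\n900 www-data /usr/sbin/apache2 -k start\n955 www-data /usr/bin/php /var/www/poll.php\n' > "$d_new"
    printf '<html><head><meta http-equiv="refresh" content="300"></head></html>\n' > "$d_root/index.html"
    printf '<html><body>static</body></html>\n' > "$d_root/about.html"
    echo "new processes:"; new_entries "$d_old" "$d_new"
    echo "refresh pages:"; find_refresh_pages "$d_root"
    rm -rf "$d_old" "$d_new" "$d_root"
}

case "${1:-}" in
    watch) watch_loop ;;
    demo)  demo ;;
esac
```

Run it as `sh spamhunt.sh watch` from a screen or nohup session before the hour postfix is allowed back up; the "NEW" lines name the user and command line of anything that appears between snapshots, which is usually enough to locate the PHP file or cron entry behind it. `sh spamhunt.sh demo` exercises both checks on the constructed data.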

