[nSLUG] apache used to generate spam

Hatem Nassrat hnassrat at gmail.com
Thu Apr 16 23:58:13 ADT 2009


Hi Donald,

On Thu, Apr 16, 2009 at 6:31 AM, D G Teed <donald.teed at gmail.com> wrote:
> This topic is a common one out there.  However I'm having
> some difficulty narrowing down the source of our problem.
> We have an apache server with about 100 subdomains on it,
> which has sent out spam via the local postfix.  Part of the
> problem is with the chaos of many web authors doing their
> own thing.  So in that regard it would compare with a hosting
> ISP scenario.


If it were me, I would replace /usr/bin/sendmail with a shell script
or a little C program that took a snapshot of the running processes, and
possibly a netstat for every email that is sent out, to start. (If I
remember correctly the mail would be sent via sendmail.) I would also
pipe the input along with the cmd line options to the real sendmail
(/usr/bin/sendmail.bak), so that the server is not disrupted. This
will at least give a little more info to work with.

I am not sure about the code, but I am pretty sure you would be able
to find the culprit with that little C program. Since the PHP app will
be talking to sendmail using a pipe, this pipe should have a file
descriptor, which you can pass to `lsof` to find the owner process.
There may be an easier way to find the calling process; it needs some
research.

I am not sure if the above will be fruitful, or if it's fully correct,
but I do know who can catch me out on any mistakes in what I
mentioned. The only person I know who would be able to efficiently
find your culprit is Ian Campbell. Ian, your insight would be quite
appreciated.

-- 
Hatem Nassrat
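A sketch of the wrapper described above, as an added example that is not part of the original post or of the nSLUG thread. It assumes the real binary has been moved to /usr/bin/sendmail.bak (the name used in the post) and a log directory /var/log/sendmail-wrap; both paths are assumptions. Besides the per-call ps and netstat snapshot the post proposes, it walks the calling process's ancestry and records each ancestor's cwd: PHP's mail() runs the configured sendmail_path through /bin/sh, so the wrapper's parent is sh and the httpd/php worker sits one level above it, and the cwd they inherit is normally the directory of the script that called mail(), which is what narrows the source to one of the hundred subdomains. Arguments and stdin are forwarded unchanged and the real sendmail's exit status is returned, so callers see no difference.

```shell
#!/bin/sh
# Added example (not from the post): a logging wrapper installed in place of
# /usr/bin/sendmail.  Every call records who invoked it, takes the ps/netstat
# snapshot the post suggests, keeps a copy of the message, and then hands the
# unchanged arguments and stdin to the real binary.
#
# Install (paths are assumptions):
#   mv /usr/bin/sendmail /usr/bin/sendmail.bak
#   install -m 755 sendmail-wrap.sh /usr/bin/sendmail
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/bin/sendmail.bak}"   # real MTA client, moved aside
WRAP_DIR="${WRAP_DIR:-/var/log/sendmail-wrap}"             # must be writable by the web uid

# cmdline_of PID: argv of a process (NUL-separated under /proc), falling back to ps.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null || true
    fi
}

# ppid_of PID: parent pid from /proc/PID/stat (the field after ')' and the state), else ps.
ppid_of() {
    if [ -r "/proc/$1/stat" ]; then
        sed 's/^.*) //' "/proc/$1/stat" | awk '{print $2}'
    else
        ps -o ppid= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# ancestry PID [DEPTH]: pid, cwd and argv for PID and up to DEPTH ancestors.
# PHP's mail() runs sendmail_path through /bin/sh, so the wrapper's parent is sh and
# the httpd/php worker is one level up; the cwd they inherit is normally the
# directory of the script that called mail(), which is what names the vhost.
ancestry() {
    pid=$1; depth=${2:-4}
    while [ -n "$pid" ] && [ "$pid" -gt 1 ] && [ "$depth" -gt 0 ]; do
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
        printf '  pid=%s cwd=%s cmd=%s\n' "$pid" "$cwd" "$(cmdline_of "$pid")"
        pid=$(ppid_of "$pid"); depth=$((depth - 1))
    done
}

# sendmail_wrapper ARGS...: log the call, keep a copy of the message, forward to the
# real sendmail, and return its exit status so the caller sees no difference.
sendmail_wrapper() {
    mkdir -p "$WRAP_DIR"
    msg=$(mktemp "$WRAP_DIR/msg.XXXXXX")
    {
        printf '=== %s uid=%s wrapper-pid=%s args=[%s] msg=%s\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "$$" "$*" "$msg"
        ancestry "$$"
        echo '--- ps'; ps -eo pid,ppid,user,args 2>/dev/null || true
        echo '--- netstat'; netstat -tn 2>/dev/null || ss -tn 2>/dev/null || true
        echo '=== end'
    } >> "$WRAP_DIR/calls.log"
    # tee stores the message; the real sendmail receives exactly what the caller wrote.
    tee "$msg" | "$REAL_SENDMAIL" "$@"
}

# When installed as /usr/bin/sendmail, act as the wrapper; when sourced, only define functions.
case "${0##*/}" in
    sendmail) sendmail_wrapper "$@"; exit $? ;;
esac
```

Before replacing anything, check which binary PHP actually invokes (the sendmail_path directive in `php -i` output); on some systems it is /usr/sbin/sendmail rather than /usr/bin/sendmail, and the wrapper must sit at that path. The log directory has to be writable by every uid that sends mail through the web server (www-data, or each account under suexec/suPHP), and the message copies can grow quickly on a host that is actively spamming, so rotate or prune them.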