[nSLUG] apache used to generate spam

Rich budman85 at eastlink.ca
Fri Apr 17 10:16:06 ADT 2009

D G Teed wrote:
> On Thu, Apr 16, 2009 at 11:58 PM, Hatem Nassrat <hnassrat at gmail.com> wrote:
>     If it was me, I would replace /usr/bin/sendmail with a shell script
>     or a little C program that took a snapshot of the running process, and
>     possibly a netstat for every email that is sent out, to start. (If I
>     remember correctly the mail would be sent via sendmail). I would also
>     pipe the input along with the cmd line options to the real sendmail
>     (/usr/bin/sendmail.bak), so that the server is not disrupted. This
>     will at least give a little more info to work with.
>     I am not sure about the code, but I am pretty sure you would be able
>     to find the culprit with that little C program. Since the php app will
>     be talking to sendmail using a pipe, this pipe should have a file
>     descriptor, which you can pass to `lsof` to find the owner process.
>     There may be an easier way to find the calling process, it needs some
>     research.
>     I am not sure if the above will be fruitful, or if it's fully correct,
>     but I do know who can catch me out on any mistakes in what I
>     mentioned. The only person I know who would be able to efficiently
>     find your culprit is Ian Campbell. Ian, your insight would be quite
>     appreciated.
> Hi,
> That is an excellent suggestion.  This together with postfix changes
> is probably how we will proceed.
> Thank you for this idea.

Do you have any mail modules/libraries installed for Perl, or Python?
Search for smtp, mime, or mail in any of the perl or python lib dirs.
  perl -V will show the module paths

Many of those do not use sendmail at all.  I can send mail using several
different Perl modules where sendmail is disabled on the system.  All
I need to know is the smtp server name.
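
The sendmail wrapper suggested in the quoted message, sketched as an added example that is not part of the original thread. It assumes Linux `/proc`, that the real binary was moved to `/usr/bin/sendmail.bak` as in the quote, and a log path (`LOG`) writable by the web server user; the function names are illustrative.

```shell
#!/bin/sh
# Added example: logging wrapper to install as /usr/bin/sendmail.
# Assumptions: Linux /proc, the LOG path, and the real binary moved to REAL.
REAL=${REAL:-/usr/bin/sendmail.bak}
LOG=${LOG:-/var/log/sendmail-callers.log}

# Print one line describing process $1 (uid, working directory, command line).
describe_process() {
    p=$1
    cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$p/cmdline") || cmd=
    cwd=$(readlink "/proc/$p/cwd" 2>/dev/null) || cwd=
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$p/status" 2>/dev/null) || uid=
    printf 'pid=%s uid=%s cwd=%s cmd=%s\n' "$p" "${uid:-?}" "${cwd:-?}" "${cmd:-?}"
}

# Walk from PID $1 towards init, printing each ancestor (at most 8 levels).
ancestry() {
    pid=$1
    depth=0
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ "$depth" -lt 8 ]; do
        describe_process "$pid"
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null) || pid=
        depth=$((depth + 1))
    done
}

# Append one record per message: timestamp, sendmail arguments, caller chain.
log_call() {
    {
        printf '=== %s args: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
        ancestry "$PPID"
    } >> "$LOG"
}

# Act as the wrapper only when invoked under the name "sendmail".
case "${0##*/}" in
    sendmail)
        log_call "$@" 2>/dev/null || true  # a logging failure must not block mail
        exec "$REAL" "$@"                  # stdin (the message) passes through
        ;;
esac
```

Mail sent by a Perl or Python module that speaks SMTP directly never invokes this binary, so it will not appear in this log.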

