criticman
Guest
Alright, somehow a new injection attempt was successful by a spammer...but no clue how!
At first it looked like through Perl...and it may have been. I checked /tmp, nothing of interest, but I cleared it anyway.
I used
Code:
qmHandle -Senviou
to delete the spam (950,000+) on Wednesday.
Well, things seemed to be going alright. I had killed the Perl process, did a readlink on it prior to killing it and it turned up nothing.
I had to rebuild the queue, finally got mail working, and all was good....
Then today I realized a cron report hadn't arrived, so I checked the queue and found 750,000+ messages. Same subject as the previous 950,000 ones.
So, I checked processes again. Nothing! I am deleting the spam again (with Qmail disabled).
So, let's look at this from two angles.
1) Let's assume it was an injection again. In case Perl was the culprit, I disabled it on all of my domains as I don't use it. Any other ways to lock it down?
2) Let's assume that it was not an injection and that someone managed to relay...how? I believe all settings are made to prevent this from happening. They were being sent as [email protected], but I do not even have the mail server enabled for mydomain.com as I am using GMail for Domains Beta for mydomain.com. How were they able to use this address to send it? Would that point to an injection and not a relay?
How can I set up a firewall to block IP ranges from countries my clients do not do business in? I know the Plesk firewall module cannot do this, so does anyone have a link to a tutorial on how to block country IP ranges using ipchains/iptables?
Also, I would like to try to see if the source of the messages is still on the server. Since the subject had "enviou", I am running
Code:
grep -r enviou /*
from the base / dir. Will that work or is there a faster command?
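As an added example (not from criticman's post), here is a shell function that does the same search for the spam subject marker but stays on one filesystem, prunes /proc, /sys and /dev, and skips binary files, which a bare `grep -r enviou /*` does not do and which is where that command usually stalls or drowns in noise. It assumes GNU find/grep and a GNU-compatible `xargs -r`; the sample directory tree at the bottom is constructed so it runs offline.

```shell
#!/bin/sh
# search_marker ROOT PATTERN
#   Prints the path of every regular text file under ROOT that contains
#   PATTERN, one per line. Stays on ROOT's filesystem (-xdev), prunes the
#   pseudo-filesystems that matter when ROOT is /, and lets grep -I skip
#   binaries so a stray NUL-filled file does not flood the output.
search_marker() {
    root="$1"
    pattern="$2"
    find "$root" -xdev \
        \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -type f -print0 2>/dev/null \
    | xargs -0 -r grep -lI -- "$pattern" 2>/dev/null
}

# count_matches ROOT PATTERN -> number of matching files (no trailing spaces)
count_matches() {
    search_marker "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical paths, not from the original post).
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/vhosts/example/httpdocs" "$demo_root/tmp"
# a text file carrying the marker: should be reported
printf 'Subject: voce enviou uma mensagem\n' \
    > "$demo_root/vhosts/example/httpdocs/suspect.txt"
# a clean text file: should not be reported
printf 'nothing of interest here\n' > "$demo_root/tmp/clean.txt"
# a binary file containing the marker: skipped because of grep -I
printf '\0\0enviou\0' > "$demo_root/tmp/blob.bin"

# Running the search on the sample tree lists only suspect.txt.
search_marker "$demo_root" enviou
echo "matches: $(count_matches "$demo_root" enviou)"
```

Run it against the real root as `search_marker / enviou`; on a busy web host, narrowing ROOT to the vhosts directory is usually faster than starting at /.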