Spam Originating from VPS

[nathacof@]

I've got a VPS that's been reported by as an open relay by SpamCop.

I've attempted to follow the KB article here, http://kb.swsoft.com/en/1711, to determine if this customer is being subjected to a PHP mail() injection.

The only problem is that the files empty. So does that mean no one is sending mail with PHP or that it's not working?

How else would these messages be getting in? Is there anyway to track which account these malicious users are authenticating as?

 

[dynamicnet]

Greetings Nathan:

If you use http://www.dnsstuff.com and your mail server domain name, does dnsreport.com show your mail server as an open relay?

You can also use the following web-based tools to double check if your email server is an open relay:

http://www.mob.net/~ted/tools/relaytester.php3

http://www.abuse.net/relay.html

Thank you.

 

[nathacof@]

While I understand that an open relay is the most likely cause of these problems, I've run those tests and they come back fine.

Does anyone know how to increase the verbosity of the mail logs? Is there anyway to see a complete SMTP log?

The Plesk maillog shows deliveries and all but aside from that there isn't much useful info in there.

 

[atomicturtle]

Ive got a rough procedure here:

http://www.atomicorp.com/wiki/index.php/Spam

You've got 3 possible sources:

1) open relay (poplocking can do this)
2) exploitable web application
3) compromised user account (smtp_auth)

 

[nathacof@]

I knew the UID was hiding in there somewhere. Sometimes I'm just slow.

Thanks!