spammer problems

[gizmo_24]

Hi,

I've got someone on my system doing massive spamming to aol ..
The qmail logs doesn't show any useful information .. it all looks like the following:

Feb 5 09:07:36 ws01 qmail: 1139126856.416743 status: local 0/25 remote 24/25
Feb 5 09:07:36 ws01 qmail: 1139126856.416795 starting delivery 12457: msg 11647100 to remote [email protected]

The spammer always uses admin@<mydomain> and anonymous@<mydomain> to send the spam:

qmail-remote aol.com admin@<mydomain> [email protected]

Does anyone know how to solve this???

 

[smarag]

Have also I the same problem.

 

[geeza@]

open one of the emails and look at the header of the email. Find the sender ip in angular brackets [x.x.x.x] and add it to the firewall to block it.

 

[smarag]

I do not see in certain ip all they say [email protected]

 

[geeza@]

You need to find one of the spam emails in the email queue. Try using qmail-read to see the messages in the queue and their numbers.

Then use find to find the location of the message usings its number.

Lastly less <message no> to see the full message + email header (with source ip)

 

[smarag]

it does not in only say ip the e-mails it has.

 

[jwdick]

Download qmqtool which will allow you to read the headers and the body of the emails. you can download it here:

Homepage:
http://jeremy.kister.net/code/qmqtool/
Tar/GZ:
http://jeremy.kister.net/code/qmqtool/qmqtool-current.tgz

 

[gizmo_24]

Thx for your help ..

What I ask myself is, how these guys are using my server to mail ..

My guess is that they use php scripts or similar, does anyone have an idea how to find these?

 

[jwdick]

I got this from another thread here, sorry, I didn't record the thread number, just the solution to tracking php script email:

Actually this is fairly easy to sort.

You will need to do it for all your domains (i beleive someone posted a script at one point)

But in vhost.conf add this:

<Directory /usr/local/psa/home/vhosts/DOMAIN/httpdocs>
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fXXXX"
</Directory>

Change the path if you are not on FreeBSD.

the XXXX is a unique code - use the domain if you wish thats up to you - but as most spamming is not your own customer i think its best to add this as some random code that means nothing to anyone but yourself

Once that has been done each mail sent by php will have a unique per domain code in the Return-Path: using a tool such as qmHandle to view the mailqueue you can see this return-path and consequently go straight to the hosting account and disable the relevant script

Hope this helps you.