[chuug] server relaying spam
Josh Malone
josh.malone at gmail.com
Thu Jun 7 15:29:58 EDT 2007
On 6/7/07, phoebe <phoebe at somecows.com> wrote:
> hello,
> i have recently discovered that my mail server is being used to relay
> massive amounts of spam. there are dozens and dozens of outgoing spam
> messages piled up in my mail queue. i need to get this problem fixed,
> obviously, but have no idea what to do or where to get help. does
> anyone have any advice on where a good place to start is, or how i
> might go about figuring out where the spam is originating from? ive
> been told its most likely coming from a hacked php form in one of the
> accounts on the server, but i have no idea if thats true or not or
> what other causes there might be besides vulnerable php forms. thanks
> for any advice.
> phoebe
> --
Well, the first thing to do is stop your sendmail process. Then, move
the existing mailq aside and make a new directory for mailq. This will
preserve the spam in your outgoing queue for detective work later.
Start by checking your sendmail configuration (if you have another
MTA, consult its manual) and make sure you don't have any RELAY lines
in your 'access' file/db or any relaying enabled in the sendmail.mc.
If it is a PHP application things are going to be a bit tricky. Start
grepping for 'mail' calls in your PHP files (find -name \*php\* |
xargs grep -i mail) and figure out the likely culprits. Check your
apache logs for lots of POSTs - correlate that with your sendmail
logs, too.
Good luck,
-Josh
--
Joshua Malone www.ubergeeks.com/~jmalone
Power Users Use The Power To Serve www.freebsd.org
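As an added example (not part of Josh's message or the list archive), the POSIX shell helpers below script the triage steps his reply lists: set the queue aside, count RELAY entries in the access file, find PHP files that call mail(), summarise POSTs in the Apache log, and line those POSTs up minute by minute against the messages sendmail accepted. The paths (/var/spool/mqueue, /etc/rc.d/sendmail), the log formats assumed (Apache combined log, sendmail syslog lines) and every line of sample data are assumptions constructed for the demo, not anything from phoebe's server.

```shell
#!/bin/sh
# Added example, not from the original message. Helpers for the triage Josh
# describes. Paths, log formats and the sample data below are assumptions.

# Step 1: stop the MTA and move the queue aside so the spam survives for
# analysis. Not run by the self-test; rc script and queue path are assumptions.
quarantine_queue() {
    queue="${1:-/var/spool/mqueue}"
    stamp=$(date +%Y%m%d%H%M%S)
    "${SENDMAIL_RC:-/etc/rc.d/sendmail}" stop
    mv "$queue" "$queue.spam-$stamp" && mkdir -m 700 "$queue"
    echo "queue preserved in $queue.spam-$stamp"
}

# Step 2: count uncommented access-file entries whose right-hand side is RELAY.
# Review each one: a 127.0.0.1 entry is normal, a bare domain usually is not.
count_relay_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -ci '[[:space:]]RELAY[[:space:]]*$' || true
}

# Step 3: list PHP-ish files (*.php, *.php.bak, ...) that call mail() or @mail().
find_mail_calls() {
    find "$1" -type f -name '*.php*' \
        -exec grep -ilE '(^|[^A-Za-z0-9_])@?mail[[:space:]]*\(' {} +
}

# Step 4a: POST targets in a combined-format access log, busiest first.
post_targets() {
    awk '$6 == "\"POST" { n[$7]++ } END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# Step 4b: per minute and path, how many POSTs arrived and how many messages /
# recipients sendmail accepted (from= lines) in that same minute. Output:
# "<Mon> <day> <HH:MM> <path> <posts> <messages> <recipients>", worst first.
correlate_posts_with_mail() {
    awk '
        FNR == NR {
            # sendmail: "Jun  7 14:03:10 host sendmail[pid]: qid: from=..., nrcpts=N, ..."
            if ($0 ~ /sendmail\[[0-9]+\]: [A-Za-z0-9]+: from=/) {
                key = $1 " " sprintf("%2d", $2) " " substr($3, 1, 5)
                msgs[key]++
                if (match($0, /nrcpts=[0-9]+/))
                    rcpts[key] += substr($0, RSTART + 7, RLENGTH - 7)
            }
            next
        }
        $6 == "\"POST" {
            # apache: [07/Jun/2007:14:03:10 -0400] -> t[1]=07 t[2]=Jun t[4]=14 t[5]=03
            split(substr($4, 2), t, "[/:]")
            key = t[2] " " sprintf("%2d", t[1]) " " t[4] ":" t[5]
            posts[key " " $7]++
        }
        END {
            for (k in posts) {
                minute = substr(k, 1, 12); path = substr(k, 14)
                print minute, path, posts[k], msgs[minute] + 0, rcpts[minute] + 0
            }
        }' "$2" "$1" | sort -k7,7nr
}

# Constructed sample data (not real logs) so the helpers can be exercised offline.
make_sample_data() {
    d="$1"
    mkdir -p "$d/htdocs/inc"
    cat > "$d/access" <<'EOF'
# constructed sendmail access file
Connect:127.0.0.1        RELAY
Connect:192.168.1        RELAY
To:example.com           RELAY
spammer.example          REJECT
EOF
    cat > "$d/htdocs/contact.php" <<'EOF'
<?php
// constructed: unsanitised POST data in the headers is the classic header-injection vector
$headers = "From: " . $_POST['email'];
mail($_POST['to'], $_POST['subject'], $_POST['body'], $headers);
EOF
    printf '<?php @mail("a@example.com", "x", "y");\n' > "$d/htdocs/inc/lib.php.bak"
    printf '<?php echo "hello";\n' > "$d/htdocs/index.php"
    cat > "$d/access_log" <<'EOF'
10.0.0.5 - - [07/Jun/2007:14:03:10 -0400] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.0.0.5 - - [07/Jun/2007:14:03:11 -0400] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.0.0.5 - - [07/Jun/2007:14:03:12 -0400] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
192.0.2.7 - - [07/Jun/2007:14:05:40 -0400] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.8 - - [07/Jun/2007:14:09:01 -0400] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
    cat > "$d/maillog" <<'EOF'
Jun  7 14:03:10 mail sendmail[2311]: l57I3Aab002311: from=www, size=480, class=0, nrcpts=50, msgid=<1@mail.example>, relay=www@localhost
Jun  7 14:03:11 mail sendmail[2313]: l57I3Bab002313: from=www, size=480, class=0, nrcpts=50, msgid=<2@mail.example>, relay=www@localhost
Jun  7 14:03:12 mail sendmail[2315]: l57I3Cab002315: from=www, size=480, class=0, nrcpts=50, msgid=<3@mail.example>, relay=www@localhost
Jun  7 14:03:12 mail sendmail[2316]: l57I3Cab002315: to=<victim@example.net>, delay=00:00:00, mailer=esmtp, stat=queued
Jun  7 14:09:02 mail sendmail[2401]: l57I92ab002401: from=<alice@example.com>, size=900, class=0, nrcpts=1, msgid=<4@mail.example>, relay=localhost
EOF
}

# Stand-alone demo against the constructed data: sh triage.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_sample_data "$d"
    count_relay_entries "$d/access"; find_mail_calls "$d/htdocs"
    post_targets "$d/access_log"; correlate_posts_with_mail "$d/access_log" "$d/maillog"
    rm -rf "$d"
fi
```

Run it with `sh triage.sh demo` to see the output on the constructed data, or source it and point the functions at the real access file, DocumentRoot and logs. On the sample, the three POSTs to /contact.php at 14:03 line up with three queued messages carrying 150 recipients, which is the kind of signal to look for; correlating by minute is deliberately coarse, so once a script is suspected, confirm it from the queue files set aside in step 1, whose Received headers record how each message entered sendmail.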