Quote:
Originally Posted by DWHS.net
I have some spams sent from my server but the sender only says nobody. Anyone know how to track the email to the user who sent it?
It is not very easy to track and though you could add the items
acenetgeorge listed above, you are still limited as long as the
mail is being sent from script as the generic user "nobody".
You should already be running SuExec for Apache. If not, I would enable it!
This topic is also one of the biggest reasons to convert your PHP from
normal Apache module (DSO) to SuPHP as all PHP scripts will then be
executed by the account owner instead of the generic user nobody and
if anyone tries to send any spam, it will show up in a heartbeat which
account sent the mail and what script and is much easier to track!
Using SuPHP for your PHP also gives you many other important advantages
in terms of added security that go beyond just email tracking so it is
definitely something you should strongly consider.
Meanwhile, if you set sending limits in "Tweak Settings" and either use
the "SMTP Tweak" or much better install Chirpy's CSF Firewall and set up
the SMTP_BLOCK portion in that script, that will also help control spam
from being sent from your server as well.
Right now, without the expanded logging trails or having SuExec or SuPHP
running or a good security solution, the only thing you can really do to
track the current mail already sent is to take a close look at the domain
logs in /usr/local/apache/domlogs, the main apache logs in /usr/local/apache/logs,
your maillog in /var/log, and the files in your /tmp folder to determine which site
is getting calls to execute a mail script around the same time the mails are
being injected into the mail server. Bulk sending a lot of messages often
shows up as repeated web calls to some script on an account on your server.
Now once you make the changes both acenetgeorge and I have suggested,
it will be much easier to track where the spam is coming from and if you do
all that I said, will also be much more difficult for anyone to send spam in
the first place but if they do, will definitely get caught.
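
Added example, not part of the original post: a small Python sketch of the log correlation described above, ranking which site and script received web requests within a few seconds of mail being injected. The site names, log lines and mail timestamps are constructed; it assumes the domain logs use the standard Apache common/combined format and that the injection times have already been pulled from the mail log.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Leading fields of Apache common/combined log format:
# host ident user [time] "METHOD path proto" status ...
LINE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

def parse_hits(lines):
    """Yield (timestamp, script path without query string) per parsable line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            yield when, m.group(2).split("?")[0]

def rank_suspects(domlogs, mail_times, window=5):
    """Count requests per (site, script) within `window` seconds of a mail injection."""
    delta = timedelta(seconds=window)
    counts = Counter()
    for site, lines in domlogs.items():
        for when, path in parse_hits(lines):
            if any(abs(when - t) <= delta for t in mail_times):
                counts[(site, path)] += 1
    return counts.most_common()

# Constructed sample data (not from a real server): one entry per domain log.
DOMLOGS = {
    "shop.example": [
        '198.51.100.7 - - [12/Mar/2024:03:14:01 +0000] "POST /contact/form.php HTTP/1.1" 200 312',
        '198.51.100.7 - - [12/Mar/2024:03:14:02 +0000] "POST /contact/form.php?id=2 HTTP/1.1" 200 312',
        '198.51.100.7 - - [12/Mar/2024:03:14:03 +0000] "POST /contact/form.php HTTP/1.1" 200 312',
        '192.0.2.10 - - [12/Mar/2024:03:20:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    ],
    "blog.example": [
        '192.0.2.44 - - [12/Mar/2024:03:14:02 +0000] "GET /feed/ HTTP/1.1" 200 900',
    ],
}
# Constructed mail injection times, assumed already extracted from the mail log.
MAIL_TIMES = [datetime(2024, 3, 12, 3, 14, s, tzinfo=timezone.utc) for s in (1, 2, 3)]

if __name__ == "__main__":
    for (site, path), n in rank_suspects(DOMLOGS, MAIL_TIMES):
        print(f"{n:4d}  {site}  {path}")
```

A script that sits at the top of this ranking with many hits from one client is the first place to look; unrelated traffic that happens to land in the window shows up with low counts.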