  1. #1
    Member
    Join Date
    Jan 2004
    Posts
    6

    Someone sending spam through my server

    I was just notified by my ISP that someone is sending SPAM through my server. They said it might be the formmail exploit.

    I deleted the formmail.pl and formmail.cgi files from the server. The SPAM is still coming through.

    I really don't understand what could be happening. I did a search here and found some other threads about this subject but I couldn't find anything relevant.

    Thanks for the help.

  2. #2
    Member
    Join Date
    Feb 2004
    Posts
    469

    More detailed info would help, like extracts from your log files and spam email headers etc. As much detail as you can, so someone might know what your issues are and offer their friendly and free help.


  3. #3
    Member
    Join Date
    Jan 2004
    Posts
    6

    Quote Originally Posted by Izzee
    More detailed info would help, like extracts from your log files and spam email headers etc. As much detail as you can, so someone might know what your issues are and offer their friendly and free help.

    Hi there,

    Thanks for the quick reply. Here is an example of the spam header. A few of the e-mail addresses have been masked. My server is dbstalk.com:

    Return-path: <tradingalert@worldnet.att.net>
    Received: from ms-mta-04 (ms-mta-04-smtp.texas.rr.com [10.93.38.42])
    by ms-mss-03.texas.rr.com
    (iPlanet Messaging Server 5.2 HotFix 2.04 (built Feb 8 2005))
    with ESMTP id <0ISR00FTKDV23U@ms-mss-03.texas.rr.com> for me@me.com;
    Sat, 07 Jan 2006 23:28:15 -0600 (CST)
    Received: from clmboh-mx-03.mgw.rr.com (clmboh-mx-03.mgw.rr.com [65.24.7.12])
    by ms-mta-04.texas.rr.com
    (iPlanet Messaging Server 5.2 HotFix 2.04 (built Feb 8 2005))
    with ESMTP id <0ISR00451DV21H@ms-mta-04.texas.rr.com> for me@me.com
    (ORCPT me@me.com); Sat, 07 Jan 2006 23:28:15 -0600 (CST)
    Received: from www2.ultimatepositiveness.com (HELO host.dbstalk.com)
    ([67.19.74.170]) by clmboh-mx-03.mgw.rr.com with ESMTP; Sun,
    08 Jan 2006 00:28:15 -0500
    Received: from [61.10.79.73] (helo=worldnet.att.net)
    by host.dbstalk.com with smtp (Exim 4.52)
    id 1EvT69-00068s-OF for ****@dbstalk.com; Sat,
    07 Jan 2006 23:28:10 -0600
    Date: Sat, 07 Jan 2006 21:59:50 -0800
    From: Young <tradingalert@worldnet.att.net>
    Subject: Promotion Alert- on the move
    To: ****@dbstalk.com
    Message-id: <085AE43D.0A01575@worldnet.att.net>
    MIME-version: 1.0
    Content-type: text/html; charset=us-ascii
    Content-transfer-encoding: 8BIT
    X-Accept-Language: en-us
    User-Agent: Mozilla 4.73 [en]C-SYMPA (Win98; U)
    X-AntiAbuse: This header was added to track abuse,
    please include it with any abuse report
    X-AntiAbuse: Primary Hostname - host.dbstalk.com
    X-AntiAbuse: Original Domain - dbstalk.com
    X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
    X-AntiAbuse: Sender Address Domain - worldnet.att.net
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Original-recipient: rfc822;me@me.com

  4. #4
    Member
    Join Date
    Feb 2004
    Posts
    469

    To try and find who is sending, check your /var/log/exim_mainlog. It should have some info in there that might match up to the header. Also, you can watch this log file in real time as mail comes in and goes out, again so you can try and catch who it is. This command in shell will do this for you.

    tail -f /var/log/exim_mainlog

    If you had phpSuexec compiled into Apache and mod-Security installed with a good set of rules, you might be able to stop most of this hijacking from occurring.

    The forum has many posts about this and it really is a matter of using the search function and messing with the key words until something pops up that helps. Most questions and solutions have already been found many times over. There is lots to see and a detective instinct might help.
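
Added example, not part of the thread or any poster's code: one way to match a spam header to /var/log/exim_mainlog is to take the Exim queue ID from the Received line stamped by host.dbstalk.com and pull every log line for that ID, then check whether the arrival line shows a remote SMTP client or a local process. The function names and the sample log lines are assumptions constructed for illustration; the second message in the sample is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: trace one message through an Exim main log by its queue ID.
# SAMPLE_LOG is constructed: the first message mirrors the header in post #3,
# the second (ID, user, addresses) is hypothetical and shows a local submission.
SAMPLE_LOG='2006-01-07 23:28:10 1EvT69-00068s-OF <= tradingalert@worldnet.att.net H=(worldnet.att.net) [61.10.79.73] P=smtp S=2211 id=085AE43D.0A01575@worldnet.att.net
2006-01-07 23:28:11 1EvT69-00068s-OF => user@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.25]
2006-01-07 23:28:11 1EvT69-00068s-OF Completed
2006-01-07 23:30:02 1EvT7x-0006Ab-2k <= nobody@host.example.com U=nobody P=local S=1480
2006-01-07 23:30:03 1EvT7x-0006Ab-2k => someone@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.40]
2006-01-07 23:30:03 1EvT7x-0006Ab-2k Completed'

# The Received line added by the poster's own server, joined onto one line.
HEADER='Received: from [61.10.79.73] (helo=worldnet.att.net) by host.dbstalk.com with smtp (Exim 4.52) id 1EvT69-00068s-OF for ****@dbstalk.com; Sat, 07 Jan 2006 23:28:10 -0600'

# Read headers on stdin, print the first Exim queue ID (6-6-2 characters).
exim_id_from_header() {
  grep -Eo 'id [0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}' | head -n 1 | cut -d' ' -f2
}

# Read a main log on stdin, print every line for one queue ID (field 3).
trace_id() {
  awk -v id="$1" '$3 == id'
}

# Read a main log on stdin, report how the message arrived ("<=" line):
# P=local with U=<user> means a process on the box (for example a CGI script),
# anything else came in over the network from the bracketed IP.
arrival_source() {
  awk -v id="$1" '$3 == id && $4 == "<=" {
    proto = ""; user = ""; ip = ""
    for (i = 5; i <= NF; i++) {
      if ($i ~ /^P=/) proto = substr($i, 3)
      if ($i ~ /^U=/) user = substr($i, 3)
      if ($i ~ /^\[[0-9a-fA-F.:]+\]$/) ip = $i
    }
    if (proto == "local") print "local user=" user
    else print "remote ip=" ip " proto=" proto
  }'
}

# Demo on the constructed data.
id=$(printf '%s\n' "$HEADER" | exim_id_from_header)
printf '%s\n' "$SAMPLE_LOG" | trace_id "$id"
printf '%s\n' "$SAMPLE_LOG" | arrival_source "$id"
```

On the server itself, feed the functions from /var/log/exim_mainlog instead of the sample, for example `trace_id 1EvT69-00068s-OF < /var/log/exim_mainlog`.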

