emergency, need to disallow [email protected] sends

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
Got kind of an emergency here. We've got some kind of mailer scripts broadcasting spam with [email protected] (of course Our "servername") in the reply-to/return-path.

How can I set up exim to where [email protected] sends are disallowed?
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,217
4
193
Minneapolis, MN
jols said:
Got kind of an emergency here. We've got some kind of mailer scripts broadcasting spam with [email protected] (of course Our "servername") in the reply-to/return-path.

How can I set up exim to where [email protected] sends are disallowed?
There are cases where spammers still can send out their SPAM despite the fact that Phpsuexec and suexec are enabled. Finding the culprit and either suspending or deleting them is the best solution. That's what we did with several clients of ours with the same problem.
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
I've also included log_selector = +all in the Exim config, but I'll be danged if I can find how this spam ise being sent through our server. In the past it has been the result of some php or pl or cgi emailer.

Does anyone have any tips on how to track this one down?
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,217
4
193
Minneapolis, MN
jols said:
I've also included log_selector = +all in the Exim config, but I'll be danged if I can find how this spam ise being sent through our server. In the past it has been the result of some php or pl or cgi emailer.
Still is. A spammer is using one of the scripts on your server to deliver their SPAM.

Does anyone have any tips on how to track this one down?
It could be more than just one.
 

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
Granted. But the question about how to track this down remains. Any tricks you could offer?
 

MattGetWeb

Well-Known Member
Aug 4, 2005
49
0
156
grep '"POST ' /usr/local/apache/domlogs/*

Look for something getting hit a lot. Most contactus/feedback forms will have a few hits a day. When it is getting hit every few minutes..