H=localhost (User) spammer

CapriSkye

Registered
Oct 6, 2004
Hello, I've been trying to track down a spammer, was wondering if anyone can give me some directions. The log is here,

Code:
2011-01-10 07:06:41 [16082] 1PdLwq-0004BO-Ep <= [email protected] H=localhost (User) [127.0.0.1]:37420 I=[127.0.0.1]:25 P=smtp S=226 from <[email protected]> for [email protected]
I'm unable to find any other information from the exim log. I know if I log in to SSH and telnet to localhost and send emails that way, it would show a similar log, but I'm not seeing anyone logged in during that time. Any other places I should check?

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
SLC
cPanel Access Level
DataCenter Provider
Run this command from SSH:
netstat -cen | grep 127.0.0.1:25


Watch and wait for their next spam run; it will give you the UID (you may have to wait a while).

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello dalem,

That's a helpful command. Thanks for providing it, but rather than waiting, wouldn't it be easier to run it to write to a file?

Code:
netstat -cen | grep 127.0.0.1:25 > /root/spammer.txt &
You can test this out by connecting to localhost on the machine after running the above command to see the results:

Code:
telnet localhost 25
The best benefit is that it wouldn't then require waiting in SSH for them to do it again. The above netstat command will save to the /root/spammer.txt file as a log of connections on localhost on port 25. Please note that you could always put the log in whatever location you prefer and call it whatever name you prefer.

Once you see the user spamming again, simply kill the netstat process:

Code:
ps aux | grep netstat
kill -9 netstatPID#
Then check who has the last logs in the file around that time. Personally, I always prefer to log things when possible.
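As an added example (not posted in this thread), here is a small POSIX shell script that correlates the exim log line from the first post with the connection log that the netstat command above writes. The exim line carries the client's source port (`[127.0.0.1]:37420`), and since the grep matches both ends of the loopback connection, the script picks the line whose foreign address is 127.0.0.1:25 (the client side) rather than the exim listener's own line, then maps the User column to an account. The netstat lines and passwd excerpt are constructed sample data; the addresses in the exim line are constructed placeholders.

```sh
#!/bin/sh
# Added example: recover the local account behind an exim "<=" H=localhost line
# by matching its client port against a `netstat -cen` capture. Sample data only.

# Exim main-log line in the format quoted in the thread (addresses constructed).
EXIM_LINE='2011-01-10 07:06:41 [16082] 1PdLwq-0004BO-Ep <= sender@example.com H=localhost (User) [127.0.0.1]:37420 I=[127.0.0.1]:25 P=smtp S=226 from <sender@example.com> for victim@example.net'

# Constructed lines in `netstat -en` layout:
# Proto Recv-Q Send-Q Local Address Foreign Address State User Inode
# The grep from the thread matches BOTH ends of the loopback connection: the
# exim listener (uid 47) and the client that connected to it (uid 1002).
NETSTAT_LOG='tcp        0      0 127.0.0.1:25            127.0.0.1:37420         ESTABLISHED 47         123456
tcp        0      0 127.0.0.1:37420         127.0.0.1:25            ESTABLISHED 1002       123457
tcp        0      0 10.0.0.5:22             203.0.113.9:51234       ESTABLISHED 0          123458'

# Constructed /etc/passwd excerpt used to turn a uid into an account name.
PASSWD='root:x:0:0:root:/root:/bin/bash
mailnull:x:47:47::/var/spool/exim:/sbin/nologin
bobsite:x:1002:1002::/home/bobsite:/bin/bash'

# Print the client port from the "H=... [127.0.0.1]:PORT" field of an exim line.
# The [^[]* keeps the match anchored to H= rather than the later I=[...] field.
exim_client_port() {
    printf '%s\n' "$1" | sed -n 's/.*H=[^[]*\[127\.0\.0\.1\]:\([0-9]*\).*/\1/p'
}

# Print the uid that owned the CLIENT end of a connection to 127.0.0.1:25,
# i.e. the line whose local address is 127.0.0.1:PORT and foreign is 127.0.0.1:25.
uid_for_port() {
    printf '%s\n' "$NETSTAT_LOG" | awk -v port="$1" \
        '$1 == "tcp" && $4 == ("127.0.0.1:" port) && $5 == "127.0.0.1:25" { print $7; exit }'
}

# Resolve a numeric uid to an account name from the passwd excerpt.
uid_to_name() {
    printf '%s\n' "$PASSWD" | awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# Chain the three steps for one exim log line; fails if either lookup is empty.
find_sender_account() {
    port=$(exim_client_port "$1")
    [ -n "$port" ] || return 1
    uid=$(uid_for_port "$port")
    [ -n "$uid" ] || return 1
    uid_to_name "$uid"
}

find_sender_account "$EXIM_LINE"   # prints: bobsite
```

On a live server, replace the NETSTAT_LOG and PASSWD strings with `cat /root/spammer.txt` and `cat /etc/passwd`; the listener line's User column is exim's own uid, so only the client-side line identifies the sending account.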