Marc Zucchelli on 13 Oct 2008 16:14:53 -0700



[PLUG] Tracking down a spammer - advice?


Hi Everyone,

I recently found out that a spammer has been sending massive amounts of e-mail from one of my servers.  I am running qmail on debian sarge.  After looking at my log files, I am seeing things like "pid 22432 from 123.123.123.123."  None of these look like the spammer, though; what I see looks like messages that were bounced from the spam.

I am trying to figure out how I can trace where this spam originated from so I can plug the hole.  And, supposing I do find something in the log files, I need to determine if it was a remote SMTP connection, and if it is, it probably means that one of my users' SMTP AUTH e-mail passwords has been bruted.  I can't tell that from the logs.  I need to find out how to see who they were logged in as (over smtp) when they sent the mail.  Secondly, if it was a local process, like a php script, I need to know how to trace back to which one it was.

I am at a loss; if anyone has any experience with this, some advice would be appreciated.  It doesn't look like a root, I disabled all local accounts, and all e-mail accounts for the time being, but I'd like to get to the bottom of this.  Thanks.

Marc
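
One place the remote-vs-local question above can be answered is qmail-send's own log: every message accepted into the queue gets an "info msg N: bytes B from <sender> qp PID uid UID" line, and that uid is the user that called qmail-queue (qmail-smtpd's user for mail that arrived over SMTP, the web server's user for mail a PHP script handed to the sendmail wrapper). The script below is an added example, not from the original post; the log lines, the TAI64N prefixes and the uid-to-account mapping are constructed, so substitute the uids from your own /etc/passwd.

```python
import re
from collections import Counter, defaultdict

# qmail-send logs one line per message accepted into the queue:
#   info msg <num>: bytes <n> from <envelope-sender> qp <pid> uid <uid>
# <uid> is the real uid of the process that ran qmail-queue, so it separates
# SMTP-injected mail (qmail-smtpd's uid) from mail injected by a local program.
INFO_RE = re.compile(
    r"info msg (?P<msg>\d+): bytes (?P<bytes>\d+) from <(?P<sender>[^>]*)> "
    r"qp (?P<qp>\d+) uid (?P<uid>\d+)"
)

def summarize_injections(lines):
    """Count queued messages per injecting uid and the envelope senders each used."""
    per_uid = Counter()
    senders = defaultdict(Counter)
    for line in lines:
        m = INFO_RE.search(line)  # search(), so multilog's @TAI64N prefix is ignored
        if not m:
            continue
        uid = int(m.group("uid"))
        per_uid[uid] += 1
        senders[uid][m.group("sender")] += 1
    return per_uid, senders

# Constructed sample log; uids are hypothetical (64011 = qmaild, 33 = www-data).
SAMPLE_LOG = """\
@4000000048f3c1a02e7d10f4 info msg 3001: bytes 812 from <alice@example.org> qp 22432 uid 64011
@4000000048f3c1a12f1a0b3c info msg 3002: bytes 41290 from <promo@example.net> qp 22501 uid 33
@4000000048f3c1a23a0c44e1 info msg 3003: bytes 41290 from <promo@example.net> qp 22502 uid 33
@4000000048f3c1a30b9d0e07 info msg 3004: bytes 41290 from <promo@example.net> qp 22503 uid 33
@4000000048f3c1a41c2e6f55 info msg 3005: bytes 1120 from <> qp 22510 uid 64011
""".splitlines()

# Hypothetical mapping; build the real one from /etc/passwd on the affected host.
ACCOUNTS = {
    64011: "qmaild (qmail-smtpd: arrived over SMTP)",
    33: "www-data (local web server process, e.g. a PHP script)",
}

def report(lines, accounts=ACCOUNTS):
    """One line per injecting uid, busiest first, with its most-used envelope sender."""
    per_uid, senders = summarize_injections(lines)
    out = []
    for uid, n in per_uid.most_common():
        sender, times = senders[uid].most_common(1)[0]
        out.append(f"uid {uid} [{accounts.get(uid, 'unknown')}]: "
                   f"{n} msgs, top sender <{sender}> x{times}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A uid that belongs to the web server points at a local script (then check that uid's processes and the web server's access logs around the "qp" pid times); qmail-smtpd's uid points at the SMTP path, where stock qmail does not log the AUTH user, so the SMTP AUTH patch's logging or the tcpserver connection log is what remains to correlate against.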

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug