[PLUG] Tracking down a spammer - advice?
I recently found out that a spammer has been sending massive amounts of e-mail from one of my servers. I am running qmail on debian sarge. After looking at my log files, I am seeing things like "pid 22432 from 188.8.131.52." None of these look like the spammer though, what I see looks like messages that were bounced from the spam.
I am trying to figure out how I can trace where this spam originated from so I can plug the hole. And, supposing I do find something in the log files, I need to determine if it was a remote SMTP connection, and if it is, it probably means that one of my users' SMTP AUTH e-mail passwords has been bruted. I can't tell that from the logs. I need to find out how to see who they were logged in as (over smtp) when they sent the mail. Secondly, if it was a local process, like a php script, I need to know how to trace back to which one it was.
I am at a loss, if anyone has any experience with this, some advice would be appreciated. It doesn't look like a root, I disabled all local accounts, and all e-mail accounts for the time being, but I'd like to get to the bottom of this. Thanks.
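One way to separate locally injected mail from mail that came in over SMTP, as an added example that is not part of the original post: qmail-send logs every queued message with the Unix uid of the process that ran qmail-queue, so counting those lines per uid shows whether the bulk came from qmail-smtpd or from a local account such as the web server's. The log lines and the uid-to-name table below are constructed for the example; the uids on a real Debian host are read from /etc/passwd.

```python
import re
from collections import Counter, defaultdict

# qmail-send records each queued message as:
#   info msg <id>: bytes <n> from <<sender>> qp <pid> uid <uid>
# The uid is the user that invoked qmail-queue: qmaild for mail that
# arrived via qmail-smtpd, the web server's uid for a local PHP script.
INFO_RE = re.compile(
    r"info msg (?P<msg>\d+): bytes (?P<bytes>\d+) from <(?P<sender>[^>]*)> "
    r"qp (?P<qp>\d+) uid (?P<uid>\d+)"
)

# Constructed sample log (tai64n timestamps stripped), not real data.
SAMPLE_LOG = """\
info msg 4711: bytes 2310 from <alice@example.org> qp 22411 uid 64011
info msg 4712: bytes 1987 from <promo@example.net> qp 22432 uid 33
info msg 4713: bytes 1990 from <promo@example.net> qp 22440 uid 33
info msg 4714: bytes 1995 from <promo@example.net> qp 22451 uid 33
info msg 4715: bytes 512 from <> qp 22460 uid 64010
"""

# Assumed uid -> name map for the sample; read /etc/passwd on a real host.
UID_NAMES = {64011: "qmaild", 64010: "qmails", 33: "www-data"}

def parse_log(text):
    """Return one dict per 'info msg' line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = INFO_RE.search(line)
        if m:
            d = m.groupdict()
            d["uid"] = int(d["uid"])
            d["bytes"] = int(d["bytes"])
            records.append(d)
    return records

def summarize(records, uid_names=UID_NAMES):
    """Count queued messages per injecting uid and per (uid, envelope sender)."""
    by_uid = Counter()
    by_sender = defaultdict(Counter)
    for r in records:
        name = uid_names.get(r["uid"], str(r["uid"]))
        by_uid[name] += 1
        by_sender[name][r["sender"]] += 1
    return by_uid, by_sender

if __name__ == "__main__":
    by_uid, by_sender = summarize(parse_log(SAMPLE_LOG))
    for name, n in by_uid.most_common():
        print(f"{name}: {n} messages, top senders {by_sender[name].most_common(3)}")
```

Messages counted under qmaild's uid came through qmail-smtpd; stock qmail-send does not record which SMTP AUTH account was used, so that part has to come from the qmail-smtpd/tcpserver log instead.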
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug