The headers are below. I noticed: "qmail 3443 invoked by uid 65534". It seems like there is a hijacked web form/PHP script. Now, how to track down something like that with about 15 different websites on the server and possibly thousands of PHP scripts?
> > Return-path: <anonymous@oak.webhost999.com>
> > Envelope-to: x
> > Delivery-date: Sat, 11 Oct 2008 14:36:16 -0400
> > Received: from bosimpinc02.eigbox.net ([10.20.13.2])
> >   by bosmailscan17.eigbox.net with esmtp (Exim)
> >   id 1KojK3-0005w9-VY
> >   for x; Sat, 11 Oct 2008 14:36:15 -0400
> > Received: from oak.webhost999.com ([72.36.252.4])
> >   by bosimpinc02.eigbox.net with NO UCE
> >   id RWcF1a04906TBT40AWcFnD; Sat, 11 Oct 2008 14:36:16 -0400
> > X-EN-OrigIP: 72.36.252.4
> > X-EN-IMPSID: RWcF1a04906TBT40AWcFnD
> > Received: (qmail 3443 invoked by uid 65534); 11 Oct 2008 10:54:14 -0000
> > Date: 11 Oct 2008 10:54:14 -0000
> > Message-ID: <2008_________________mail@oak.webhost999.com>
> > To: x
> > From: The Egg Servicing Team <accountsupdate@new.egg.com>
> > Reply-To:
> > MIME-Version: 1.0
> > Content-Type: text/html
> > Content-Transfer-Encoding: 8bit
> > Subject: [SPAM][IPMS] Egg Secure Account Update
--- On Mon, 10/13/08, Douglas Muth <doug.muth@gmail.com> wrote:

From: Douglas Muth <doug.muth@gmail.com>
Subject: Re: [PLUG] Tracking down a spammer - advice?
To: marcz908@yahoo.com, "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Date: Monday, October 13, 2008, 7:17 PM
On Mon, Oct 13, 2008 at 7:14 PM, Marc Zucchelli <marcz908@yahoo.com> wrote:
>
> I recently found out that a spammer has been sending massive amounts of
> e-mail from one of my servers. I am running qmail on debian sarge. After
> looking at my log files, I am seeing things like "pid 22432 from
> 123.123.123.123." None of these look like the spammer though, what I see
> looks like messages that were bounced from the spam.
>
It would be most helpful if you could send the headers from one of the spams or bounces.
What you describe /almost/ sounds as though your domain was forged on a spam and you're seeing bounces. But I'd need to see a sample message before saying that for certain.
-- 
Doug
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
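The "(qmail 3443 invoked by uid 65534)" Received line says the message was injected locally by the web server's unprivileged user (uid 65534 is "nobody" on Debian), which is what PHP's mail() does when it shells out to the binary named in php.ini's sendmail_path. One way to find which of thousands of scripts is doing the sending is to put a small logging wrapper in front of the real sendmail: Apache exports the CGI environment (SCRIPT_FILENAME, REMOTE_ADDR) to the PHP child, and the working directory is that of the running script, so each invocation can be tagged with its caller. The script below is an added example written for this thread, not code from the original posts; the wrapper name sendmail-logger, the log path, and the qmail sendmail location /var/qmail/bin/sendmail are assumptions for the example, and summarize_callers ranks the recorded scripts so the busiest one stands out.

```shell
#!/bin/sh
# Hypothetical sendmail logging wrapper (added example, not from the thread).
# Install by pointing php.ini at it, e.g.
#   sendmail_path = /usr/local/bin/sendmail-logger -t -i
# It records which PHP script invoked the mailer, then hands the message
# to the real sendmail so delivery is unchanged.

# Assumed locations; adjust for the host.
REAL_SENDMAIL="${REAL_SENDMAIL:-/var/qmail/bin/sendmail}"
LOGFILE="${LOGFILE:-/var/log/php-mail-callers.log}"

# Build one log line from the calling process environment.
# mod_php/CGI pass SCRIPT_FILENAME and REMOTE_ADDR down to children;
# $PWD is the directory of the script that called mail().
format_caller_line() {
    printf '%s uid=%s pwd=%s script=%s remote=%s args=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(id -u)" "$PWD" \
        "${SCRIPT_FILENAME:-unknown}" "${REMOTE_ADDR:-unknown}" "$*"
}

# Count invocations per script in a log file, busiest first, so a single
# abused form among thousands of scripts rises to the top.
summarize_callers() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^script=/) { sub(/^script=/, "", $i); n[$i]++ } }
         END { for (s in n) printf "%6d %s\n", n[s], s }' "$1" | sort -rn
}

# Only act as the wrapper when installed under that name; sourcing or
# running this file under another name just defines the functions.
if [ "${0##*/}" = "sendmail-logger" ]; then
    format_caller_line "$@" >> "$LOGFILE" 2>/dev/null || true
    exec "$REAL_SENDMAIL" "$@"
fi
```

After the wrapper has been in place for a while, `summarize_callers /var/log/php-mail-callers.log | head` lists the scripts by how many messages they injected; the remote= field shows whether the calls come from a few addresses or from everywhere, which is also what the Received chain in the sample headers cannot tell you on its own.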