I got a report that my CentOS 5.4 is used for sending spam.
From sendmail maillog I can see that apache has been sending a lot of
email to suspicious addresses.
Probably one of the many Apache virtual hosts I have is used for sending spam. But how to find out which one?
Regards, Peter
Peter Peltonen wrote:
I got a report that my CentOS 5.4 is used for sending spam.
From sendmail maillog I can see that apache has been sending a lot of
email to suspicious addresses.
Probably one of the many Apache virtual hosts I have is used for sending spam. But how to find out which one?
the maillog should show where the messages are coming from
On Tue, Oct 27, 2009 at 10:05 AM, John R Pierce pierce@hogranch.com wrote:
Peter Peltonen wrote:
I got a report that my CentOS 5.4 is used for sending spam.
From sendmail maillog I can see that apache has been sending a lot of
email to suspicious addresses.
Probably one of the many Apache virtual hosts I have is used for sending spam. But how to find out which one?
the maillog should show where the messages are coming from
They just say that Apache is sending them, so I cannot pinpoint the virtual host.
But apparently I can force (override) the sender in the VirtualHost with this line:
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f emailcop@domainname"
where you replace domainname with the one in the virtual host. This will then show up in the maillog.
Now I just have to wait and watch the maillog...
Best, Peter
Peter Peltonen wrote:
On Tue, Oct 27, 2009 at 10:05 AM, John R Pierce pierce@hogranch.com wrote:
Peter Peltonen wrote:
I got a report that my CentOS 5.4 is used for sending spam.
From sendmail maillog I can see that apache has been sending a lot of
email to suspicious addresses.
Probably one of the many Apache virtual hosts I have is used for sending spam. But how to find out which one?
the maillog should show where the messages are coming from
They just say that Apache is sending them, so I cannot pinpoint the virtual host.
But apparently I can force (override) the sender in the VirtualHost with this line:
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f emailcop@domainname"
where you replace domainname with the one in the virtual host. This will then show up in the maillog.
Now I just have to wait and watch the maillog...
If the emails are a result of posting to a form you can probably match up the timestamps in the http and mail logs.
-- Les Mikesell lesmikesell@gmail.com
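The timestamp matching suggested above, as an added example that is not part of the original thread: it counts, per virtual host and path, the POST requests seen within a few seconds before each message that sendmail logged with from=apache. The per-vhost access logs, the vhost names, the sample log lines and the 5-second window are all constructed assumptions, and both logs are assumed to use the same local time.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): sendmail maillog lines.
MAILLOG = """\
Oct 27 09:14:03 web1 sendmail[4101]: n9R7E3aa004101: from=apache, size=812, class=0, nrcpts=1, relay=apache@localhost
Oct 27 09:14:09 web1 sendmail[4107]: n9R7E9ab004107: from=apache, size=815, class=0, nrcpts=1, relay=apache@localhost
Oct 27 09:20:41 web1 sendmail[4150]: n9R7Kfac004150: from=root, size=300, class=0, nrcpts=1, relay=root@localhost
Oct 27 09:31:30 web1 sendmail[4188]: n9R7VUad004188: from=apache, size=640, class=0, nrcpts=1, relay=apache@localhost
"""
# Constructed per-vhost access logs (hypothetical vhost names), common log format.
ACCESS = {
    "shop.example": """\
198.51.100.7 - - [27/Oct/2009:09:14:02 +0200] "POST /contact.php HTTP/1.1" 200 512
198.51.100.7 - - [27/Oct/2009:09:14:08 +0200] "POST /contact.php HTTP/1.1" 200 512
""",
    "blog.example": """\
203.0.113.9 - - [27/Oct/2009:09:14:05 +0200] "GET /index.php HTTP/1.1" 200 9000
203.0.113.9 - - [27/Oct/2009:09:31:29 +0200] "POST /cgi-bin/form.pl HTTP/1.1" 200 128
""",
}
MAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: \w+: from=apache,")
HTTP_RE = re.compile(r'\[([^\] ]+) [^\]]+\] "POST (\S+)')

def mail_times(maillog, year):
    """Timestamps of messages submitted by the apache user (syslog omits the year)."""
    return [datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            for m in map(MAIL_RE.match, maillog.splitlines()) if m]

def post_requests(access):
    """Yield (time, vhost, path) for every POST; the UTC offset is ignored."""
    for vhost, log in access.items():
        for m in HTTP_RE.finditer(log):
            yield datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"), vhost, m.group(2)

def correlate(maillog, access, year=2009, window=5):
    """Count POSTs seen at most `window` seconds before each apache-submitted mail."""
    posts = list(post_requests(access))
    hits = Counter()
    for t in mail_times(maillog, year):
        for when, vhost, path in posts:
            if timedelta(0) <= t - when <= timedelta(seconds=window):
                hits[(vhost, path)] += 1
    return hits

if __name__ == "__main__":
    for (vhost, path), n in correlate(MAILLOG, ACCESS).most_common():
        print(f"{n:3d}  {vhost}{path}")
```

Because it matches on the request time rather than on anything PHP-specific, the same count also surfaces a CGI script that sends mail.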
On Tue, Oct 27, 2009 at 6:50 AM, Peter Peltonen peter.peltonen@gmail.com wrote:
I got a report that my CentOS 5.4 is used for sending spam.
From sendmail maillog I can see that apache has been sending a lot of
email to suspicious addresses.
Probably one of the many Apache virtual hosts I have is used for sending spam. But how to find out which one?
Regards, Peter
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
What you need is this: http://choon.net/php-mail-header.php
But this requires recompiling PHP..
Lucian @ lastdot.org wrote:
What you need is this: http://choon.net/php-mail-header.php
But this requires recompiling PHP..
you're assuming this is being done via PHP, it could as easily be coming from a bad perl CGI or another similar exploitable web service.