Thread: Isolating Spam

    #1  Registered User (joined Aug 2010)

    Isolating Spam


    We have a CentOS server, running Sendmail and ISPConfig as the panel. We recently noticed a huge increase in traffic coming from a phoney yahoo account. The logs show hundreds of emails being sent in a short time.

    We are trying to isolate the script, but we have multiple sites running and don't know where to look first.

    Ideas?
    #2  Contributing User, Minneapolis, MN (joined Oct 2003)

    Code:
    grep 'yahoo' /var/log/maillog
    #3  Contributing User (joined May 2009)

    You will want to track one of the emails from start to finish to determine how it was sent.

    I do not know about the ISPConfig panel, but on many systems, if it is a web script or form being exploited to send email, the sender's ID will be that of the Apache user on the server (for PHP apps) or the site's file owner for cgi-bin apps.

    If a user account was hacked, you can often look for a higher number of logins or SMTP AUTH connections from the same user by analyzing the log files.
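The two replies above amount to one procedure: pull the sender's lines out of /var/log/maillog, then look at how each message entered sendmail. The script below is an added example, not code from either poster or from ISPConfig. It parses sendmail-style maillog lines and labels each message as a local injection (sendmail logs these as relay=<unixuser>@localhost, so apache means a PHP mail() call from some vhost), an SMTP AUTH submission (a separate AUTH=server line with authid= carries the account name), or plain SMTP from a remote relay. The sample log, queue IDs, hostnames, addresses and the function names are all constructed for the example.

```python
"""Classify outbound mail in a sendmail maillog by how it was handed to the MTA.

Added example: the log excerpt below is constructed, not real data.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/maillog (sendmail format). Queue IDs, hosts
# and addresses are made up. Lines for one message share a queue ID.
SAMPLE_LOG = """\
Aug 14 10:01:02 web1 sendmail[2011]: o7EE12aB002011: from=<spammer@yahoo.com>, size=812, class=0, nrcpts=1, msgid=<a1@web1>, relay=apache@localhost
Aug 14 10:01:02 web1 sendmail[2012]: o7EE12aB002011: to=<victim1@example.net>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30812, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent
Aug 14 10:01:03 web1 sendmail[2013]: o7EE13aB002013: from=<spammer@yahoo.com>, size=815, class=0, nrcpts=1, msgid=<a2@web1>, relay=apache@localhost
Aug 14 10:01:05 web1 sendmail[2020]: o7EE15aB002020: AUTH=server, relay=[198.51.100.7], authid=bob, mech=LOGIN, bits=0
Aug 14 10:01:05 web1 sendmail[2020]: o7EE15aB002020: from=<bob@example.com>, size=2100, class=0, nrcpts=1, msgid=<b1@laptop>, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Aug 14 10:02:00 web1 sendmail[2031]: o7EE20aB002031: from=<spammer@yahoo.com>, size=810, class=0, nrcpts=1, msgid=<a3@web1>, relay=apache@localhost
Aug 14 10:02:30 web1 sendmail[2040]: o7EE2UaB002040: from=<joe@site2.example>, size=500, class=0, nrcpts=1, msgid=<c1@web1>, relay=joe@localhost
"""

QID_RE = re.compile(r'sendmail\[\d+\]: ([0-9A-Za-z]+): (.*)$')
FROM_RE = re.compile(r'^from=<?([^>,]*)>?,')
RELAY_RE = re.compile(r'relay=([^,\s]+)')
AUTH_RE = re.compile(r'^AUTH=server,.*authid=([^,]+)')


def parse_maillog(text):
    """Return {queue_id: {'sender', 'relay', 'authid'?}} for each message
    that has a from= line. The AUTH=server line (if any) is logged under the
    same queue ID, so it is merged into the same record."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        auth = AUTH_RE.match(rest)
        if auth:
            msgs[qid]['authid'] = auth.group(1)
            continue
        frm = FROM_RE.match(rest)
        if frm:
            msgs[qid]['sender'] = frm.group(1)
            relay = RELAY_RE.search(rest)
            msgs[qid]['relay'] = relay.group(1) if relay else ''
    return {q: rec for q, rec in msgs.items() if 'sender' in rec}


def submission_path(rec):
    """Label how a message reached sendmail:
    - 'smtp-auth:<account>': SMTP AUTH login, i.e. a mailbox password in use
    - 'local:<unixuser>':    injected locally by that Unix user
                             (apache => a PHP script under some vhost)
    - 'smtp:<relay>':        unauthenticated SMTP from a remote host"""
    if 'authid' in rec:
        return 'smtp-auth:' + rec['authid']
    relay = rec['relay']
    if relay.endswith('@localhost'):
        return 'local:' + relay.split('@', 1)[0]
    return 'smtp:' + relay


def summarize(text):
    """Count messages per (envelope sender, submission path), busiest first."""
    counts = Counter()
    for rec in parse_maillog(text).values():
        counts[(rec['sender'], submission_path(rec))] += 1
    return counts.most_common()


if __name__ == '__main__':
    # On the real box: summarize(open('/var/log/maillog').read())
    for (sender, path), n in summarize(SAMPLE_LOG):
        print(f'{n:5d}  {sender:30s} {path}')
```

On the sample, the top line is spammer@yahoo.com via local:apache three times, which is the web-script case from the reply above: the next place to look is the Apache access logs of each vhost for POST requests at those timestamps. A top line of smtp-auth:<account> instead points at a stolen mailbox password for that account. The regexes assume stock sendmail log formatting; if your maillog lines differ, adjust them before trusting the counts.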
