Grant Peel wrote:
> I am thinking a script on one of my servers has a security hole in it. A few 
> days ago, the server started sending out huge amounts of spam. I am yet to 
> find the culprit.

In such cases standard precautions apply, I would say, since it is 
possible your server has been broken into. Check for any unknown 
processes running, do an ls -al /tmp/ /var/tmp and /dev/shm and see if 
you find any oddball files, such as /tmp/...

It's very common for a compromised system to have an IRC daemon running 
to control bots/botnets and to abuse the MTA to send out spam. Google is 
your friend for finding out what to do when your server might be broken into.

> In the meantime, I am seeing thousands of mailq entries like:
> 
> 2008-07-30 18:33:50 1KOKEw-000DG6-77 <= [EMAIL PROTECTED] U=www P=local 
> S=2625 T="God Has Chosen You" from <[EMAIL PROTECTED]> for 
> [EMAIL PROTECTED]

If you want to obfuscate you should use example.com/.net/.org instead.

> I am thinking that I would like to temporarily disable apache's sending of 
> email (from FormMail scripts), until I can track down the offending script.
> 
> Is there a way I can do it in Exim's configure?

I am sure there is, but that way you wouldn't find out the cause, which 
I hope is "just" the abuse of a script or such originating from your 
webserver. Why not stop apache and see if that stops the spam? Then go 
from there.

Also remove all email from the queue which can clearly be identified as 
spam. http://bradthemad.org/tech/notes/exim_cheatsheet.php may be 
helpful. T="Gawd Has Chosen You" looks like an easy indicator. ;-)

Greetings,
Jeroen


-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
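The two checks Jeroen suggests above (look for oddball files in the scratch directories, then pick the obvious spam out of the queue) as a small POSIX shell script. This is an added example, not code from the original thread, from the Exim project or from the linked cheatsheet. It assumes the mainlog lives at /var/log/exim4/mainlog (adjust for your install), that the web server injects mail as U=www as in Grant's log line, and the sample log excerpt is constructed for the demo, with the queue IDs and addresses made up.

```sh
#!/bin/sh
# Triage helpers for a web server that has started spewing spam through Exim.
# Added example; not part of the original post or of Exim itself.

# 1. List suspicious entries in the world-writable scratch directories:
#    dot-named entries (the classic "/tmp/..." hiding spot) and regular files
#    with an owner execute bit.  The usual X11/ICE/font sockets are skipped.
find_oddball_tmp() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -mindepth 1 -maxdepth 1 \
            \( -name '.*' -o \( -type f -perm -100 \) \) \
            ! -name '.X11-unix' ! -name '.ICE-unix' ! -name '.font-unix' \
            2>/dev/null
    done
}

# 2. Read Exim mainlog lines on stdin and print the queue IDs of messages
#    that arrived ("<=") from local user $2 (e.g. www) with a subject
#    matching the awk regex $1.  Log field layout: date time id "<=" ...
#    U=<user> ... T="<subject>".  The U= filter keeps us from pulling
#    unrelated inbound mail that merely shares the subject.
spam_queue_ids() {
    awk -v pat="$1" -v user="$2" '
        $4 == "<=" && index($0, " U=" user " ") && index($0, " T=\"") {
            subj = $0
            sub(/.* T="/, "", subj)   # drop everything up to the subject
            sub(/".*/, "", subj)      # drop the closing quote and the rest
            if (subj ~ pat) print $3
        }'
}

# 3. Hand the IDs to exim -Mrm.  Dry run unless DO_REMOVE=1, so you can eyeball
#    the list first.  IDs that have already left the queue are simply
#    reported by exim as not found.
purge_spam() {
    log="${3:-/var/log/exim4/mainlog}"   # assumed path; Debian-style install
    ids=$(spam_queue_ids "$1" "$2" < "$log")
    [ -n "$ids" ] || { echo "no matching messages"; return 0; }
    if [ "${DO_REMOVE:-0}" = 1 ]; then
        echo "$ids" | xargs exim -Mrm
    else
        echo "Would run: exim -Mrm $(echo "$ids" | xargs echo)"
    fi
}

# Constructed sample log (made-up IDs and addresses) in the format Grant posted.
# Lines 1-2: web-injected spam.  Line 3: normal local mail.  Line 4: inbound
# mail with the same subject but not from U=www, so it must NOT be selected.
SAMPLE_LOG='2008-07-30 18:33:50 1KOKEw-000DG6-77 <= www@example.com U=www P=local S=2625 T="God Has Chosen You" from <www@example.com> for victim@example.net
2008-07-30 18:33:51 1KOKEx-000DG8-9A <= www@example.com U=www P=local S=2631 T="God Has Chosen You" from <www@example.com> for other@example.org
2008-07-30 18:34:02 1KOKF8-000DGC-1Q <= alice@example.com U=alice P=local S=812 T="lunch?" from <alice@example.com> for bob@example.com
2008-07-30 18:34:10 1KOKFG-000DGH-2Z <= bounce@example.net H=mx.example.net [192.0.2.10] P=esmtp S=1450 T="God Has Chosen You" for carol@example.com'

# Space-separated IDs the filter selects from the sample log.
demo_spam_ids() {
    printf '%s\n' "$SAMPLE_LOG" | spam_queue_ids 'God Has Chosen You' www | xargs echo
}

# Typical use on the box itself:
#   find_oddball_tmp /tmp /var/tmp /dev/shm
#   purge_spam 'God Has Chosen You' www            # dry run
#   DO_REMOVE=1 purge_spam 'God Has Chosen You' www
```

Stopping apache while you run this is still the decisive test Jeroen describes: if the queue stops growing once the web server is down, the injection path is a script running as the www user rather than a remote open relay.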