On 2008-07-30 at 18:22 -0700, Jeroen van Aart wrote:
> Grant Peel wrote:
> > I am thinking a script on one of my servers has a security hole in it. A few
> > days ago, the server started sending out huge amounts of spam. I am yet to
> > find the culprit.

Rate-limiting may help here, if you have a limit on "reasonable" outbound
mail volume per day.

> In such cases standard precautions apply, I would say. Since it is
> possible your server has been broken into. Check for any unknown
> processes running, do an ls -al /tmp/ /var/tmp and /dev/shm and see if
> you find any oddball files, such as /tmp/...
>
> It's very common for a compromised system to have an irc daemon running
> to control bots/botnets and to abuse the MTA to send out spam. Google is
> your friend at finding out what to do when your server might be broken into.

Having dealt with disabling user accounts at an ISP for this, I'll note
that it's much *much* more common for spammers to simply be scanning for
abusable scripts and abusing those, without actually attacking to be able
to run arbitrary code on the web-servers.

Formmail and friends are the main threat on the CGI side, whilst PHP
stuff, well, whatever PHP pre-packaged applications are popular enough for
someone interested to have gone reading through the code to find all the
problems. PHPNuke was amazingly bad in this regard. With some
applications, it gets rather hard to determine where the actual hole is,
buried in some library routine used in some module embedded as a gadget in
some page.

We could block, sure, since we rewrote the envelope-sender to be
[EMAIL PROTECTED] for each domain (mapping UID to domain based upon the
account information) but having more information to hand to customers is
useful.

There's an Exim-users thread started by me on 2006-08-13, subject is
"Feature req: env var logging" and three notes came back:

 * change sendmail_path to a wrapper script which logs (Stephen Gran)
 * use embedded Perl to grab environment variables (Dave Evans)
 * a patch to make environment variables visible in Exim conf (Eli)

Of course, I left my then-employer shortly thereafter as it was sold, so
never used any of these. :) I did appreciate the good feedback though.

> > I am thinking that I would like to temporarily disable apache's sending of
> > email (from FormMail scripts), until I can track down the offending script.
> >
> > Is there a way I can do it in Exim's configure?

Use an acl_not_smtp ACL to deny the message based upon invoker
($caller_uid).

If you have CGI scripts and a userid per website (eg, ISP hosting) then,
if you haven't already done so, do something like set up a CDB file
mapping UID to an email address which has to be the SMTP Envelope Sender,
outbound; use that to set "return_path" on the SMTP transport. You can
also consider setting things like X-Abuse: headers with your abuse contact
address and the web-site responsible.

-Phil

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
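The configuration below is an added worked example of the three things Phil suggests above (an acl_not_smtp ACL keyed on $caller_uid, a CDB map from UID to envelope sender used for return_path on the SMTP transport, and an X-Abuse: header); it is not code from the thread or from the Exim project. Everything specific in it is an assumption made for illustration: the file paths /etc/exim/blocked-uids and /etc/exim/uid2sender.cdb, the address abuse@example.com, and the UID values. The blocked-uids file is a plain lsearch file with one numeric UID per line (e.g. "33: apache"); the CDB file is assumed to be built from a "uid address" list with tinycdb's cdb -c or a similar tool. The transport uses $originator_uid rather than $caller_uid because Exim records the submitting UID in the spool and exposes it under that name at delivery time.

```exim
# ---- main section -----------------------------------------------------
# Run this ACL for every message submitted locally (i.e. via the sendmail
# command line), which is how CGI/PHP scripts on the web server send mail.
acl_not_smtp = acl_check_local

# ---- ACL section --------------------------------------------------------
begin acl

acl_check_local:
  # Temporary measure: refuse submissions from the web server's UID(s).
  # /etc/exim/blocked-uids (assumed path) is an lsearch file, one UID per
  # line, so the block can be lifted by removing the line, no restart needed.
  deny    message   = Local submission from uid $caller_uid is disabled; \
                      contact abuse@example.com
          condition = ${lookup{$caller_uid}lsearch{/etc/exim/blocked-uids}{yes}{no}}

  # Permanent hygiene: tag every locally submitted message with the abuse
  # contact and the account responsible, looked up from the UID map
  # (assumed path; key = numeric uid, value = that account's sender address).
  warn    add_header = X-Abuse: abuse@example.com \
            (${lookup{$caller_uid}cdb{/etc/exim/uid2sender.cdb}{$value}{uid $caller_uid, not in map}})

  accept

# ---- transports section -------------------------------------------------
begin transports

remote_smtp:
  driver = smtp
  # Force the outbound envelope sender to the per-account address from the
  # CDB map, so bounces and complaints land with the account that sent the
  # mail. $originator_uid is the UID that submitted the message, as recorded
  # in the spool. Fall back to the original return path for UIDs not in the
  # map (system daemons, root, etc.).
  return_path = ${lookup{$originator_uid}cdb{/etc/exim/uid2sender.cdb}{$value}{$return_path}}
```

After editing, check the result with `exim -bV` (syntax) and `exim -bh`-style testing does not apply to local submission, so instead send a test message as the web server user (`sudo -u apache /usr/sbin/sendmail -t < msg.txt`) and confirm the deny message is returned; with the UID removed from blocked-uids, `exim -Mvh <message-id>` on the queued message should show the X-Abuse: header, and the remote_smtp delivery log line should show the mapped envelope sender in its F=<...> field.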
