Hello,
I have a big problem. Some customer probably got installed a PHP-script
that allows to send-out mails with no trace to the original domain it
belongs to (we had this before, were pollvote.php was used to install
some kind of web-shell - but it was easily detectable which domain it was).
The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to
anything useful.
I'm currently grep'ing the whole content for some of the email-addresses
used, but I'm pessimistic - it may be that the spammer loads even that
list from remote - and it takes a lot of time to grep 400 GB.
What options do I have?
Can Snort detect this?
(The webserver uses qmail as MTA)
cheers,
Rainer
