Please disregard my presumptuous conclusion...it turns out that this was a
client's formmail.pl that was exploited, not sqwebmail.
Sorry all!
On Wed, 14 Mar 2001, Mark Evans wrote:
> >
> > It seems that somebody used one of my sqwebmail servers to spam. Since
> > they deleted the From: address it was replaced by [EMAIL PROTECTED]
>
> You could enable nochangingfrom
> >
> > After checking the maillog, apache access_log and cgi.log, I still can't
> > find any indication of an IP or userid.
>
> The sendit.sh has access to all the CGI environment variables.
>
> You could try something like
> (echo "X-Ident: $REMOTE_IDENT@$REMOTE_HOST $HTTP_X_FORWARDED_FOR";cat) \
> |/var/qmail/bin/qmail-inject -f "$AUTHADDR@<foo.bar>"
>
> >
> > Is there a way to track this down...or at least make sqwebmail log one or
> > both pieces of info?
>
> The IP address definitely should be in your apache log.
>
> Try a grep for "GET /cgi-bin/sqwebmail" or "POST /cgi-bin/sqwebmail"
> of your access log(s).
>
> --
> Mark Evans
> St. Peter's CofE High School
> Phone: +44 1392 204764 X109
> Fax: +44 1392 204763
>
James Smallacombe PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED] http://3.am
=========================================================================
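
The access-log search suggested in this thread, as an added example that is not part of the original messages: it tallies client IPs that requested either CGI named above (sqwebmail, and the formmail.pl from the correction). The function names and the log lines are constructed for illustration, and Apache Common Log Format is assumed.

```shell
#!/bin/sh
# Constructed sample lines in Apache Common Log Format (documentation IPs).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [14/Mar/2001:09:12:01 -0500] "GET /cgi-bin/sqwebmail HTTP/1.0" 200 2311
198.51.100.7 - - [14/Mar/2001:09:13:44 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.7 - - [14/Mar/2001:09:13:45 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.7 - - [14/Mar/2001:09:13:46 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
192.0.2.10 - - [14/Mar/2001:09:14:02 -0500] "POST /cgi-bin/sqwebmail HTTP/1.0" 200 1804
203.0.113.5 - - [14/Mar/2001:09:15:30 -0500] "GET /index.html HTTP/1.0" 200 4096
EOF
}

# cgi_hits_by_ip (hypothetical helper): read access-log lines on stdin and
# print "count ip method script" for each GET/POST to a CGI mailer,
# busiest client first.
cgi_hits_by_ip() {
    awk '
        {
            method = $6; sub(/^"/, "", method)   # field 6 is the quoted method
            path = $7;   sub(/\?.*/, "", path)   # drop any query string
            split(path, p, "/")                  # p[2] = directory, p[3] = script
        }
        (method == "GET" || method == "POST") && p[2] == "cgi-bin" &&
        (p[3] == "sqwebmail" || p[3] == "formmail.pl") {
            # key on the script name so PATH_INFO variants group together
            count[$1 " " method " /cgi-bin/" p[3]]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample; for real use, feed the
# server access log on stdin instead.
sample_log | cgi_hits_by_ip
```

A single address with a burst of POSTs to one mailer script stands out at the top of the output; the timestamps for that address can then be matched against the maillog.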