On Thursday 30 Mar 2006 22:33, saki wrote:
> > Sounds like you have a web based email form or a
> > compromised user or
> > machine that is feeding the spam into your machine.
> >
> > I'd check the messages themselves to see where the
> > headers said they
> > came from.
> >
> > Rick
>
> Yes, Your doubt is right. This is output from
>
> -bash-2.05b# tail -f
> /var/spool/qmailscan/qmail-queue.log

use grep to look through your web logs for return-path= recips=
depending on how many users you have, try to find any php scripts containing 'mail'. If they also contain the above you're getting somewhere. Of course cgi-bin is also a possibility. Look for 'mailform' or 'formmail' etc

hope you get lucky

>
>
> " Fri, 31 Mar 2006 03:16:10 BDT:22486: ------ Process
> 22486 finished. Total of 7.66887 secs
> Fri, 31 Mar 2006 03:16:13 BDT:22492: w_c: elapsed time
> from start 4.618193 secs
> Fri, 31 Mar 2006 03:16:13 BDT:22492:
> return-path='[EMAIL PROTECTED]',
> recips='[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
>.tw,[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],luckt
>[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],luckvictor@
>yahoo.com.tw,[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
>.tw,[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],luckwi
>[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
>.tw,[EMAIL PROTECTED]' Fri, 31 Mar 2006 03:16:13 BDT:22492:
> from='"§K¶O¡B§K¶O¡B§K¶O¡B§K¶O"
> <[EMAIL PROTECTED]>',
> subj='·Q¤F¸Ñ°Ó«~ªº¦æ¾PÁͶնܡH^^Åý±M®a§K¶O¬°±z¿Ô¸ß¡I^^navigable',
> via SMTP from 192.168.0.1
> Fri, 31 Mar 2006 03:16:14 BDT:22492: clamdscan:
> finished scan of dir
> "/var/spool/qmailscan/tmp/ns1.infobd.net114375336862022492"
> in 1.038585 secs
> Fri, 31 Mar 2006 03:16:14 BDT:22492: SA: don't scan as
> RELAYCLIENT implies this was sent by a local user
> Fri, 31 Mar 2006 03:16:14 BDT:22492: p_s: finished
> scan in 0.003957 secs
> Fri, 31 Mar 2006 03:16:14 BDT:22492: ini_sc: finished
> scan of
> "/var/spool/qmailscan/tmp/ns1.infobd.net114375336862022492"...
> Fri, 31 Mar 2006 03:16:14 BDT:22492: ini_sc: elapsed
> time from start 5.667414 secs
> Fri, 31 Mar 2006 03:16:14 BDT:22492: ------ Process
> 22492 finished. Total of 5.68355 secs
> Fri, 31 Mar 2006 03:16:14 BDT:22487: w_c: elapsed time
> from start 12.394417 secs
> Fri, 31 Mar 2006 03:16:14 BDT:22487:
> return-path='[EMAIL PROTECTED]',
> recips='[EMAIL PROTECTED],[EMAIL PROTECTED],chatt
>[EMAIL PROTECTED]' Fri, 31 Mar 2006 03:16:14 BDT:22487:
> from='"¡®¤£¥Î§A¦hªá¿ú¡A¥i¥H¬Ù¿ú¤S¥i¥HÁÈ¿ú(§Þ¥©¡B¤èªk°Ý§Ú)http:\¤£¥Î§A¦hªá¿ú
>¡A¥i¥H¬Ù¿ú¤S¥i¥HÁÈ¿ú(§Þ¥©¡B¤èªk°Ý§Ú)vv" <[EMAIL PROTECTED]>',
> subj='¢ð¨C¤ë¦æ°Ê¹q¸Ü¶O¶W¹L1,000¤¸ªº¤H¡A½Ðª`·N!!!([EMAIL PROTECTED])¡¦¡¦',
> via SMTP from 192.168.0.1
> Fri, 31 Mar 2006 03:16:15 BDT:22487: clamdscan:
> finished scan of dir
> "/var/spool/qmailscan/tmp/ns1.infobd.net114375336262022487"
> in 1.03333 secs
> Fri, 31 Mar 2006 03:16:15 BDT:22487: SA: don't scan as
> RELAYCLIENT implies this was sent by a local user
> Fri, 31 Mar 2006 03:16:15 BDT:22487: p_s: finished
> scan in 0.003948 secs
> Fri, 31 Mar 2006 03:16:15 BDT:22487: ini_sc: finished
> scan of
> "/var/spool/qmailscan/tmp/ns1.infobd.net114375336262022487"...
> Fri, 31 Mar 2006 03:16:15 BDT:22487: ini_sc: elapsed
> time from start 13.438296 secs
> Fri, 31 Mar 2006 03:16:16 BDT:22487: ------ Process
> 22487 finished. Total of 13.460671 secs
> Fri, 31 Mar 2006 03:16:17 BDT:22514: +++ starting
> debugging for process 22514 by uid=89
> Fri, 31 Mar 2006 03:16:21 BDT:22516: +++ starting
> debugging for process 22516 by uid=89
> Fri, 31 Mar 2006 03:16:23 BDT:22518: +++ starting
> debugging for process 22518 by uid=89
> Fri, 31 Mar 2006 03:16:23 BDT:22520: +++ starting
> debugging for process 22520 by uid=89"
>
>
> And also output from:
>
> -bash-2.05b# tail -f /var/log/qmail/smtpd/current
> @40000000442c4d421a03c464 tcpserver: end 24467 status
> 256
> @40000000442c4d421a03d7ec tcpserver: status: 19/20
> @40000000442c4d421a03eb74 tcpserver: status: 20/20
> @40000000442c4d421a03fefc tcpserver: pid 24468 from
> 192.168.0.1
> @40000000442c4d421a041284 tcpserver: ok 24468
> 0:202.174.137.19:25 :192.168.0.1::3393
> @40000000442c4d421a0429f4 tcpserver: end 24468 status
> 256
> @40000000442c4d421a0458d4 tcpserver: status: 19/20
> @40000000442c4d421a046c5c tcpserver: status: 20/20
> @40000000442c4d421a047fe4 tcpserver: pid 24469 from
> 192.168.0.1
> @40000000442c4d421a04936c tcpserver: ok 24469
> 0:202.174.137.19:25 :192.168.0.1::2435
> @40000000442c4d452cc0a464 tcpserver: end 23417 status
> 256
> @40000000442c4d452cc0bfbc tcpserver: status: 19/20
> @40000000442c4d452cc0d344 tcpserver: status: 20/20
> @40000000442c4d452cc0e6cc tcpserver: pid 24484 from
> 192.168.0.1
> @40000000442c4d452cc0fa54 tcpserver: ok 24484
> 0:202.174.137.19:25 :192.168.0.1::1671
>
>
> Above local ip is my local gateway IP. And moreover
> there is no valid user name or valid local IP from my
> subnet.
>
> So now how could I stop it?
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam
> protection around
> http://mail.yahoo.com

--
-----------------
Bob Hutchinson
Midwales dot com
-----------------
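
The search suggested in the reply above, as an added example that is not part of the original thread: it lists PHP files that call mail() and scripts named like formmail/mailform under a web root, then counts POST requests to each one in an access log. The web root layout, the combined log format, and every sample file and log line are constructed assumptions.

```shell
#!/bin/sh
# Added example. Paths, file names and log lines below are constructed samples.

# List PHP files that call mail(), plus any script named like formmail/mailform.
find_mail_scripts() {
    {
        grep -rlE --include='*.php' '(^|[^A-Za-z0-9_])mail[[:space:]]*\(' "$1" 2>/dev/null
        find "$1" -type f \( -iname '*formmail*' -o -iname '*mailform*' \) 2>/dev/null
    } | sort -u
}

# Print "<POST count> <url path>" for each candidate, busiest first.
# Assumes combined log format and that URL paths map directly onto the web root.
rank_by_posts() {
    find_mail_scripts "$1" | while IFS= read -r file; do
        path=${file#"$1"}
        count=$(awk -v p="$path" '$6 == "\"POST" { u = $7; sub(/\?.*/, "", u); if (u == p) n++ }
                                  END { print n + 0 }' "$2")
        printf '%s %s\n' "$count" "$path"
    done | sort -rn
}

# Build a constructed web root and access log under a temp dir; print the dir.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/www/contact" "$d/www/cgi-bin" || return 1
    printf '%s\n' '<?php mail($_POST["to"], $_POST["subj"], $_POST["body"]); ?>' > "$d/www/contact/send.php"
    printf '%s\n' '<?php echo "no email here"; ?>' > "$d/www/index.php"
    printf '%s\n' '#!/usr/bin/perl' > "$d/www/cgi-bin/FormMail.pl"
    {
        echo '203.0.113.9 - - [31/Mar/2006:03:16:10 +0600] "POST /contact/send.php HTTP/1.0" 200 120 "-" "-"'
        echo '203.0.113.9 - - [31/Mar/2006:03:16:11 +0600] "POST /contact/send.php HTTP/1.0" 200 120 "-" "-"'
        echo '203.0.113.9 - - [31/Mar/2006:03:16:13 +0600] "POST /contact/send.php?x=1 HTTP/1.0" 200 120 "-" "-"'
        echo '198.51.100.4 - - [31/Mar/2006:03:17:02 +0600] "GET /index.php HTTP/1.1" 200 900 "-" "-"'
        echo '198.51.100.4 - - [31/Mar/2006:03:18:40 +0600] "POST /cgi-bin/FormMail.pl HTTP/1.1" 200 300 "-" "-"'
    } > "$d/access.log"
    echo "$d"
}

sample=$(make_sample)
rank_by_posts "$sample/www" "$sample/access.log"
rm -rf "$sample"
```

A script near the top of the ranking whose POST times line up with the bursts in qmail-queue.log is the first one to read and lock down.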
