On Sep 27, 2005, at 9:52 AM, Clayton Weise wrote:
I know this is way off topic, but there are a lot of really smart people
on this list so I'm hoping to get some ideas here.  I've got a web
server that has some kind of formmail-esque script that is being
horribly abused but I can't find it.  The server (shut down qmail-send
on it for now) is spewing out messages by the hundreds, if not
thousands, and I can't seem to center down on which site has the
offending script. Again, it's pretty off topic but I'm just looking for
some help here... please.

Assuming you're running VirtualHosts with apache, here's what I've done in a similar situation.

If your directory structure works for this, you can look at all of the access logs for your virtual hosts:

ls -l */*/logs/access_log

Run it once, and dump to a file. Run it again a few minutes later and dump to a file. Do a diff -u on the file and you'll only see sites getting hits. Look for the ones with fast-growing log files, and then manually examine those logs. Note that you might need to look at the error_log as well, as there might be a script that generates an error yet still sends the email.

If your directory structure isn't organized well enough to find all the access_log files, you'll have to write a script that goes through your apache configuration files looking for the TransferLog (or ErrorLog) setting, and check the size of the log.

Another quick idea is to run `locate formmail` and `locate FormMail` to spot some quick possibilities.

Good luck.

Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/

Reply via email to