Bingo, that one did the trick.  I didn't realize that qmail's sendmail
binary was calling on qmail-inject.  After putting that wrapper in place
I was able to find some old cgi script that was being exploited and have
now disabled it.  Again, thanks so much.  This actually allowed me to
fix another nasty problem I was having on a different mail server where
customers would occasionally "bulk" mail a bunch of users and tracing
them down was typically very difficult.  Now I'll be able to track this
much easier, thanks so much!


-----Original Message-----
From: Lars Uhlmann [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 27, 2005 12:00 PM
Subject: Re: [vchkpw] OT, but abuse related

On Tue, 27 Sep 2005 09:52:39 -0700
"Clayton Weise" <[EMAIL PROTECTED]> wrote:

> I know this is way off topic, but there are a lot of really smart
> people on this list so I'm hoping to get some ideas here.  I've got a
> web server that has some kind of formmail-esque script that is being
> horribly abused but I can't find it.  The server (shut down qmail-send
> on it for now) is spewing out messages by the hundreds, if not
> thousands, and I can't seem to center down on which site has the
> offending script.  Again, it's pretty off topic but I'm just looking
> for some help here... please.

To get the path of the script whose sending mail you could do this:

Write a wrapper for qmail-inject. From within the wrapper you'll find
the path of the caller script in the environment variable $PWD (assuming

here is a wrapper example:

,-----[ qmail-inject.wrapper ]
| #! /bin/bash
| ORIG_INJECT=/var/qmail/bin/qmail-inject.djb_original
| TMPFILE=`tempfile`
| DATETIME=`date "+%d.%m.%Y %H:%M:%S"`
| # send desired information to myself
| # first the mail header
| echo -ne "Subject: [$DATETIME] something meaningful\n\n" >>$TMPFILE
| # now the message body
| echo -e "PWD: $PWD\n" >>$TMPFILE
| echo -e "\n----- original e-mail below -----\n" >>$TMPFILE
| # save the original message for our mail and pass ist on to the real
| # send the log mail
| rm -f $TMPFILE
| # local logging
| /usr/bin/logger -p -t qmail-wrapper "command line
parameters: $*"

Don't forget to change the symbolic link "/usr/sbin/sendmail" (normally
linked to "$QMAILDIR/bin/sendmail") to "$QMAILDIR/bin/qmail-inject". If
the link stays unchanged and the script uses "/usr/bin/sendmail" 
>qmail-inject< is invoked by $QMAILDIR/bin/sendmail and therefore "$PWD"
will be equal to "$QMAILDIR/bin".


Reply via email to