Bingo, that one did the trick. I didn't realize that qmail's sendmail
binary was calling on qmail-inject. After putting that wrapper in place
I was able to find some old cgi script that was being exploited and have
now disabled it. Again, thanks so much. This actually allowed me to
fix another nasty problem I was having on a different mail server where
customers would occasionally "bulk" mail a bunch of users and tracing
them down was typically very difficult. Now I'll be able to track this
much more easily, thanks so much!
From: Lars Uhlmann [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 27, 2005 12:00 PM
Subject: Re: [vchkpw] OT, but abuse related
On Tue, 27 Sep 2005 09:52:39 -0700
"Clayton Weise" <[EMAIL PROTECTED]> wrote:
> I know this is way off topic, but there are a lot of really smart
> people on this list so I'm hoping to get some ideas here. I've got a
> web server that has some kind of formmail-esque script that is being
> horribly abused but I can't find it. The server (shut down qmail-send
> on it for now) is spewing out messages by the hundreds, if not
> thousands, and I can't seem to center down on which site has the
> offending script. Again, it's pretty off topic but I'm just looking
> for some help here... please.
To get the path of the script that is sending mail you could do this:
Write a wrapper for qmail-inject. From within the wrapper you'll find
the path of the caller script in the environment variable $PWD (assuming
here is a wrapper example:
,-----[ qmail-inject.wrapper ]
| #! /bin/bash
| # Installed in place of $QMAILDIR/bin/qmail-inject. The real binary is
| # assumed to have been renamed to qmail-inject.orig (the post does not
| # show where TMPFILE and the original binary are defined).
| QMAILDIR="${QMAILDIR:-/var/qmail}"
| ORIG_INJECT="$QMAILDIR/bin/qmail-inject.orig"
| TMPFILE=$(mktemp /tmp/qmail-wrapper.XXXXXX) || exit 1
| RETURN_PATH="[EMAIL PROTECTED]"
| DATETIME=$(date "+%d.%m.%Y %H:%M:%S")
| # send desired information to myself
| # first the mail header
| echo "From: [EMAIL PROTECTED]" >"$TMPFILE"
| echo "To: [EMAIL PROTECTED]" >>"$TMPFILE"
| echo -ne "Subject: [$DATETIME] something meaningful\n\n" >>"$TMPFILE"
| # now the message body: $PWD is the working directory of the caller,
| # i.e. the directory of the script that injected the mail
| echo -e "PWD: $PWD\n" >>"$TMPFILE"
| echo -e "\n----- original e-mail below -----\n" >>"$TMPFILE"
| # save the original message for our mail and pass it on to the real
| # qmail-inject
| tee -a "$TMPFILE" | "$ORIG_INJECT" -f"$RETURN_PATH"
| # send the log mail
| "$ORIG_INJECT" <"$TMPFILE"
| rm -f "$TMPFILE"
| # local logging (the post is cut off after "command line"; logging the
| # invocation and the caller directory here is an assumption)
| /usr/bin/logger -p mail.info -t qmail-wrapper "command line: $0 $* PWD: $PWD"
`-----
Don't forget to change the symbolic link "/usr/sbin/sendmail" (normally
linked to "$QMAILDIR/bin/sendmail") to "$QMAILDIR/bin/qmail-inject". If
the link stays unchanged and the script uses "/usr/bin/sendmail",
>qmail-inject< is invoked by $QMAILDIR/bin/sendmail and therefore "$PWD"
will be equal to "$QMAILDIR/bin".
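Once the wrapper is in place, the log mails pile up quickly on a busy server. As an added example (not part of the thread, and not Lars's code), a small script that ranks the "PWD:" directories recorded in those log mails, assuming they are delivered to a Maildir; the directory at the top of the list is where to look for the abused script.

```shell
#!/bin/bash
# Rank the directories from which mail was injected, using the "PWD: <dir>"
# body line that the wrapper writes into every log mail.
# Assumption: the log mails sit in a Maildir (new/ and cur/), path given as $1.

rank_sender_dirs() {
  local maildir="$1"
  # -m1: only the wrapper's own PWD line per mail, not anything that the
  # appended original message might contain; -h: no file names in output.
  grep -h -m1 '^PWD: ' "$maildir"/new/* "$maildir"/cur/* 2>/dev/null \
    | sed 's/^PWD: //' | sort | uniq -c | sort -rn
}

# Only the most frequent directory, i.e. the likeliest home of the script.
top_sender_dir() {
  rank_sender_dirs "$1" | head -n1 | sed 's/^ *[0-9]* //'
}

# Constructed sample Maildir with three log mails, for a stand-alone run.
make_sample_maildir() {
  local d
  d=$(mktemp -d) || return 1
  mkdir -p "$d/new" "$d/cur"
  for i in 1 2; do
    printf 'From: wrapper\nSubject: [27.09.2005 12:00:00] log\n\nPWD: /var/www/site-a/cgi-bin\n\n----- original e-mail below -----\nPWD: decoy\n' \
      > "$d/new/$i.eml"
  done
  printf 'From: wrapper\nSubject: [27.09.2005 12:00:05] log\n\nPWD: /home/site-b/public_html\n' \
    > "$d/cur/3.eml"
  echo "$d"
}

# Usage: ./rank-senders.sh /path/to/Maildir
if [ -n "${1:-}" ]; then
  rank_sender_dirs "$1"
fi
```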