Spammers using my server

Kevin Spicer kevins at BMRB.CO.UK
Fri Sep 24 21:56:45 IST 2004


On Fri, 2004-09-24 at 21:16, Mike Kercher wrote:
> Jay Ehrhart wrote:
> > This morning I had over 7000 emails in my Linux server's outbound
> > queue which I deleted.  My firewall log shows over 20,000 emails went
> > out with a SunTrust bank announce saying to login and enter your
> > username and password.
> > I do not see the emails coming in like I would in a relay.  How can I
> > stop this or how are they doing this?
> >
> > My firewall is using an SMTP proxy and only allows my domain in.  I run
> > MailScanner on my Red Hat 3.0 mail server with Sendmail.  The box has
> > the latest patches from Red Hat.  I have Sendmail set up to accept
> > only my domain email.
> >
> > The non-deliverable reports are coming from my Linux apache user.
> > Non-deliverables usually come from root.  I am running apache on the
> > server with forms.  The forms software is the latest version and
> > patches.
> >
> > Can anybody help on this?
> >
> > Thanks,
> > Jay
>
> I would certainly look at the configuration of that form processor!  I'd
> take it out of service until you figure out how to secure it.  I'd also look
> for other form processors on the system that maybe YOU didn't install.
>

And, if your ssh port is public make sure that the apache account
doesn't have a working login (with perhaps an easy to guess password).
There are spammers out there running programs to guess common usernames
and passwords in an attempt to grab accounts for spam sending.

It's worth auditing home directories for scripts etc. (look for hidden
directories) - also worthwhile mounting /home noexec unless you need the
exec capability in /home.




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
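
The three checks suggested in the reply above (login state of the apache account, hidden directories holding executables, noexec on /home), written out as an added example that is not part of the original message. The sample accounts, paths and mount lines are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# account_can_login PASSWD SHADOW USER: exit 0 if USER has a real shell and
# an unlocked password hash. SSH keys (authorized_keys) are not examined.
account_can_login() {
    pw=$(grep "^$3:" "$1") || return 1
    case "${pw##*:}" in */nologin|*/false) return 1 ;; esac
    sh=$(grep "^$3:" "$2") || return 1
    case "$(printf '%s\n' "$sh" | cut -d: -f2)" in '!'*|'*'*) return 1 ;; esac
    return 0
}

# home_is_noexec MOUNTS MOUNTPOINT: exit 0 if MOUNTPOINT carries noexec.
# MOUNTS is in /proc/mounts layout (device mountpoint fstype options ...).
home_is_noexec() {
    opts=$(awk -v m="$2" '$2 == m { o = $4 } END { print o }' "$1")
    case ",$opts," in *,noexec,*) return 0 ;; esac
    return 1
}

# hidden_exec_files ROOT: print owner-executable files under hidden directories.
hidden_exec_files() {
    find "$1" -mindepth 1 -type d -name '.*' -prune \
        -exec find {} -type f -perm -100 \; | sort
}

# make_sample DIR: write constructed sample data (not taken from the thread).
make_sample() {
    mkdir -p "$1/home/user1/.cache/.x"
    printf '%s\n' 'apache:x:48:48:Apache:/var/www:/bin/bash' \
        'ftp:x:14:50:FTP:/var/ftp:/bin/sh' \
        'mail:x:8:12:mail:/var/spool/mail:/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'apache:$1$constructed$hash:12000:0:99999:7:::' \
        'ftp:!!:12000:0:99999:7:::' 'mail:*:12000:0:99999:7:::' > "$1/shadow"
    printf '%s\n' '/dev/sda1 / ext3 rw 0 0' \
        '/dev/sda3 /home ext3 rw,nosuid,noexec 0 0' > "$1/mounts"
    printf '#!/bin/sh\n' > "$1/home/user1/.cache/.x/run.sh"
    chmod 700 "$1/home/user1/.cache/.x/run.sh"
    printf 'notes\n' > "$1/home/user1/.cache/readme"
}

d=$(mktemp -d) && make_sample "$d"
for u in apache ftp mail; do
    account_can_login "$d/passwd" "$d/shadow" "$u" \
        && echo "$u: password login possible" || echo "$u: no password login"
done
home_is_noexec "$d/mounts" /home && echo "/home: noexec" || echo "/home: exec allowed"
hidden_exec_files "$d/home"
rm -rf "$d"
```

On a live host the functions take /etc/passwd, /etc/shadow (readable by root) and /proc/mounts. noexec stops direct execution from /home but not a script handed to an interpreter, so the hidden-directory audit is still worth running.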