Spammers using my server

Miguel Koren O'Brien de Lacy miguelk at KONSULTEX.COM.BR
Fri Sep 24 22:16:31 IST 2004


Jay;

I had a similar problem last month; extremely frustrating. In my case I 
tracked it down to a configuration problem with Apache. I had the 
"ProxyPass" directive on and this let the spammers use apache as a route 
to sendmail.

Check for something like this in your apache log:

access_log:168.61.4.12 - - [08/Aug/2004:16:54:45 -0300] "POST http://168.61.5.196:25/ HTTP/1.0" 200 2027

Miguel

Kevin Spicer wrote:

>On Fri, 2004-09-24 at 21:16, Mike Kercher wrote:
>  
>
>>Jay Ehrhart wrote:
>>    
>>
>>>This morning I had over 7000 emails in my Linux server's outbound
>>>queue which I deleted.  My firewall log shows over 20,000 emails went
>>>out with a SunTrust bank announce saying to login and enter your
>>>username and password.
>>>I do not see the emails coming in like I would in a relay.  How can I
>>>stop this or how are they doing this?
>>>
>>>My firewall uses an SMTP proxy and only allows my domain in.  I run
>>>MailScanner on my Red Hat 3.0 mail server with Sendmail.  The box has
>>>the latest patches from Red Hat.  I have Sendmail set up to accept
>>>only my domain email.
>>>
>>>The non-deliverable reports are coming from my Linux apache user.
>>>Non-deliverables usually come from root.  I am running apache on the
>>>server with forms.  The forms software is the latest version and
>>>patches.
>>>
>>>Can anybody help on this?
>>>
>>>Thanks,
>>>Jay
>>>      
>>>
>>I would certainly look at the configuration of that form processor!  I'd
>>take it out of service until you figure out how to secure it.  I'd also look
>>for other form processors on the system that maybe YOU didn't install.
>>
>>    
>>
>
>And, if your ssh port is public make sure that the apache account
>doesn't have a working login (with perhaps an easy to guess password).
>There are spammers out there running programs to guess common usernames
>and passwords in an attempt to grab accounts for spam sending.
>
>It's worth auditing home directories for scripts etc. (look for hidden
>directories) - also worthwhile mounting /home noexec unless you need the
>exec capability in /home.
>
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

-- 
This message was checked by the antivirus system and
 is believed to be free of danger.

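The access_log line Miguel quotes is the fingerprint of Apache acting as an open forward proxy: the request target is an absolute URL with an explicit port 25 rather than a plain path, and the 200 status shows Apache forwarded the request to an SMTP listener instead of refusing it. The script below is an added example, not code from the list or from any of the posters, that scans Apache common-log lines for proxy-style requests (absolute-URI targets and CONNECT host:port targets), flags mail ports, and counts the source addresses whose requests were actually relayed. The sample log lines are constructed for the example: the first reproduces Miguel's line, the others use documentation-range addresses.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/(?P<ver>[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# absolute-form target: scheme://host[:port]/...  (what a forward proxy receives)
ABS_URI_RE = re.compile(
    r'^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>\[[^\]]+\]|[^/:]+)(?::(?P<port>\d+))?',
    re.I,
)
# CONNECT target: host:port
CONNECT_RE = re.compile(r'^(?P<host>[^:]+):(?P<port>\d+)$')

MAIL_PORTS = {25, 465, 587}

# Constructed sample log. Line 1 is the line from Miguel's message (without the
# "access_log:" grep prefix); the rest are made up with documentation addresses.
SAMPLE_LOG = [
    '168.61.4.12 - - [08/Aug/2004:16:54:45 -0300] "POST http://168.61.5.196:25/ HTTP/1.0" 200 2027',
    '198.51.100.7 - - [08/Aug/2004:16:55:10 -0300] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [08/Aug/2004:17:01:02 -0300] "CONNECT 192.0.2.10:25 HTTP/1.1" 403 291',
    '203.0.113.9 - - [08/Aug/2004:17:03:30 -0300] "GET http://example.com/ HTTP/1.0" 200 512',
]


def parse_line(line):
    """Split one common-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def proxy_target(method, target):
    """Return (host, port) if the request line is a forward-proxy request, else None."""
    if method == 'CONNECT':
        m = CONNECT_RE.match(target)
        return (m.group('host'), int(m.group('port'))) if m else None
    m = ABS_URI_RE.match(target)
    if not m:
        return None  # origin-form ("/path"): an ordinary request to this server
    port = m.group('port')
    if port is None:
        port = 443 if m.group('scheme').lower() == 'https' else 80
    return m.group('host'), int(port)


def find_proxy_abuse(lines):
    """Return one finding per proxy-style request, noting mail ports and whether it was relayed."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tgt = proxy_target(rec['method'], rec['target'])
        if tgt is None:
            continue
        host, port = tgt
        findings.append({
            'src': rec['host'],
            'dst': host,
            'port': port,
            'method': rec['method'],
            'status': rec['status'],
            'relayed': rec['status'] < 400,  # 2xx/3xx: Apache forwarded it; 4xx/5xx: refused
            'smtp': port in MAIL_PORTS,
        })
    return findings


def relayed_smtp_sources(findings):
    """Count, per source address, the proxy requests to a mail port that Apache actually relayed."""
    return Counter(f['src'] for f in findings if f['smtp'] and f['relayed'])


if __name__ == '__main__':
    hits = find_proxy_abuse(SAMPLE_LOG)
    for h in hits:
        print(h)
    print('relayed SMTP by source:', dict(relayed_smtp_sources(hits)))
```

Run it over a real access_log by replacing SAMPLE_LOG with the file's lines; any finding at all means Apache answered a proxy-style request, and a finding with relayed set means it forwarded one. On the Apache side the thing to verify is that forward proxying is either off (ProxyRequests Off) or restricted by a <Proxy> access block; the log pattern above appears whichever directive opened the path.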



