Spammer on my system

Charles Hatvany Charles at hatvany.com
Wed Mar 2 01:13:33 GMT 2005


Darek,

Thank you.  Found the bastard.  Same IP (83.102.146.162) 196 times to a guestbook.pl that isn't even used by the client's site.  Chmod 000 guestbook.pl should hold him.

Thanks again.

Charles

>>> Darek Milewski <darek at nyi.net> 03/01 5:49 PM >>>
Charles Hatvany wrote:

>Hi guys,
>
>This may not be the correct forum for this.  My apologies if this is the
>wrong place - could use direction.
>
>I have someone abusing one of our servers.  The mails "originate" with
>user "www".
>
>The log entry is like this:
>
>Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www,
>size=7430, class=0, nrcpts=200,
>msgid=<200503010119.j211J29r033993 at sixty.hatvany.com>, relay=www at localhost
>
>pxytest shows open proxies at port 25 and 587.  The apache config file has
>
><Directory proxy:*>
>        Order Deny,Allow
>        Deny from all
></Directory>
>
>If I reject relay for 127.0.0.1 - I stop him, but also all mail
>originating on the server and on our web mail.
>
>Any ideas of what I should look for/do?
>
>Charles Hatvany
>  
>

Most likely you have some type of a mailer script (like FormMail.pl) 
installed under Apache somewhere.  Happens all the time in a webhosting 
environment.  All you have to do is find it and disable it.  Could also 
be called contact, or something similar.  You might tail some access 
logs to look for frequent requests to a cgi file, or a php page.
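
The log check suggested above, as an added example that is not part of the original thread: a shell function that counts requests per client IP and script path in an Apache access log and lists the busiest pairs. It assumes common/combined log format; the function names, the default threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count requests per (client IP, script path) in an Apache
# access log and list the pairs at or above a threshold.
# Assumes common/combined log format: field 1 = client IP, field 7 = URL.

# top_script_hits LOGFILE [MIN_HITS]
# Prints "count ip path" lines, busiest first, for .pl/.cgi/.php requests.
top_script_hits() {
    log=$1
    min=${2:-50}                               # assumed default threshold
    awk -v min="$min" '
        {
            path = $7
            sub(/\?.*/, "", path)              # drop the query string
            if (path ~ /\.(pl|cgi|php)$/)      # script endpoints only
                hits[$1 " " path]++
        }
        END {
            for (k in hits)
                if (hits[k] >= min)
                    print hits[k], k
        }
    ' "$log" | sort -k1,1nr -k2
}

# Constructed sample log (not from the original post): one client hammering
# a guestbook script, plus ordinary traffic from another client.
make_sample_log() {
    out=$1
    : > "$out"
    i=0
    while [ "$i" -lt 60 ]; do
        printf '%s - - [28/Feb/2005:20:19:%02d -0500] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512\n' \
            203.0.113.7 "$i" >> "$out"
        i=$((i + 1))
    done
    printf '%s - - [28/Feb/2005:20:20:01 -0500] "GET /index.html HTTP/1.1" 200 1043\n' 198.51.100.4 >> "$out"
    printf '%s - - [28/Feb/2005:20:20:05 -0500] "GET /contact.php?id=3 HTTP/1.1" 200 880\n' 198.51.100.4 >> "$out"
}

# Run against a real log when a path is given: sh script.sh LOGFILE [MIN_HITS]
if [ -n "${1:-}" ]; then
    top_script_hits "$@"
fi
```

A script that shows up here with a high count from a single address, especially one the site does not link to, is the candidate to disable; matching its request times against the sendmail `from=www` entries confirms it.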




