Difference between revisions of "Spam"

From Atomicorp Wiki
Jump to: navigation, search
m
 
(3 intermediate revisions by one user not shown)
Line 10: Line 10:
  
 
  /usr/bin/qmhandle.pl
 
  /usr/bin/qmhandle.pl
 +
 +
If its not there, check your RPM database to make sure you installed it and check to see where it is installed on your system:
 +
 +
  rpm -ql qmhandle
 +
 +
If you do not get any results from this command, you did not install our RPM.
 +
 +
If you did install our rpm your output should look like this:
 +
 +
  /usr/bin/qmhandle.pl
 +
  /usr/share/doc/qmhandle-1.3.2
 +
  /usr/share/doc/qmhandle-1.3.2/HISTORY
 +
  /usr/share/doc/qmhandle-1.3.2/README
 +
 +
If you installed a third party rpm of qmhandle, you'll need to contact that rpm maintainer for assistance, or remove their rpm and install ours.
  
 
3) List messages
 
3) List messages
Line 25: Line 40:
 
   grep 48 /etc/passwd
 
   grep 48 /etc/passwd
  
7) If the userid maps to apache, then the source is a web application, php, ruby, mod_perl. If the userid is popuser, the the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job.
+
7) If the userid maps to apache, then the source is a web application, php, ruby, mod_perl.  
 +
 
 +
If you are using PHP 5.2.5 from atomic or above, then the message headers will contain a header that will tell you which web application was used to send the spam by setting the following in php.ini
 +
 
 +
  mail.add_x_header on
 +
 
 +
More information on PHP mail logging is available here: http://php.net/manual/en/mail.configuration.php
 +
 
 +
If the userid is popuser, the the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job.

Latest revision as of 09:38, 27 July 2011

Finding the source of spam

1) Set up atomic archive

wget -q -O - http://www.atomicorp.com/installers/atomic.sh |sh

2) Install qmhandle

yum install qmhandle

If you installed qmhandle correctly it will be installed here:

/usr/bin/qmhandle.pl

If its not there, check your RPM database to make sure you installed it and check to see where it is installed on your system:

 rpm -ql qmhandle

If you do not get any results from this command, you did not install our RPM.

If you did install our rpm your output should look like this:

 /usr/bin/qmhandle.pl
 /usr/share/doc/qmhandle-1.3.2
 /usr/share/doc/qmhandle-1.3.2/HISTORY
 /usr/share/doc/qmhandle-1.3.2/README

If you installed a third party rpm of qmhandle, you'll need to contact that rpm maintainer for assistance, or remove their rpm and install ours.

3) List messages

/usr/bin/qmhandle.pl -l

4) Find a spam message number, and dump its contents

/usr/bin/qmhandle.pl -m<MESSAGE NUMBER> |less
ex: qmhandle.pl -m5245547 |less

5) Identify the UID sending the message. Look for "invoked by uid"

ex: Received: (qmail 12392 invoked by uid 48); 4 Jul 2007 09:35:34 -0400

6) Identify who the user ID belongs to.

 grep 48 /etc/passwd

7) If the userid maps to apache, then the source is a web application, php, ruby, mod_perl.

If you are using PHP 5.2.5 from atomic or above, then the message headers will contain a header that will tell you which web application was used to send the spam by setting the following in php.ini

 mail.add_x_header on

More information on PHP mail logging is available here: http://php.net/manual/en/mail.configuration.php

If the userid is popuser, the the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job.

Personal tools