Difference between revisions of "Spam"

From Atomicorp Wiki
Latest revision as of 09:38, 27 July 2011

Finding the source of spam

1) Set up atomic archive

wget -q -O - http://www.atomicorp.com/installers/atomic.sh |sh

2) Install qmhandle

yum install qmhandle

If you installed qmhandle correctly it will be installed here:

/usr/bin/qmhandle.pl

If it's not there, check your RPM database to make sure you installed it and see where it is installed on your system:

 rpm -ql qmhandle

If you do not get any results from this command, you did not install our RPM.

If you did install our rpm your output should look like this:

 /usr/bin/qmhandle.pl
 /usr/share/doc/qmhandle-1.3.2
 /usr/share/doc/qmhandle-1.3.2/HISTORY
 /usr/share/doc/qmhandle-1.3.2/README

If you installed a third party rpm of qmhandle, you'll need to contact that rpm maintainer for assistance, or remove their rpm and install ours.

3) List messages

/usr/bin/qmhandle.pl -l

4) Find a spam message number, and dump its contents

/usr/bin/qmhandle.pl -m<MESSAGE NUMBER> |less
ex: qmhandle.pl -m5245547 |less

5) Identify the UID sending the message. Look for "invoked by uid"

ex: Received: (qmail 12392 invoked by uid 48); 4 Jul 2007 09:35:34 -0400

6) Identify who the user ID belongs to.

 grep 48 /etc/passwd

7) If the userid maps to apache, then the source is a web application (PHP, Ruby, mod_perl).

If you are using PHP 5.2.5 or above from Atomic, setting the following in php.ini adds a header to each message that tells you which web application (script) was used to send the spam:

 mail.add_x_header = On

More information on PHP mail logging is available here: http://php.net/manual/en/mail.configuration.php

If the userid is popuser, then the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job.
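Steps 5 through 7 can be scripted so the same checks are applied to every queued message. The following is an added example and not part of this wiki page; the message and passwd excerpts are constructed samples, and the X-PHP-Originating-Script header is the one PHP emits when mail.add_x_header is on.

```python
import re
from typing import Optional

# Constructed sample: the top of a queue message as qmhandle.pl -m would dump it.
SAMPLE_MESSAGE = """Received: (qmail 12392 invoked by uid 48); 4 Jul 2007 09:35:34 -0400
X-PHP-Originating-Script: 48:sendmail.php
From: nobody@example.invalid
Subject: hello

body
"""

# Constructed /etc/passwd excerpt (on a real host, read the file instead).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
popuser:x:110:100:POP User:/var/qmail/popuser:/bin/false
bob:x:1048:1048::/home/bob:/bin/bash
"""

UID_RE = re.compile(r"invoked by uid (\d+)")
PHP_RE = re.compile(r"^X-PHP-Originating-Script:\s*(\d+):(.+)$", re.M)


def invoking_uid(message: str) -> Optional[int]:
    """Step 5: the UID from the first 'invoked by uid N' Received header."""
    m = UID_RE.search(message)
    return int(m.group(1)) if m else None


def uid_to_user(uid: int, passwd_text: str) -> Optional[str]:
    """Step 6: resolve a UID by comparing the passwd UID field exactly,
    so uid 48 does not also match uid 1048 or a GID of 48 (as 'grep 48' would)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return None


def classify_source(user: Optional[str], message: str) -> str:
    """Step 7: map the owning user to the likely spam source."""
    if user == "apache":
        m = PHP_RE.search(message)  # present when mail.add_x_header is on
        if m:
            return f"web application (PHP script: {m.group(2).strip()})"
        return "web application (PHP, Ruby, mod_perl)"
    if user == "popuser":
        return "compromised smtp_auth account"
    if user is None:
        return "unknown uid (not in passwd)"
    return f"user account '{user}': compromised cgi-bin/suexec app or cron job"


def trace_spam(message: str, passwd_text: str) -> dict:
    uid = invoking_uid(message)
    user = uid_to_user(uid, passwd_text) if uid is not None else None
    return {"uid": uid, "user": user, "source": classify_source(user, message)}
```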
