Difference between revisions of "Spam"

From Atomicorp Wiki
Jump to: navigation, search
m
Line 6: Line 6:
 
2) Install qmhandle
 
2) Install qmhandle
 
  yum install qmhandle
 
  yum install qmhandle
 +
 +
If you installed qmhandle correctly it will be installed here:
 +
 +
/usr/bin/qmhandle.pl
  
 
3) List messages
 
3) List messages
  qmhandle.pl -l
+
 
 +
  /usr/bin/qmhandle.pl -l
  
 
4) Find a spam message number, and dump its contents
 
4) Find a spam message number, and dump its contents
  qmhandle.pl -m<MESSAGE NUMBER> |less
+
  /usr/bin/qmhandle.pl -m<MESSAGE NUMBER> |less
 
  ex: qmhandle.pl -m5245547 |less
 
  ex: qmhandle.pl -m5245547 |less
  

Revision as of 15:54, 21 July 2010

Finding the source of spam

1) Set up atomic archive

wget -q -O - http://www.atomicorp.com/installers/atomic.sh |sh

2) Install qmhandle

yum install qmhandle

If you installed qmhandle correctly it will be installed here:

/usr/bin/qmhandle.pl

3) List messages

/usr/bin/qmhandle.pl -l

4) Find a spam message number, and dump its contents

/usr/bin/qmhandle.pl -m<MESSAGE NUMBER> |less
ex: qmhandle.pl -m5245547 |less

5) Identify the UID sending the message. Look for "invoked by uid"

ex: Received: (qmail 12392 invoked by uid 48); 4 Jul 2007 09:35:34 -0400

6) Identify who the user ID belongs to.

 grep 48 /etc/passwd

7) If the userid maps to apache, then the source is a web application, php, ruby, mod_perl. If the userid is popuser, the the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job.

Personal tools