Difference between revisions of "Spam"

From Atomicorp Wiki
(New page: Finding the source of spam 1) Set up atomic archive wget -q -O - http://www.atomicorp.com/installers/atomic.sh |sh 2) Install qmhandle yum install qmhandle 3) List messages qmhandle.p...)
 
Line 8: Line 8:
  
 
3) List messages
 
3) List messages
qmhandle.pl -l
+
qmhandle.pl -l
  
 
4) Find a spam message number, and dump its contents
 
4) Find a spam message number, and dump its contents

Revision as of 09:57, 7 July 2007

Finding the source of spam

1) Set up atomic archive

wget -q -O - http://www.atomicorp.com/installers/atomic.sh |sh

2) Install qmhandle

yum install qmhandle

3) List messages

qmhandle.pl -l

4) Find a spam message number, and dump its contents

qmhandle.pl -m<MESSAGE NUMBER> |less
ex: qmhandle.pl -m5245547 |less

5) Identify the UID sending the message. Look for "invoked by uid"

ex: Received: (qmail 12392 invoked by uid 48); 4 Jul 2007 09:35:34 -0400

6) Identify who the user ID belongs to.

 awk -F: '$3 == 48' /etc/passwd

7) If the userid maps to apache, then the source is a web application (php, ruby, mod_perl). If the userid is popuser, then the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job.
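
Steps 5 to 7 combined into one filter, as an added example that is not part of the original wiki page. The function names, the passwd entries (including uid 110 for popuser and the site1 account with uid 10048) and the sample message are constructed assumptions; the Received line is the one shown in step 5.

```shell
#!/bin/sh
# Added example: steps 5-7 as a filter over one dumped message.

# Print every uid named in an "invoked by uid N" Received line on stdin.
invoking_uids() {
    sed -n 's/.*invoked by uid \([0-9][0-9]*\).*/\1/p'
}

# Map a uid to a login name by exact match on field 3 of a passwd file,
# so that uid 48 does not also match uid 10048 or gid 48.
uid_to_user() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# Apply the step 7 rules to a login name.
classify_user() {
    case "$1" in
        apache)  echo "web application (php, ruby, mod_perl)" ;;
        popuser) echo "compromised smtp_auth account" ;;
        "")      echo "uid not found in passwd file" ;;
        *)       echo "user account: cgi-bin or suexec application, or cron job" ;;
    esac
}

# Read a message dump on stdin; $1 is the passwd file (default /etc/passwd).
trace_message() {
    passwd_file="${1:-/etc/passwd}"
    invoking_uids | while read -r uid; do
        user=$(uid_to_user "$uid" "$passwd_file")
        printf 'uid=%s user=%s source=%s\n' "$uid" "${user:-?}" "$(classify_user "$user")"
    done
}

# Constructed sample data: a passwd file and one message header.
sample_passwd() {
    printf '%s\n' \
        'apache:x:48:48:Apache:/var/www:/sbin/nologin' \
        'popuser:x:110:31:POP3 user:/var/qmail/popuser:/sbin/nologin' \
        'site1:x:10048:2524::/var/www/vhosts/example.com:/bin/false'
}
sample_message() {
    printf '%s\n' \
        'Received: (qmail 12392 invoked by uid 48); 4 Jul 2007 09:35:34 -0400' \
        'Subject: constructed sample'
}

# Demo run against the constructed data.
tmp=$(mktemp)
sample_passwd > "$tmp"
sample_message | trace_message "$tmp"
rm -f "$tmp"
```

On a live system the dump from step 4 can be piped straight in: `qmhandle.pl -m<MESSAGE NUMBER> | trace_message`.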
