Difference between revisions of "Spam"
| (4 intermediate revisions by one user not shown) | |||
| Line 6: | Line 6: | ||
2) Install qmhandle | 2) Install qmhandle | ||
yum install qmhandle | yum install qmhandle | ||
| + | |||
| + | If you installed qmhandle correctly it will be installed here: | ||
| + | |||
| + | /usr/bin/qmhandle.pl | ||
| + | |||
| + | If its not there, check your RPM database to make sure you installed it and check to see where it is installed on your system: | ||
| + | |||
| + | rpm -ql qmhandle | ||
| + | |||
| + | If you do not get any results from this command, you did not install our RPM. | ||
| + | |||
| + | If you did install our rpm your output should look like this: | ||
| + | |||
| + | /usr/bin/qmhandle.pl | ||
| + | /usr/share/doc/qmhandle-1.3.2 | ||
| + | /usr/share/doc/qmhandle-1.3.2/HISTORY | ||
| + | /usr/share/doc/qmhandle-1.3.2/README | ||
| + | |||
| + | If you installed a third party rpm of qmhandle, you'll need to contact that rpm maintainer for assistance, or remove their rpm and install ours. | ||
3) List messages | 3) List messages | ||
| − | qmhandle.pl -l | + | |
| + | /usr/bin/qmhandle.pl -l | ||
4) Find a spam message number, and dump its contents | 4) Find a spam message number, and dump its contents | ||
| − | qmhandle.pl -m<MESSAGE NUMBER> |less | + | /usr/bin/qmhandle.pl -m<MESSAGE NUMBER> |less |
ex: qmhandle.pl -m5245547 |less | ex: qmhandle.pl -m5245547 |less | ||
| Line 20: | Line 40: | ||
grep 48 /etc/passwd | grep 48 /etc/passwd | ||
| − | 7) If the userid maps to apache, then the source is a web application, php, ruby, mod_perl. If the userid is popuser, the the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job. | + | 7) If the userid maps to apache, then the source is a web application, php, ruby, mod_perl. |
| + | |||
| + | If you are using PHP 5.2.5 from atomic or above, then the message headers will contain a header that will tell you which web application was used to send the spam by setting the following in php.ini | ||
| + | |||
| + | mail.add_x_header on | ||
| + | |||
| + | More information on PHP mail logging is available here: http://php.net/manual/en/mail.configuration.php | ||
| + | |||
| + | If the userid is popuser, the the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job. | ||
Latest revision as of 10:38, 27 July 2011
Finding the source of spam
1) Set up atomic archive
wget -q -O - http://www.atomicorp.com/installers/atomic.sh |sh
2) Install qmhandle
yum install qmhandle
If you installed qmhandle correctly it will be installed here:
/usr/bin/qmhandle.pl
If its not there, check your RPM database to make sure you installed it and check to see where it is installed on your system:
rpm -ql qmhandle
If you do not get any results from this command, you did not install our RPM.
If you did install our rpm your output should look like this:
/usr/bin/qmhandle.pl /usr/share/doc/qmhandle-1.3.2 /usr/share/doc/qmhandle-1.3.2/HISTORY /usr/share/doc/qmhandle-1.3.2/README
If you installed a third party rpm of qmhandle, you'll need to contact that rpm maintainer for assistance, or remove their rpm and install ours.
3) List messages
/usr/bin/qmhandle.pl -l
4) Find a spam message number, and dump its contents
/usr/bin/qmhandle.pl -m<MESSAGE NUMBER> |less ex: qmhandle.pl -m5245547 |less
5) Identify the UID sending the message. Look for "invoked by uid"
ex: Received: (qmail 12392 invoked by uid 48); 4 Jul 2007 09:35:34 -0400
6) Identify who the user ID belongs to.
grep 48 /etc/passwd
7) If the userid maps to apache, then the source is a web application, php, ruby, mod_perl.
If you are using PHP 5.2.5 from atomic or above, then the message headers will contain a header that will tell you which web application was used to send the spam by setting the following in php.ini
mail.add_x_header on
More information on PHP mail logging is available here: http://php.net/manual/en/mail.configuration.php
If the userid is popuser, the the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job.
