Difference between revisions of "Spam"

From Atomicorp Wiki
Revision as of 16:57, 21 July 2010

Finding the source of spam

1) Set up atomic archive

wget -q -O - http://www.atomicorp.com/installers/atomic.sh |sh

2) Install qmhandle

yum install qmhandle

If you installed qmhandle correctly it will be installed here:

/usr/bin/qmhandle.pl

If it's not there, check your RPM database to make sure you installed it and check to see where it is installed on your system:

rpm -ql qmhandle

If you do not get any results from this command, you did not install our RPM.

If you did install our rpm your output should look like this:

/usr/bin/qmhandle.pl
/usr/share/doc/qmhandle-1.3.2
/usr/share/doc/qmhandle-1.3.2/HISTORY
/usr/share/doc/qmhandle-1.3.2/README

If you installed a third party rpm of qmhandle, you'll need to contact that rpm maintainer for assistance, or remove their rpm and install ours.

3) List messages

/usr/bin/qmhandle.pl -l

4) Find a spam message number, and dump its contents

/usr/bin/qmhandle.pl -m<MESSAGE NUMBER> |less
ex: qmhandle.pl -m5245547 |less

5) Identify the UID sending the message. Look for "invoked by uid"

ex: Received: (qmail 12392 invoked by uid 48); 4 Jul 2007 09:35:34 -0400

6) Identify who the user ID belongs to.

grep 48 /etc/passwd

7) If the userid maps to apache, then the source is a web application (php, ruby, mod_perl). If the userid is popuser, then the source is a compromised smtp_auth account. If the userid maps to a user account, then this is a compromised cgi-bin application, or some other application that uses suexec. It could also indicate a cron job.
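As an added example (not from the wiki or from qmhandle itself), the following POSIX shell script automates steps 5 to 7 for one dumped message: it extracts the uid from the "invoked by uid" Received: header, resolves it with an exact match on the uid field of a passwd file, and classifies the likely origin. The message and passwd contents are constructed samples; on a real host you would feed it the output of qmhandle.pl -m and the contents of /etc/passwd.

```shell
#!/bin/sh
# Added example: locate the sending uid of a queued qmail message and
# classify its origin as described in step 7 of the procedure.

# Constructed sample message, modelled on the wiki's example header line.
SAMPLE_MSG='Received: (qmail 12392 invoked by uid 48); 4 Jul 2007 09:35:34 -0400
Received: (qmail 12391 invoked from network); 4 Jul 2007 09:35:33 -0400
From: someone@example.com
Subject: constructed sample'

# Constructed passwd excerpt (on a real system, pass the contents of /etc/passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
popuser:x:110:31:POP User:/var/qmail/popuser:/bin/true
bob:x:500:500:Bob:/home/bob:/bin/bash'

# Print the uid from the first "invoked by uid N" Received: header, if any.
invoked_uid() {
    printf '%s\n' "$1" \
        | sed -n 's/^Received: (qmail [0-9]* invoked by uid \([0-9]*\)).*/\1/p' \
        | head -n 1
}

# Map a numeric uid to a username with an exact match on field 3.
# A plain "grep 48 /etc/passwd" would also match 148, 480, or a home directory
# containing "48"; matching the uid field avoids those false hits.
uid_to_name() {
    printf '%s\n' "$2" | awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# Classify the owning account per step 7.
classify_origin() {
    case "$1" in
        apache)  echo "web application (php, ruby, mod_perl)" ;;
        popuser) echo "compromised smtp_auth account" ;;
        '')      echo "unknown uid (not in passwd file)" ;;
        *)       echo "user account: cgi-bin/suexec application or cron job" ;;
    esac
}

# Walk the three steps for the constructed message.
uid=$(invoked_uid "$SAMPLE_MSG")
name=$(uid_to_name "$uid" "$SAMPLE_PASSWD")
echo "uid=$uid user=$name origin: $(classify_origin "$name")"
```

To run it against a real queued message, replace SAMPLE_MSG with `$(/usr/bin/qmhandle.pl -m<MESSAGE NUMBER>)` and SAMPLE_PASSWD with `$(cat /etc/passwd)`.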
