[BlueOnyx:01516] Re: Slammed with Spammer

Rodrigo Ordonez Licona rodrigo at xnet.com.mx
Sat Jun 27 14:07:31 PET 2009


Get a copy of one of the emails before deleting your mail queue.

Look for the headers and find the originating IP/IPs, time of delivery and
mailbox used (might show the mailbox you should block/delete).

If apache at yourserver.com is the culprit then you should look for a php
script within your websites (take into account that it might also be inside
the users' web folders).


Search /var/log/maillog for more clues at the time of the email delivery

Look for smtp auth entries at the time of the spamming.

If apache is the culprit you will have to dive into
/var/log/httpd/access_log and error_log.

Look at the time of the spamming and search for php scripts. There is a
c99.php script that we have found more than once.


HTH

Rodrigo O
Xnet

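As an added illustration of the "look for smtp auth entries" step (not part of the original post, and not BlueOnyx's own tooling), the script below groups sendmail AUTH=server entries from a constructed /var/log/maillog sample by authenticated account, listing the client IPs and the number of logins per minute so a burst-relaying account stands out. The hostnames, queue IDs, user names and addresses in the sample are made up; the line layout follows sendmail's AUTH=server logging.

```python
import re
from collections import defaultdict

# Constructed sample in the style of sendmail "AUTH=server" entries in
# /var/log/maillog (hosts, queue IDs, names and addresses are made up).
SAMPLE_MAILLOG = """\
Jun 27 11:02:13 bo sendmail[4101]: n5RG2Dxx004101: AUTH=server, relay=[203.0.113.10], authid=steve, mech=LOGIN, bits=0
Jun 27 11:02:14 bo sendmail[4102]: n5RG2Exx004102: AUTH=server, relay=[203.0.113.10], authid=steve, mech=LOGIN, bits=0
Jun 27 11:02:15 bo sendmail[4103]: n5RG2Fxx004103: AUTH=server, relay=[203.0.113.11], authid=steve, mech=LOGIN, bits=0
Jun 27 11:03:01 bo sendmail[4110]: n5RG31xx004110: AUTH=server, relay=[198.51.100.7], authid=alice, mech=PLAIN, bits=0
Jun 27 11:04:45 bo sendmail[4120]: n5RG4jxx004120: from=<bob@example.org>, size=512, class=0, nrcpts=1
"""

# Capture the timestamp to the minute, the relay (client) field and the authid.
AUTH_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d \S+ sendmail\[\d+\]: \S+: "
    r"AUTH=server, relay=(?P<relay>[^,]+), authid=(?P<user>[^,]+)"
)
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")  # relay may be "host [ip]" or "[ip]"


def summarize_auth(log_text):
    """Group SMTP AUTH successes by account: total logins, distinct client
    IPs, and how many logins landed in each minute."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "per_minute": defaultdict(int)})
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an AUTH line (from=/to= records and so on)
        ip_match = IP_RE.search(m.group("relay"))
        ip = ip_match.group(1) if ip_match else m.group("relay").strip()
        entry = summary[m.group("user")]
        entry["count"] += 1
        entry["ips"].add(ip)
        entry["per_minute"][m.group("minute")] += 1
    return summary


def suspect_accounts(summary, per_minute_threshold):
    """Accounts that authenticated at least per_minute_threshold times within
    one minute: the bursty pattern of a stolen password being used to relay."""
    return sorted(user for user, e in summary.items()
                  if max(e["per_minute"].values()) >= per_minute_threshold)


if __name__ == "__main__":
    s = summarize_auth(SAMPLE_MAILLOG)
    for user, e in s.items():
        print(user, e["count"], sorted(e["ips"]), dict(e["per_minute"]))
    print("suspects:", suspect_accounts(s, 3))
```

On a real box, feed it the maillog slice covering the spam burst and raise the threshold to match the observed rate (a few thousand messages an hour is dozens of logins a minute).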

-----Original Message-----
From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On
Behalf Of Charles Bowman
Sent: Saturday, 27 June 2009 12:03
To: blueonyx at blueonyx.it
Subject: [BlueOnyx:01515] Re: Slammed with Spammer

Check your secure logs:
#more /var/log/secure
Look for *lots* of connections, verifying the IP address will give you
anything obvious; i.e. Taiwanese IP logging-in.
Check the webspace for the user for any phishing scams & web back doors.
Check the rest of the box has not been compromised...

Cheers,
Charles

-----Original Message-----
From: blueonyx-bounces at blueonyx.it
[mailto:blueonyx-bounces at blueonyx.it]On Behalf Of Steve Davis
Sent: 27 June 2009 18:05
To: blueonyx at blueonyx.it
Subject: [BlueOnyx:01513] Slammed with Spammer
Importance: Low


Having an issue with an old enemy on a new BO box.

net.tw,
gov.tw
org.tw
net.tw
com.tw

take your pick.

Somehow, they must know one of the email userids and passwords on the box
and are sending 4000 - 5000 spams per hour into my mail queue.

I have turned off PopBeforeSMTP, so probably not sending email out.
Probably.

How do I tell which account is being used to connect?

Any other suggestion of course is always appreciated.

Steve





_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx
