Finding the Spammer


KrazyBob

We have just received our first report from SpamCop and spent hours trying to find the spammer on one of our servers. We never did conclusively locate the spammer and had to look at patterns and IPs. I'll admit that I am green when it comes to this part of hosting.

Let me just ask: is there a proven method (or close to it) that would allow us to find which site on a shared host is actually spamming? We use Linux Fedora and Ensim 4.0. We've done a grep on message IDs, and all it shows is that a message (or messages) was sent. If it was sent through localhost, it doesn't say which site.

I hate spam and take complaints about spammers seriously. Not only are they a blight for those of us on the internet, but they financially damage my business as well. Any and all suggestions on tracing spammers would be greatly appreciated!


You may want to look into the preferences for whatever is being used to generate messages and make sure that every process that can generate a message tracks it back to the process (site) which created the message.


We are actually suspecting a cross-server script exploit. We have (had) a new customer running Blade Runner, and it is known for being hackable. The problem is that on a Fedora / Ensim box a script sends as localhost. It doesn't log the actual sender. It is an issue that is being worked on, but that doesn't help me know. When I grep the mail ID I get this:

[root[at]donner log]# cat maillog | grep "i71K5XfB009855"

Aug 1 13:07:06 donner sendmail[9855]: i71K5XfB009855: from=<accusalhotter[at]att.net>, size=859, class=0, nrcpts=1, msgid=<200408012007.i71K5XfB009855[at]donner.anywherehost.net>, proto=ESMTP, daemon=MTA, relay=[222.183.16.239]

Aug 1 13:07:06 donner sendmail[18163]: i71K5XfB009855: to=<jwhitlow[at]mail.com>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=30859, relay=mail-com.mr.outblaze.com. [205.158.62.26], dsn=2.0.0, stat=Sent (Ok: queued as 111A3534CF)

We aren't an open relay and require AUTH before sending. Is there anything in here that might lead me closer to the actual sender?

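One way to do the correlation the poster is attempting by hand: group sendmail maillog lines by queue ID, then read the relay= field of each message's from= line to see where it entered the MTA. This is an added example, not code from the thread or from SpamCop; the first two log lines are the ones quoted above (with the forum's [at] obfuscation left in), and the third message is a constructed, hypothetical local submission that assumes sendmail's relay=user@localhost logging for mail handed in by a local process.

```python
"""Correlate sendmail maillog lines by queue ID and classify where each message was injected."""
import re
from collections import defaultdict

# Constructed input: the two lines quoted in the thread plus a hypothetical
# local submission (the user "apache" and the recipient are placeholders).
SAMPLE_LOG = """\
Aug 1 13:07:06 donner sendmail[9855]: i71K5XfB009855: from=<accusalhotter[at]att.net>, size=859, class=0, nrcpts=1, msgid=<200408012007.i71K5XfB009855[at]donner.anywherehost.net>, proto=ESMTP, daemon=MTA, relay=[222.183.16.239]
Aug 1 13:07:06 donner sendmail[18163]: i71K5XfB009855: to=<jwhitlow[at]mail.com>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=30859, relay=mail-com.mr.outblaze.com. [205.158.62.26], dsn=2.0.0, stat=Sent (Ok: queued as 111A3534CF)
Aug 1 13:09:41 donner sendmail[9901]: i71K9fAB009901: from=<nobody[at]donner.anywherehost.net>, size=1200, class=0, nrcpts=1, msgid=<200408012009.i71K9fAB009901[at]donner.anywherehost.net>, relay=apache@localhost
Aug 1 13:09:41 donner sendmail[9903]: i71K9fAB009901: to=<victim[at]example.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31200, relay=mx.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
# key=value pairs; angle-bracketed values may contain commas-free text, others run to the next comma
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+)")

def parse_maillog(text):
    """Return {queue_id: {'from': fields_of_from_line, 'to': [fields_of_each_to_line]}}."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a sendmail envelope line
        fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group("rest"))}
        if "from" in fields:
            msgs[m.group("qid")]["from"] = fields
        elif "to" in fields:
            msgs[m.group("qid")]["to"].append(fields)
    return dict(msgs)

def classify_origin(from_fields):
    """Classify the injection point from the from= line's relay= field.
    ('local-user', uid): sendmail recorded the submitting Unix user, which on a
      shared host points at the site whose processes run as that user.
    ('local-anonymous', None): only localhost/127.0.0.1 is logged, the case the
      thread describes; the web server access log at that timestamp is the next lead.
    ('remote', ip): a network client (authenticated relay or inbound mail)."""
    relay = from_fields.get("relay", "")
    if "@localhost" in relay:
        return "local-user", relay.split("@", 1)[0]
    if relay in ("localhost", "[127.0.0.1]", "localhost [127.0.0.1]"):
        return "local-anonymous", None
    ip = re.search(r"\[([\d.]+)\]", relay)
    return "remote", ip.group(1) if ip else relay

def origins_by_qid(text):
    """Map each queue ID with a from= line to its (kind, detail) classification."""
    return {qid: classify_origin(msg["from"])
            for qid, msg in parse_maillog(text).items() if msg["from"]}

if __name__ == "__main__":
    for qid, (kind, detail) in origins_by_qid(SAMPLE_LOG).items():
        print(f"{qid}: {kind} {detail or ''}")
```

For the thread's message the relay is an external address, so the sender reached the MTA over the network (after AUTH, per the poster) rather than from a local script, and the authentication log rather than the web server is where to look next.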

We didn't knowingly run a script with known issues. It was a brand new customer - as has always been the case with a spammer. We have removed the site and the spammer has moved on. I'd still love to learn the tricks of tracking these better to create a solid record.
