KrazyBob, posted August 3, 2004:
We have just received our first report from SpamCop and spent hours trying to find the spammer on one of our servers. We never did conclusively locate the spammer and had to look at patterns and IPs. I'll admit that I am green when it comes to this part of hosting. Let me just ask: is there a proven method (or close to it) that would allow us to find which site on a shared host is actually spamming? We use Linux Fedora and Ensim 4.0. We have done a grep on message IDs and all it shows is that a message (or messages) was sent. If it was through localhost it doesn't say which site. I hate spam and take complaints about spammers seriously. Not only are they a blight for those of us on the internet, but they financially damage my business as well. Any and all suggestions on tracing spammers would be greatly appreciated!
Merlyn, posted August 3, 2004:
You should have had some kind of timestamp in the Received headers in the report. That would narrow it down to the second.
Chris Parker, posted August 3, 2004:
You may want to look into the preferences for whatever is being used to generate messages and make sure that every process that can generate a message tracks it back to the process (site) which created the message.
KrazyBob, posted August 4, 2004:
We are actually suspecting a cross-server script exploit. We have (had) a new customer running Blade Runner and it is known for being hackable. The problem is that on a Fedora / Ensim box a script sends as localhost. It doesn't log the actual sender. It is an issue that is being worked on, but that doesn't help me know. When I grep the mail ID I get this:

[root[at]donner log]# cat maillog | grep "i71K5XfB009855"
Aug 1 13:07:06 donner sendmail[9855]: i71K5XfB009855: from=<accusalhotter[at]att.net>, size=859, class=0, nrcpts=1, msgid=<200408012007.i71K5XfB009855[at]donner.anywherehost.net>, proto=ESMTP, daemon=MTA, relay=[222.183.16.239]
Aug 1 13:07:06 donner sendmail[18163]: i71K5XfB009855: to=<jwhitlow[at]mail.com>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=30859, relay=mail-com.mr.outblaze.com. [205.158.62.26], dsn=2.0.0, stat=Sent (Ok: queued as 111A3534CF)

We aren't an open relay and require AUTH before sending. Is there anything in here that might lead me closer to the actual sender?
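The tracing step the thread is circling (take the timestamp from the complaint's Received header, find the sendmail queue ID accepted at that second, then read the relay= field of its from= line to see whether the message came in over SMTP from a remote client or was submitted by a local process such as a web script) as an added Python example; it is not code from the thread, uses constructed log lines modelled on the excerpt above with documentation addresses and IPs, and assumes the year 2004 since syslog stamps carry none:

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the maillog excerpt in the post; the
# addresses and IPs are documentation placeholders, not the original values.
SAMPLE_MAILLOG = """\
Aug  1 13:07:06 donner sendmail[9855]: i71K5XfB009855: from=<sender@example.net>, size=859, class=0, nrcpts=1, msgid=<200408012007.i71K5XfB009855@donner.example.net>, proto=ESMTP, daemon=MTA, relay=[192.0.2.77]
Aug  1 13:07:06 donner sendmail[18163]: i71K5XfB009855: to=<victim@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=30859, relay=mx.example.com. [198.51.100.5], dsn=2.0.0, stat=Sent (Ok: queued as 111A3534CF)
Aug  1 13:09:30 donner sendmail[9901]: i71K9UAB009901: from=<apache@localhost>, size=1200, class=0, nrcpts=1, msgid=<200408012009.i71K9UAB009901@donner.example.net>, relay=apache@localhost
Aug  1 13:09:31 donner sendmail[9903]: i71K9UAB009901: to=<other@example.org>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=31200, relay=mx.example.org. [203.0.113.9], dsn=2.0.0, stat=Sent (ok)
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\w+): (.*)$")
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|\[[^\]]*\]|[^,]*)")

def parse_stamp(stamp, year=2004):
    # syslog stamps carry no year; 2004 is assumed to match the post
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")

def parse_maillog(text, year=2004):
    """Group maillog lines by queue ID: time, sender and inbound relay from the
    from= line, every recipient from the to= lines."""
    records = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        stamp, qid, rest = m.groups()
        fields = dict(FIELD_RE.findall(rest))
        rec = records.setdefault(qid, {"time": None, "from": None, "relay_in": None, "to": []})
        if "from" in fields:
            rec["time"] = parse_stamp(stamp, year)
            rec["from"] = fields["from"].strip("<>")
            rec["relay_in"] = fields.get("relay", "").strip()
        elif "to" in fields:
            rec["to"].append(fields["to"].strip("<>"))
    return records

def classify_origin(rec):
    """relay=[ip] means the message arrived over SMTP from that client (with AUTH
    required, via some account's credential); relay=user@localhost means a local
    process, such as a web script, handed it to sendmail directly."""
    relay = rec["relay_in"] or ""
    if m := re.fullmatch(r"\[([\d.]+)\]", relay):
        return ("remote-smtp", m.group(1))
    if relay.endswith("localhost"):
        return ("local-process", relay)
    return ("unknown", relay)

def find_candidates(records, report_stamp, recipient=None, window_s=60):
    """Queue IDs accepted within window_s seconds of the complaint's Received
    timestamp (given here in syslog form), optionally narrowed by recipient."""
    target = parse_stamp(report_stamp)
    return sorted(qid for qid, rec in records.items()
                  if rec["time"] and abs(rec["time"] - target) <= timedelta(seconds=window_s)
                  and (recipient is None or recipient in rec["to"]))
```

For a remote-smtp hit on a server that requires AUTH, the next place to look is sendmail's own AUTH log line for the same queue ID, which records which account authenticated; a local-process hit points at the web server user, which is exactly the case where the thread notes Ensim does not record the originating site.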
Merlyn, posted August 4, 2004:
Looks to me like it just relayed mail from a chinanet server that is listed in Spamhaus. Which means, if I am right, they know a password for someone's account. Why would you run anything that has known problems?
KrazyBob, posted August 4, 2004:
We didn't knowingly run a script with known issues. It was a brand new customer, as has always been the case with a spammer. We have removed the site and the spammer has moved on. I'd still love to learn the tricks of tracking these better to create a solid record.
Merlyn, posted August 4, 2004:
Good luck...
This topic is now archived and is closed to further replies.