HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


Happy 25th March 2013 12:15

Spam Mail
 
My mail server is on the blacklist and I figured it was a client that might be causing the issue. However, since the office was closed this past weekend and all PCs were turned off, I am now thinking that maybe the mail server has been compromised. Is there a way to tell? I pulled a lot of the mail logs last week and saw nothing strange, but I'm not sure what I am looking for other than a bogus user.

markc 25th March 2013 13:22

I find the 2 most common causes for outgoing spam are compromised passwords via phishing spams or brute-forced POP scans, and insecure mail forms via a website. The 1st generally shows up as a lot of bounces returning to a user's Inbox, and then it's too late, but a forced password change prevents more injections; the 2nd can be detected by noticing a lot of outgoing SMTP connections sourced from your own webserver IPs. To catch the 2nd one sometimes I rename /usr/sbin/sendmail to sendmail.orig and put in a shell script that logs the entire message and then calls sendmail.orig, and that will reveal ongoing PHP/web-sourced outgoing spam.

These points may be obvious to you, but it may help.
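The sendmail wrapper markc describes, written out as an added example (not code from the thread): it records who called sendmail, from where and with what arguments, keeps the whole message, then passes it on to the real binary. The paths /usr/sbin/sendmail.orig and /var/log/sendmail-trace.log are assumptions, overridable through the SENDMAIL_ORIG and SENDMAIL_TRACE_LOG variables; the parent-process lookup assumes Linux /proc.

```shell
#!/bin/sh
# Logging stand-in for /usr/sbin/sendmail. The real binary is assumed to have
# been moved to /usr/sbin/sendmail.orig; that path and the log location are
# assumptions and can be overridden with SENDMAIL_ORIG / SENDMAIL_TRACE_LOG.

# Record caller uid, pid/ppid, working directory, arguments and the complete
# message, then hand the message to the real sendmail unchanged and return its
# exit status so PHP or any other caller sees no difference.
log_and_send() {
    real="${SENDMAIL_ORIG:-/usr/sbin/sendmail.orig}"
    log="${SENDMAIL_TRACE_LOG:-/var/log/sendmail-trace.log}"
    tmp=$(mktemp) || return 1
    cat > "$tmp"                              # whole message arrives on stdin
    {
        printf '=== begin %s uid=%s pid=%s ppid=%s cwd=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -u)" "$$" "$PPID" "$PWD"
        printf 'args: %s\n' "$*"
        # On Linux the parent's command line names the web server / PHP process
        if [ -r "/proc/$PPID/cmdline" ]; then
            printf 'parent: '; tr '\0' ' ' < "/proc/$PPID/cmdline"; printf '\n'
        fi
        cat "$tmp"
        printf '=== end\n'
    } >> "$log"
    "$real" "$@" < "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Number of messages recorded so far; a sudden jump is the first hint that a
# form on the box is being abused.
count_logged_messages() {
    log="${SENDMAIL_TRACE_LOG:-/var/log/sendmail-trace.log}"
    [ -f "$log" ] || { echo 0; return; }
    grep -c '^=== begin ' "$log" || true
}

# Messages per calling directory, busiest first: the cwd of a PHP mail() call
# is normally the directory of the script, so this points at the guilty form.
senders_by_cwd() {
    log="${SENDMAIL_TRACE_LOG:-/var/log/sendmail-trace.log}"
    grep '^=== begin ' "$log" | sed 's/.* cwd=//' | sort | uniq -c | sort -rn
}

# Act as sendmail only when invoked under that name; sourcing the file just
# defines the functions above.
case "$(basename "$0")" in
    sendmail) log_and_send "$@" ;;
esac
```

Install it as /usr/sbin/sendmail with the same owner and mode the original had, and keep the log readable only by root since it contains full message bodies.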

