Sendmail / php spam problem

[Jorem]

I think there is a leak in one of the mailforms on the server. Last night the server send around 500.000 spam emails form my server using sendmail and I think the send mail() function from php.

Everytime I shutdown sendmail it stops. As soon as I activate Sendmail again the loads rizes and spam mails are send form the server.

How can I fins out which script is the one with the leak?

I use CentOS 4.4 with ISPConfig and this is a part of the maillog:

Jun 20 13:09:43 joremserver postfix/smtp[12908]: connect to f.mx.mail.yahoo.com[209.191.88.247]: read timeout (port 25)

Jun 20 13:09:45 joremserver postfix/smtp[12639]: connect to f.mx.mail.yahoo.com[68.142.202.247]: read timeout (port 25)

Jun 20 13:09:46 joremserver postfix/smtp[12639]: connect to b.mx.mail.yahoo.com[66.196.97.250]: server refused to talk to me: 421 Message from (85.92.128.10) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (port 25)

Jun 20 13:09:46 joremserver postfix/smtp[12639]: connect to e.mx.mail.yahoo.com[216.39.53.1]: server refused to talk to me: 421 Message from (85.92.128.10) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (port 25)

Jun 20 13:09:46 joremserver postfix/smtp[12639]: connect to g.mx.mail.yahoo.com[209.191.88.239]: server refused to talk to me: 421 Message from (85.92.128.10) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (port 25)

Jun 20 13:09:49 joremserver postfix/smtpd[15563]: connect from omr-d24.mx.aol.com[205.188.249.68]

Jun 20 13:09:51 joremserver postfix/smtpd[15563]: 0753D1000006: client=omr-d24.mx.aol.com[205.188.249.68]

Jun 20 13:09:51 joremserver postfix/cleanup[17166]: 0753D1000006: message-id=<200706201109.l5KB9eIE008475@omr-d24.mx.aol.com>

Jun 20 13:10:04 joremserver postfix/smtp[12908]: connect to b.mx.mail.yahoo.com[66.196.97.250]: server refused to talk to me: 421 Message from (85.92.128.10) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (port 25)

Jun 20 13:10:04 joremserver postfix/smtp[12760]: connect to d.mx.mail.yahoo.com[216.39.53.2]: read timeout (port 25)

Jun 20 13:10:05 joremserver postfix/smtp[12760]: E54BD1000047: to=<johnwayneluver_03@yahoo.com>, relay=g.mx.mail.yahoo.com[206.190.53.191], delay=332, status=sent (250 ok dirdel)

Jun 20 13:10:05 joremserver postfix/qmgr[7586]: warning: qmgr_active_done_3_generic: remove E54BD1000047 from active: No such file or directory

Jun 20 13:10:07 joremserver postfix/smtp[12639]: 7C7AC100005E: to=<oseojeahere@yahoo.com>, relay=c.mx.mail.yahoo.com[68.142.237.182], delay=662, status=deferred (host c.mx.mail.yahoo.com[68.142.237.182] said: 421 Message temporarily deferred - 4.16.51. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (in reply to end of DATA command))

Jun 20 13:10:07 joremserver postfix/qmgr[7586]: warning: qmgr_active_corrupt: save corrupt file queue active id 7C7AC100005E: No such file or directory

Thanks for your help.

[Jorem]

Is there maybe some kind of mailfiltering for sendmail before the email is sent?

All the spam mails are then deleted before they are sent. Sounds great, but is this possible?

[Hans]

You mention Sendmail, but i guess you're using Postfix as your MTA.
You can check if your postfix que with:

PHP Code: mailq

and release or delete them with the postsuper command

PHP Code:
postsuper -r *QUEUE ID* (for releasing one)
postsuper -r ALL (for releasing ALL)
postsuper -d *QUEUE ID* (for deleting one)
postsuper -d ALL (for deleting ALL)

You must try to find the insecure webform and make it more secure!
Probably the messages are sent by using the user www-data (on Debian).
If you are using suPHP, it is more easy to locate the form, as the php-scripts are executed my the administrator user/group of the website.

[Jorem]

Thanks for the help Hans,

I did the commands yesterday and the que is empty now. I also thought that Postfix did the email. But when I shutdown sendmail no mail is sended anymore and the server load goes down. The moment I start sendmail it is about 5 minutes and the load goes up again.

That's why I thought it had something to do with sendmail.

I use CentOS and in the maillogs I can't see where they are sent from. On another forum I read about the X-Tracker for the mailheaders. That worked great on Debian, but not on CentOS. With the php patch every mail header has the info of the user and script it is send from.

Now it is going to be a never ending search I'm afraid. (zoeken naar een speld in een hooiberg zoals wij dat zeggen). Or is there also such a script for CentOS maybe? I found: http://www.webhostgear.com/232.html
But I did not get it to work.