Customer Script Spamming

Discussion in 'ISPConfig 3 Priority Support' started by jon, Feb 13, 2014.

  1. jon

    jon Member HowtoForge Supporter

    I've had some spam heading out of my hosting server. In the logs I see a lot of ...

    Feb 9 06:32:01 hosting postfix/qmgr[3489]: AC826A57: from=<[email protected]>, size=12217, nrcpt=1 (queue active)

    I know that web37 is the user for a customer's site; however, I'm not able to find out what is being used to send the spam.

    I *assume* that because web37 is sending the spam, that it is a web form (or similar) on that site being used. The Apache logs haven't shed any light on what though.

    Any help would be great, thanks in advance.
  2. sjau

    sjau Local Meanie Moderator

    Edit the corresponding php.ini and add/enable:

    mail.add_x_header = On
    mail.log = /var/log/phpmail.log
    That should help.

    (Don't forget to restart apache)
  3. jon

    jon Member HowtoForge Supporter

    Thank you very much, I have done that and will post my results.
  4. jon

    jon Member HowtoForge Supporter

    Looks like a bunch of spam just went through. I have nothing in /var/log/phpmail.log

    I did verify with phpinfo.php that I am editing the correct php.ini.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look at the mail content with the postcat command. If the spam is sent by a PHP script in website web37, which is very likely when web37 is the user, then you will find the name of the hacked script in the mail header.
  6. jon

    jon Member HowtoForge Supporter

    Excellent, I will try that. Thank you very much.
  7. jon

    jon Member HowtoForge Supporter

    I just wanted to follow up and say thanks. The spam started again and while it had already left the queue and I couldn't postcat it, I was able to see from the logs that Amavis had quarantined some of the messages and I checked the virusmails directory and found that information.
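
As an added example (not written by any poster in this thread, and not ISPConfig code): a short Python script that tallies the X-PHP-Originating-Script header, which PHP writes when mail.add_x_header is On, across saved messages such as quarantined copies or postcat dumps. The sample message, the uid 5037 and the script names are constructed.

```python
import gzip
import sys
from collections import Counter
from email import message_from_bytes
from pathlib import Path

HEADER = "X-PHP-Originating-Script"  # written by PHP when mail.add_x_header = On

# Constructed sample message; the uid, address and script names are made up.
SAMPLE = (
    b"Return-Path: <web37@hosting.example>\n"
    b"X-PHP-Originating-Script: 5037:contact.php\n"
    b"Subject: constructed sample\n"
    b"\n"
    b"X-PHP-Originating-Script: 0:decoy.php\n"  # body text, must not be counted
)

def read_message(path):
    """Return message bytes; quarantine files are sometimes gzip-compressed."""
    raw = Path(path).read_bytes()
    return gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw

def originating_scripts(raw):
    """Yield (uid, script) from the header block of a raw message or postcat dump."""
    marker = raw.find(b"*** MESSAGE CONTENTS")  # postcat prints envelope records first
    if marker != -1:
        raw = raw[marker:].split(b"\n", 1)[-1]
    # The email parser stops reading headers at the first blank line, so a
    # header-looking line inside the body is ignored.
    for value in message_from_bytes(raw).get_all(HEADER, []):
        uid, sep, script = str(value).strip().partition(":")  # value is "<uid>:<name>"
        if sep and uid.isdigit():
            yield int(uid), script.strip()

def tally(directory):
    """Count messages per (uid, script) over every file in a directory."""
    counts = Counter()
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            counts.update(set(originating_scripts(read_message(path))))
    return counts

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for (uid, script), n in tally(sys.argv[1]).most_common():
            print(f"{n:6d}  uid={uid}  {script}")
    else:
        print(list(originating_scripts(SAMPLE)))
```

The header carries only the script's base name, so the file itself still has to be located under the site's web root.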
