Hello, I currently have a spammer using my server to send out spam. I have already started to change all the email passwords on the server - and will be changing them all this week to better passwords. However - I'd like to find out who/where/what this spammer is and how they managed to do this. Has anyone had any experience tracking down this type of thing? The Server is a Linux server running Qmail. Thank you,
rederick, Your best idea would be to hire a security administrator, your system (or a script on it) is exploited. Changing your passwords will not help.
As David said, something has been exploited. If you are unaware of what it is, I would suggest you go through all the web software you have installed and make sure they are all at the latest versions at the very least. If you go through the mail log file, you might be able to work out what is sending the emails (i.e. if it's the same user as Apache you would be inclined to think it's a web script, if it's a system user, something on the system, etc.). If you don't think you can work it out, hiring a Sec Admin to check things out is good if you can afford it.
Qmail has a bug with open relay which causes people to use your server as a spam bot. Also put an SPF record for every domain you own on the server.
There are so many variables as to the cause, it is hard to say without looking, but here is a quick ramble of thoughts.

Start with http://www.abuse.net/relay.html and test for an open relay. Look at the mail messages being sent; sometimes they may contain some valuable info on determining how/what is actually sending them, meaning is it a vulnerable script, or has someone broken into your machine.

You may consider downloading rkhunter - http://www.rootkit.nl/downloads/ - it provides some valuable insight into your machine's state. A common occurrence with a spamming machine is a hacked machine, so check for hidden files. A mechanism used to hide files is using spaces in the filenames, so when I am fixing a hacked machine, I use the 'locate' command to help me find files like: 'locate \. \ ' or 'locate \ \ '. Look for suspicious files in /dev/shm, /tmp and /var/tmp.

Use 'netstat -ntpl' and look at the port/program mapping to ensure nothing is out of the ordinary. A common trick is to mask a program with the process name 'httpd'; however, it may be listening on a non-standard port and may actually be a backdoor.

Also, I am not aware of a qmail bug, but it could be misconfiguration. -- Nick
Try taking a look at the current email log and see if there's a mass amount coming from one user, or if you've got cPanel you can look at the mail queue and get all the details there.
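Two of the checks suggested above (Nick's hidden-files-with-spaces tip and the per-user mail-log count), scripted as an added example that is not from any of the posts. It assumes qmail-send log lines of the usual `from <addr> qp N uid N` form; the log path and the directories to scan are yours to supply.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes qmail-send log lines like:
#   info msg 1234: bytes 567 from <user@example.com> qp 890 uid 33
# Run as: find_space_names /tmp /var/tmp /dev/shm ; top_senders /path/to/qmail-send.log

# 1. List files whose names contain a space (the hiding trick mentioned above).
#    Each path is printed in double quotes so blank-looking names are visible.
find_space_names() {
    # "$@" = directories to inspect; permission errors are silenced
    find "$@" -name '* *' 2>/dev/null | sed 's/.*/"&"/'
}

# 2. Count qmail-send "from <...>" lines per sender address and uid, most
#    frequent first, so one account or the web-server uid pushing a mass of
#    mail stands out.
top_senders() {
    # $1 = qmail-send log file
    sed -n 's/.*from <\([^>]*\)> qp [0-9]* uid \([0-9]*\).*/\1 uid=\2/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Constructed demonstration in a temp dir (sample data, not real logs).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp"
    : > "$d/tmp/legit.txt"
    : > "$d/tmp/ ."          # space followed by a dot
    : > "$d/tmp/  "          # two spaces
    echo "files with spaces in their names:"
    find_space_names "$d/tmp"
    log="$d/qmail-send.log"  # constructed log, not real data
    printf '%s\n' \
      'info msg 101: bytes 512 from <alice@example.com> qp 2001 uid 1001' \
      'info msg 102: bytes 9999 from <bounce@example.com> qp 2002 uid 33' \
      'info msg 103: bytes 9999 from <bounce@example.com> qp 2003 uid 33' \
      'info msg 104: bytes 9999 from <bounce@example.com> qp 2004 uid 33' \
      > "$log"
    echo "messages per sender/uid:"
    top_senders "$log"
    rm -rf "$d"
}

demo
```

A uid that belongs to the web server (Apache's user) at the top of the count points at a web script, as the second reply suggests; a regular mailbox uid points at a compromised account.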