- Joined
- Feb 3, 2005
- Messages
- 654
- Reaction score
- 1
While tracking a a nobody Spamer, watching your exim_mainlog doesn't exactly help, you see th email going out but you can't track from which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.
If you check out your PHP.ini file you'll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built in mail(); function for PHP - so everything will go through /usr/sbin/sendmail
Turn off exim while we do this so it doesn't freak out.
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
Create the spam monitoring script for the new sendmail.
Paste in the following:
Change the new sendmail permissions
Create a new log file to keep a history of all mail going out of the server using web scripts
Start Exim up again.
Monitor your spam_log file for spam, try using any formmail or script that uses a mail function - a message board, a contact script.
Sample Log Output
Notes:
Your spam_log file isn't set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.
You may also want to chattr + i /usr/sbin/sendmail so it doesn't get overwritten.
Enjoy knowing you can see nobody is actually somebody
-- This Article was first published in www.linuxjunkies.in ---
If you check out your PHP.ini file you'll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built in mail(); function for PHP - so everything will go through /usr/sbin/sendmail
Turn off exim while we do this so it doesn't freak out.
Code:
/etc/init.d/exim stop
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
Code:
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden
Create the spam monitoring script for the new sendmail.
Code:
vi /usr/sbin/sendmail
Paste in the following:
Code:
#!/usr/local/bin/perl
# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n";
}
else {
print INFO "$date - $PWD - @infon";
}
my $mailprog = '/usr/sbin/sendmail.hidden';
foreach (@ARGV) {
$arg="$arg" . " $_";
}
open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!n";
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);
Change the new sendmail permissions
Code:
chmod +x /usr/sbin/sendmail
Create a new log file to keep a history of all mail going out of the server using web scripts
Code:
touch /var/log/spam_log
chmod 0777 /var/log/spam_log
Start Exim up again.
Code:
/etc/init.d/exim start
Monitor your spam_log file for spam, try using any formmail or script that uses a mail function - a message board, a contact script.
Code:
tail - f /var/log/spam_log
Sample Log Output
Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99 Nobody / /sbin/nologin
Notes:
Your spam_log file isn't set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.
You may also want to chattr + i /usr/sbin/sendmail so it doesn't get overwritten.
Enjoy knowing you can see nobody is actually somebody
-- This Article was first published in www.linuxjunkies.in ---