[TriLUG] system inexplicably sending spam

Blackburn, Marvin mblackburn at glenraven.com
Sun Dec 2 15:52:53 EST 2007


This sounds all very familiar. Thank you

-----Original Message-----
From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On Behalf
Of Steve Hoffman
Sent: Sunday, December 02, 2007 2:44 PM
To: Triangle Linux Users Group General Discussion
Subject: Re: [TriLUG] system inexplicably sending spam

I ran a server that hosted a website with a "contact us" form.  The issue
turned out to be header injection of the form in one case...the developers
fixed that and later I found that someone had taken the source of the page,
created a local copy and simply posted their spam message with injections
directly to our server...I put in a PHP page that intercepted all messages and
filtered out any that weren't legit (i.e. no Bcc fields allowed, no Cc
fields allowed, only one recipient that was in a predefined list, etc.).

It was a bit tricky to track it all down, but ultimately the Apache logs shed
a lot of light on it (POSTs from the IP where the spam was originating) and
it was all confirmed with a Wireshark trace as to exactly what was
happening.

HTH
Steve

On Dec 2, 2007 2:17 PM, Blackburn, Marvin <mblackburn at glenraven.com> wrote:

> We have a server that does not allow incoming SMTP traffic into it from
> the outside.  We have a sendmail running on RHEL 3 update 7 with the latest
> sendmail available through Red Hat.
> In addition, sendmail is configured only to accept email from the local
> host: 127.0.0.1.  Late Friday, the system started sending spam via
> sendmail.
> The only connections from outside that are allowed are through http and
> https (ports 80 and 443).  We cannot determine what is generating the
> email.
> We can see it being sent, but can't determine the process that's
> responsible.
>
> Any help would be appreciated in finding what might be causing it.  This
> server is a web server.
>
> _____________________________________
> "He's no failure. He's not dead yet."
> William Lloyd George
-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
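Steve's fix (an interceptor that drops any form submission with Cc/Bcc fields, line breaks in header fields, or a recipient outside a predefined list) and his detective work (counting POSTs to the form per source IP in the Apache access log) can both be illustrated in one place. The block below is an added example, not Steve's PHP page or anything from the original thread; it is written in Python rather than PHP, and the allow-list addresses, the field names, the `/contact.php` path, the threshold and the sample log lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed allow-list: the only addresses the contact form may deliver to.
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}

# A raw CR/LF, or a percent-encoded one that survived decoding, lets a submitter
# start a new mail header (the classic "Bcc:" injection described in the thread).
HEADER_INJECTION = re.compile(r"[\r\n]|%0[ad]", re.IGNORECASE)

# A line in the message body that looks like a Cc/Bcc header.
BODY_HEADER = re.compile(r"^\s*(bcc|cc)\s*:", re.IGNORECASE | re.MULTILINE)


def validate_submission(fields):
    """Return the reasons a contact-form submission must be rejected (empty list = legit)."""
    problems = []
    to = fields.get("to", "")
    # Exactly one recipient, and it must come from the predefined list.
    if to.lower() not in ALLOWED_RECIPIENTS:
        problems.append("recipient not in allow-list")
    if "," in to or ";" in to:
        problems.append("multiple recipients")
    # Anything that ends up in a header line may not contain a line break.
    for name in ("from", "subject", "to", "name"):
        if HEADER_INJECTION.search(fields.get(name, "")):
            problems.append(f"line break in header field '{name}'")
    # Explicit Cc/Bcc form fields are never accepted, whatever their content.
    for name in fields:
        if name.lower() in ("cc", "bcc"):
            problems.append(f"forbidden field '{name}'")
    # A header-looking line at the start of the body is the same trick in disguise.
    if BODY_HEADER.search(fields.get("message", "")):
        problems.append("header-like line in message body")
    return problems


# Apache common log format: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def suspect_posters(log_lines, form_path="/contact.php", threshold=3):
    """Count POSTs to the form handler per source IP; return IPs at or over threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group("method") == "POST" and m.group("path") == form_path:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed access-log excerpt: one client hammering the form, one normal visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [30/Nov/2007:23:41:02 -0500] "POST /contact.php HTTP/1.1" 200 512
198.51.100.4 - - [30/Nov/2007:23:41:10 -0500] "GET /index.html HTTP/1.1" 200 2048
203.0.113.9 - - [30/Nov/2007:23:41:11 -0500] "POST /contact.php HTTP/1.1" 200 512
203.0.113.9 - - [30/Nov/2007:23:41:12 -0500] "POST /contact.php HTTP/1.1" 200 512
198.51.100.4 - - [30/Nov/2007:23:45:00 -0500] "POST /contact.php HTTP/1.1" 200 512
""".splitlines()


if __name__ == "__main__":
    legit = {"to": "sales@example.com", "from": "bob@example.net",
             "subject": "Hello", "message": "Hi there"}
    injected = {"to": "sales@example.com", "from": "bob@example.net",
                "subject": "Hello\r\nBcc: victim@example.org", "message": "x"}
    print("legit   :", validate_submission(legit))
    print("injected:", validate_submission(injected))
    print("suspects:", suspect_posters(SAMPLE_LOG))
```

The validator rejects rather than sanitizes: stripping line breaks out of a field and sending anyway still lets a remote poster use the form as a relay, whereas refusing the submission and logging the source IP produces exactly the trail in the access log that the second function then summarizes.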
