Full Version: 27 thousand messages in the queue and climbing
The Planet Forums > Control Panels > cPanel/WHM
DigiCrime
ACK! I got a spammer on my server but I'm having a hard time tracking it down. I didn't notice it till about an hour ago. They all have the same pattern, but the only problem is I can't find the account responsible for it

19hRi4-0003Ts-Cl-H
root 0 0

1059474480 0
-helo_name smtp0432.mail.yahoo.com -host_address 211.158.xxx.xxx -host_auth fixed_login
-interface_address xxx.xxx.xxx.xxx
-received_protocol asmtp
-body_linecount 1
-auth_id test
-deliver_firsttime
-host_lookup_failed
XX
1
yael_magnotta@hotmail.com
192P Received: from [211.158.xxx.xxx] (helo=smtp0432.mail.yahoo.com)
by myhostname.com with asmtp (Exim 4.20)
id 19hRi4-0003Ts-Cl
for yael_magnotta@hotmail.com; Tue, 29 Jul 2003 06:28:00 -0400
036 Date: Tue, 29 Jul 2003 10:27:46 GMT
033F From: "Milidia" 014 X-Priority: 3
030T To: yael_magnotta@hotmail.com
037 Subject: Lose Weight Without Dieting
018 Mime-Version: 1.0
042 Content-Type: text/html; charset=us-ascii
032 Content-Transfer-Encoding: 7bit
049I Message-Id:


and the message. There's a link in the message to be removed. I got on the website and contacted the phone number, but it's been disabled and turned off. BAH! Pain in the @#!@#!@#!.
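The spool header file quoted above (the `-H` file) already carries the answer to "which account": the `-auth_id` and `-host_auth` lines record the SMTP AUTH identity and authenticator the message was accepted under, and `-host_address` the submitting IP. The following script is an added example, not code from the original thread or from Exim; it parses that `-H` format and counts queued messages per AUTH id and source host, grouping messages that carry no `-auth_id` as unauthenticated. The sample spool headers are constructed from the redacted one above (with a second, unauthenticated one derived from it); the `exim -Mvh <id>` command mentioned in the usage note is Exim's own way to print a message's spool header.

```python
"""Parse Exim 4 spool header (-H) files and summarise which SMTP AUTH
identity and source host the queued messages were accepted under."""
import re
import sys
from collections import Counter

# Constructed sample modelled on the redacted -H file quoted in the thread
# (not a real message; addresses kept as xxx).
SAMPLE_H = """19hRi4-0003Ts-Cl-H
root 0 0
<>
1059474480 0
-helo_name smtp0432.mail.yahoo.com
-host_address 211.158.xxx.xxx
-host_auth fixed_login
-interface_address xxx.xxx.xxx.xxx
-received_protocol asmtp
-body_linecount 1
-auth_id test
-deliver_firsttime
-host_lookup_failed
XX
1
yael_magnotta@hotmail.com

192P Received: from [211.158.xxx.xxx] (helo=smtp0432.mail.yahoo.com)
\tby myhostname.com with asmtp (Exim 4.20)
\tid 19hRi4-0003Ts-Cl
\tfor yael_magnotta@hotmail.com; Tue, 29 Jul 2003 06:28:00 -0400
036  Date: Tue, 29 Jul 2003 10:27:46 GMT
033F From: "Milidia"
014  X-Priority: 3
030T To: yael_magnotta@hotmail.com
037  Subject: Lose Weight Without Dieting
"""

# Second constructed sample: same message shape, but accepted without SMTP AUTH
# from another (redacted) host, to exercise the "no -auth_id" case.
SAMPLE_H_UNAUTH = (SAMPLE_H.replace("19hRi4-0003Ts-Cl", "19hRi5-0003Tt-Dm")
                           .replace("-host_auth fixed_login\n", "")
                           .replace("-auth_id test\n", "")
                           .replace("211.158.xxx.xxx", "10.0.0.xxx"))

OPTION_RE = re.compile(r"^-(\w+)(?:\s+(.*))?$")          # "-auth_id test", "-deliver_firsttime"
HEADER_RE = re.compile(r"^(\d+)([A-Z*]?)\s+(.*)$")       # "192P Received: ..." (length, flag, text)


def parse_spool_header(text):
    """Return a dict with message id, envelope sender, -options, recipients and headers."""
    lines = text.splitlines()
    first = lines[0]
    msg = {
        "id": first[:-2] if first.endswith("-H") else first,
        "sender": lines[2].strip("<>"),
        "options": {},
        "recipients": [],
        "headers": [],
    }
    # Option lines start at line 5 and each begins with "-"; a bare flag maps to True.
    i = 4
    while i < len(lines) and lines[i].startswith("-"):
        m = OPTION_RE.match(lines[i])
        msg["options"][m.group(1)] = m.group(2) if m.group(2) is not None else True
        i += 1
    # Skip the non-recipient tree ("XX" here) until the recipient count line.
    while i < len(lines) and not lines[i].isdigit():
        i += 1
    count = int(lines[i])
    i += 1
    msg["recipients"] = lines[i:i + count]
    i += count
    while i < len(lines) and lines[i] == "":
        i += 1
    # Header lines: "<len><flag> Name: value"; indented lines continue the previous header.
    current = None
    for line in lines[i:]:
        m = HEADER_RE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            current = {"flag": m.group(2), "name": name.strip(), "value": value.strip()}
            msg["headers"].append(current)
        elif current is not None and line[:1] in (" ", "\t"):
            current["value"] += " " + line.strip()
    return msg


def account_summary(spool_texts):
    """Count messages by (auth id, authenticator, submitting host).
    Messages accepted without SMTP AUTH are grouped under '<unauthenticated>'."""
    counts = Counter()
    for text in spool_texts:
        opts = parse_spool_header(text)["options"]
        key = (opts.get("auth_id", "<unauthenticated>"),
               opts.get("host_auth", "-"),
               opts.get("host_address", "?"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # Feed real -H files as arguments; with none, summarise the constructed samples.
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]]
    texts = texts or [SAMPLE_H, SAMPLE_H, SAMPLE_H_UNAUTH]
    for (auth_id, authenticator, host), n in account_summary(texts).most_common():
        print(f"{n:6d}  auth_id={auth_id}  via={authenticator}  host={host}")
```

On a live box you would run it over the queue's spool header files (for example the `*-H` files under Exim's spool input directory, or the output of `exim -Mvh <id>` for each queued id); the top row of the summary is the account, or the unauthenticated source IP, that is feeding the queue, which is what the `-auth_id test` line in the quoted header reveals for this thread.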
Mahmoud
try:

grep smtp0432.mail.yahoo.com /var/log/exim_mainlog

print out the results here..
DigiCrime
Nothing came back, ain't much in the mainlog

-rw-r----- 1 mailnull mail 53645 Jul 31 09:09 exim_mainlog
Mahmoud
QUOTE
Originally posted by DigiCrime
Nothing came back, ain't much in the mainlog

-rw-r-----    1 mailnull mail        53645 Jul 31 09:09 exim_mainlog


hmm .. These are old emails?

try
grep IPADDRESSHERE /var/log/maillog

It should bring you which POP account this IP address checks. (for auth of sending emails)
DigiCrime
Nothing there either, I said I was having a hard time tracking this down. The queue got higher.. I ain't about to say how many are in there now :eek:
faldran
Do you have a test account setup with the username "test"?

Looking at this line:
-auth_id test


You should check for any type of formmail scripts on the username "test" if you have that on your server.
DigiCrime
Sure enough there is: test.com with the username test, but in the home directory and other directories there's nothing in there at all.. I didn't even catch that one..... What now?
faldran
I personally would delete that account..


Could be using the test account email to send it.. from the looks of it.. But whatever way, I would delete it.
DigiCrime
hmm yea I will, however if they're on our servers, they have to be using a form script somewhere or an email account to be doing this.. that's what I'm trying to find out: which account is doing this. There's been no activity on that domain/account at all
faldran
Grep the mail logs with that username, and see if it's all been SMTP they have been using..

From the one example you have, it looks like they are using SMTP, on the test account, to send the mail. (All they've got to do is put the IP address as the host, and the test account's username with the password (assuming they have the password at this point).) Fairly easy way to send it. Usually people are looking for a formmail script.


Another thing you can do is change passwords for the email accounts on that account.. (and most likely that account itself)
DigiCrime
root@hostname [/var/log]# grep user=test maillog
Jul 31 14:31:58 hostname imapd[26078]: Authenticated user=test domain=??? host=loca
lhost [127.0.0.1]
Jul 31 14:31:58 hostname imapd[26078]: Logout user=test domain=??? host=localhost [
127.0.0.1]
Jul 31 14:35:00 hostname imapd[26442]: Authenticated user=test domain=??? host=loca
lhost [127.0.0.1]
Jul 31 14:35:01 hostname imapd[26442]: Logout user=test domain=??? host=localhost [
127.0.0.1]
Jul 31 14:35:10 hostname imapd[26492]: Authenticated user=test domain=??? host=loca
lhost [127.0.0.1]
Jul 31 14:35:11 hostname imapd[26492]: Logout user=test domain=??? host=localhost [
127.0.0.1]

Only thing I could find.