[Wylug-help] Help needed with trying to identify spammer

John Craven jc at ukzone.com
Tue Nov 8 21:00:56 UTC 2011


At 20:48 08/11/2011 +0000, you wrote:


>On 8 November 2011 19:47, John Craven <jc at ukzone.com> wrote:
>At 19:41 08/11/2011 +0000, you wrote:
>
>
>
>>On 8 November 2011 19:29, John Craven <jc at ukzone.com> wrote:
>>At 19:24 08/11/2011 +0000, you wrote:
>>John,
>>
>>
>>
>>
>>
>> >I have been notified that a spammer is sending mail through my server.
>> >I need help in finding out how this is happening.
>>
>>My server is running CentOS 5
>>hth...
>>First do your logs show evidence that these spams are originating from
>>your system or being relayed by your system?
>>
>>I don't know where to look ????
>>It has been suggested that I check my auth log, but I don't seem to have 
>>one.
>>Have you seen any blowback?  If you are being spoofed (or otherwise)
>>
>>No. I haven't had any returned mail.
>>you are very likely to see many non-delivery reports.
>>
>>Do you have a sample of an offending e-mail with the full headers?
>>
>>Email in previous email. Obviously "crossed in post".
>>What mailer (MTA) are you running?  exim, sendmail?
>>
>>I'm running SENDMAIL
>>Andrew
>>
>>
>>At first look that looks like it's coming from a script. Where is your 
>>website located?
>
>The server is located in Preston, Lancashire.
>
>I do run lots of scripts on the server, for different web sites (clients).
>Is there any way of identifying what kind of script, or better still, 
>which script.
>
>
>Actually I meant a URL ;)
>
>Client sites are difficult, but you can search the code for mail() 
>functions if it's php.

How would I do this ???


>You might also be able to check your sendmail logs for activity. Who 
>manages the server?
>
>s/

Sorry for misunderstanding.

I manage the server and I have around 30 web sites hosted of which I 
created around 15 of them.
My sendmail logs are very active since all the sites have their email on my 
server.
It would help if I knew what the times were that the offending email was sent.
Is there any way of identifying this info ???

John C





>--
>Twitter: @sfgreenwood
>"post-apocalyptic allen keys"

=================================================

   Check out our British Country Music Web Sites

         http://www.countrymusic.org.uk
         http://www.bcmi-radio.co.uk

   Over 300,000 visitors a week

=================================================
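
An added example, not part of the original thread: one way to carry out the two suggestions quoted above (search the PHP code for mail() calls, and check the sendmail log for activity from the web server). The function names, sample files and log lines are constructed; it assumes the web server runs as the user `apache` and that sendmail records local submissions as `from=USER, ... relay=USER@localhost`.

```bash
#!/bin/bash
# Added example (not from the thread): find PHP mail() callers and time-stamp
# mail handed to sendmail by the web server user. Sample data is constructed.

# Print file:line for each mail( call in *.php under a web root (GNU grep).
# Skips method calls ($x->mail) and longer names (send_mail).
find_php_mail_calls() {
    grep -rnE --include='*.php' '(^|[^A-Za-z0-9_>$])mail[[:space:]]*\(' "$1" |
        cut -d: -f1,2
}

# Print "Mon D HH:MM:SS queue-id" for each message submitted locally by the
# web user. Assumes the usual "from=USER, ... relay=USER@localhost" log line.
web_user_submissions() {
    local log=$1 user=${2:-apache}
    awk -v u="$user" '
        $0 ~ ("from=" u ",") && $0 ~ ("relay=" u "@localhost") {
            qid = $6; sub(/:$/, "", qid)
            print $1, $2, $3, qid
        }' "$log"
}

# Count those submissions per hour, busiest hour first.
submissions_per_hour() {
    web_user_submissions "$@" |
        awk '{ split($3, t, ":"); n[$1 " " $2 " " t[1] ":00"]++ }
             END { for (h in n) print n[h], h }' | sort -rn
}

# --- constructed demo data: two client sites and a short maillog ---
demo=$(mktemp -d)
mkdir -p "$demo/www/site_a" "$demo/www/site_b"
printf '<?php\n// contact form\nmail($to, $subject, $body);\n' > "$demo/www/site_a/contact.php"
printf '<?php @mail($_POST["to"], "hi", $msg);\n'               > "$demo/www/site_b/form.php"
printf '<?php\n$mailer->mail($x);\nsend_mail($y);\n'            > "$demo/www/site_b/lib.php"
cat > "$demo/maillog" <<'EOF'
Nov  8 19:02:11 web1 sendmail[2101]: pA8J2BqK002101: from=apache, size=812, class=0, nrcpts=1, relay=apache@localhost
Nov  8 19:02:12 web1 sendmail[2103]: pA8J2BqK002101: to=someone@example.net, ctladdr=apache (48/48), mailer=relay, stat=Sent
Nov  8 19:02:40 web1 sendmail[2110]: pA8J2eXx002110: from=apache, size=815, class=0, nrcpts=1, relay=apache@localhost
Nov  8 20:15:03 web1 sendmail[2200]: pA8KF3aa002200: from=<user@example.org>, size=2048, nrcpts=1, relay=mail.example.org [192.0.2.10]
Nov  8 20:31:09 web1 sendmail[2301]: pA8KV9bb002301: from=apache, size=820, class=0, nrcpts=1, relay=apache@localhost
EOF

find_php_mail_calls "$demo/www"      # which scripts call mail()
web_user_submissions "$demo/maillog" # when the web user sent mail
submissions_per_hour "$demo/maillog" # where the bursts are
```

On a real server, point the first function at the directory holding the client sites and the other two at the sendmail log, which on CentOS is normally /var/log/maillog.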