How to find our Spammer


Chris Bell
Forum Newbie
Posts: 4
Joined: Tue Jun 05, 2007 7:51 pm

How to find our Spammer

Post by Chris Bell »

I work for a small California-based web hosting company that uses PHP on our shared Windows hosting servers.

Someone has configured one of the sites to send out spam via the mail() function.

What we think they have done is put up a blank form with entry fields for destination email address and the body of the message - and are using some sort of scripting robot from their own PC to send stuff out using it.

Does anyone have any ideas on how we can search for the PHP page they might be using?

We know which server it is coming from - but that's about all.

There are some 433 web sites hosted on that server, and a text search for the mail() function call has revealed that this is used on 915 PHP pages!

Any ideas or clues on how to help track this down would be very much appreciated!

Chris
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

You could always try the classic Dora the Explorer approach.

No spamming, spammer!

You don't have bandwidth limits on your customers? If they pay for it, they should be allowed to use it, regardless of what they use it for. Spam isn't illegal (though its content may be), just annoying.

In all likeliness though, I doubt they are doing it from a form... That seems like a waste of time. I'm almost positive that it's automated. Do you guys have any logs that show activity? Maybe you can find some sort of continuous running cron. The last hosting company that I worked for had more than enough utilities to find and stop anything that they didn't like.
Chris Bell
Forum Newbie
Posts: 4
Joined: Tue Jun 05, 2007 7:51 pm

It may be legal....

Post by Chris Bell »

.. but our Terms and Conditions to which they agreed when they signed up with us forbid it...

Not least because our mailserver's IP address will end up on blacklists and result in us being blocked (we've already gone through extended fun and games with Yahoo over this!).

Thanks for your comments.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Well, I've no idea how much data your company collects on your server usage, but if you have to ask, it may not be enough. Luckily, at any point, you can always increase the amount of statistics that you collect.

The best I can think of (not an absolute solution, but will at least give you a list of suspects) is to compare their server usage to their unique traffic. Once for my last company, there was a server that was being bombarded with fake e-mail headers through a form. Obviously, it was the result of a badly coded script that needed to be redone, but the problem was noticeable through our statistics.

You can never have enough of them. ^_^
Last edited by superdezign on Tue Jun 05, 2007 8:39 pm, edited 1 time in total.
Chris Bell
Forum Newbie
Posts: 4
Joined: Tue Jun 05, 2007 7:51 pm

Thanks...

Post by Chris Bell »

.... we'll take a look at the stats..

Chris
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Hopefully you run suexec so that each user on your server runs PHP scripts under their own userid? If you do that you should be able to find out (assuming you use Linux servers!) who's invoking sendmail most often. You can do some grepping of the logs for that. It'd involve a bit of grep + awk on the passwd/shadow file to get the userid, then grep against the sendmail logs, calling wc to get the actual number of times sendmail was invoked by the user.

If you run all PHP scripts as www-data, nobody, apache or any other generic userid then you'll struggle, far from reading everyone's code.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

This won't help you find the culprit, but this is most likely a case of header injection on one of your users' contact forms. Far too often novice programmers do not validate incoming data, and any half-witted spammer could manipulate the form to send whatever they want to whoever they want. I wouldn't jump to conclusions and have their account terminated, as it is probably a case of incompetency.
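Added here to illustrate the header injection John describes (example code written for this page, not from the thread or any poster): a contact-form handler that copies the visitor's address straight into the additional_headers argument of mail(), beside a hardened version that fixes the recipient server-side, validates the address, and refuses any line break in a header field. The form field names and function names are assumptions.

```php
<?php
// Added example (not from the thread): the unsafe contact-form pattern John
// describes, next to a hardened handler. Field names are assumed.

// UNSAFE: the visitor's "email" value is copied straight into the header block.
// If that value contains a CR/LF sequence, everything after it is parsed as
// further headers, so the sender can add recipients of their own choosing
// and the form becomes an open relay on the shared server.
function send_contact_unsafe(string $to): bool
{
    $headers = "From: " . $_POST['email'] . "\r\n"
             . "Reply-To: " . $_POST['email'];
    return mail($to, $_POST['subject'], $_POST['message'], $headers);
}

// A legitimate address or subject line never contains a line break,
// so any CR or LF in a header value is a reason to refuse the request.
function header_value_is_clean(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// HARDENED: the recipient is fixed server-side, the address must parse as a
// single e-mail address, and every header field is checked for line breaks.
function send_contact_safe(string $to): bool
{
    $email   = trim((string) ($_POST['email'] ?? ''));
    $subject = trim((string) ($_POST['subject'] ?? ''));
    $message = (string) ($_POST['message'] ?? '');

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                       // not a single well-formed address
    }
    if (!header_value_is_clean($email) || !header_value_is_clean($subject)) {
        // Log the attempt; the client IP is what a host would then grep for.
        error_log('contact form: header injection attempt from ' . $_SERVER['REMOTE_ADDR']);
        return false;
    }

    $headers = "From: " . $email . "\r\n"
             . "Reply-To: " . $email;
    return mail($to, $subject, $message, $headers);
}
```

On a shared server, the error_log() line is also the quickest way to turn a suspect form into a per-site log entry that can be counted, which is exactly the evidence the thread is looking for.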
Chris Bell
Forum Newbie
Posts: 4
Joined: Tue Jun 05, 2007 7:51 pm

Thanks....

Post by Chris Bell »

After many hours Googling for this last night I'm coming to much the same conclusion !