How to find our Spammer
Posted: Tue Jun 05, 2007 8:02 pm
by Chris Bell
I work for a small California-based web hosting company that uses PHP on our shared Windows hosting servers.
Someone has configured one of the sites to send out spam via the mail() function.
What we think they have done is put up a blank form with entry fields for destination email address and the body of the message - and are using some sort of scripting robot from their own PC to send stuff out using it.
Does anyone have any ideas on how we can search for the PHP page they might be using?
We know which server it is coming from - but that's about all.
There are some 433 web sites hosted on that server, and a text search for the mail() function call has revealed that this is used on 915 PHP pages!
Any ideas or clues on how to help track this down would be very much appreciated!
Chris
Posted: Tue Jun 05, 2007 8:21 pm
by superdezign
You could always try the classic Dora the Explorer approach.
No spamming, spammer!
You don't have bandwidth limits on your customers? If they pay for it, they should be allowed to use it, regardless of what they use it for. Spam isn't illegal (though its content may be), just annoying.
In all likeliness though, I doubt they are doing it from a form... That seems like a waste of time. I'm almost positive that it's automated. Do you guys have any logs that show activity? Maybe you can find some sort of continuous running cron. The last hosting company that I worked for had more than enough utilities to find and stop anything that they didn't like.
It may be legal....
Posted: Tue Jun 05, 2007 8:27 pm
by Chris Bell
... but our Terms and Conditions, to which they agreed when they signed up with us, forbid it...
Not least because our mailserver's IP address will end up on blacklists and result in us being blocked (we've already gone through extended fun and games with Yahoo over this!)
Thanks for your comments.
Posted: Tue Jun 05, 2007 8:36 pm
by superdezign
Well, I've no idea how much data your company collects on your server usage, but if you have to ask, it may not be enough. Luckily, at any point, you can always increase the amount of statistics that you collect.
The best I can think of (not an absolute solution, but will at least give you a list of suspects) is to compare their server usage to their unique traffic. Once for my last company, there was a server that was being bombarded with fake e-mail headers through a form. Obviously, it was the result of a badly coded script that needed to be redone, but the problem was noticeable through our statistics.
You can never have enough of them. ^_^
Thanks...
Posted: Tue Jun 05, 2007 8:37 pm
by Chris Bell
... we'll take a look at the stats.
Chris
Posted: Wed Jun 06, 2007 1:30 am
by Chris Corbyn
Hopefully you run suexec so that each user on your server runs PHP scripts under their own userid? If you do that you should be able to find out (assuming you use Linux servers!) who's invoking sendmail most often. You can do some grepping of the logs for that. It'd involve a bit of grep + awk on the passwd/shadow file to get the userid, then grep against the sendmail logs, calling wc to get the actual number of times sendmail was invoked by the user.
If you run all PHP scripts as www-data, nobody, apache or any other generic userid then you'll struggle, short of reading everyone's code.
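To show what the per-user log tally in the post above looks like in practice, here is an added example in Python; it is not code from any poster. It assumes the Linux/suexec setup the post describes (each site's scripts submit mail under that account's own user name, so sendmail's `from=` field names the account), which is not the Windows setup of the original question. The log lines are constructed to resemble sendmail's syslog `from=` records, and the recipient threshold is an assumption.

```python
import re
from collections import Counter

# Constructed lines modelled on sendmail's syslog "from=" records (one per submitted
# message) plus one "to=" delivery record; they are not real logs. Under suexec the
# "from=" value is the local account that invoked the sendmail binary.
SAMPLE_LOG = """\
Jun  6 01:30:12 web1 sendmail[4101]: l561UCab004101: from=alice, size=812, class=0, nrcpts=1, msgid=<a1@web1>, relay=alice@localhost
Jun  6 01:30:13 web1 sendmail[4102]: l561UDab004102: from=spamsite, size=1402, class=0, nrcpts=50, msgid=<b1@web1>, relay=spamsite@localhost
Jun  6 01:30:14 web1 sendmail[4103]: l561UEab004103: from=spamsite, size=1402, class=0, nrcpts=50, msgid=<b2@web1>, relay=spamsite@localhost
Jun  6 01:30:15 web1 sendmail[4104]: l561UFab004104: from=bob, size=611, class=0, nrcpts=1, msgid=<c1@web1>, relay=bob@localhost
Jun  6 01:30:16 web1 sendmail[4105]: l561UGab004105: from=spamsite, size=1402, class=0, nrcpts=50, msgid=<b3@web1>, relay=spamsite@localhost
Jun  6 01:30:17 web1 sendmail[4106]: to=<x@example.net>, ctladdr=alice (1001/1001), delay=00:00:01, mailer=esmtp, stat=Sent
"""

# Only "from=" submission records carry the invoking user and the recipient count.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: \w+: from=(?P<user>[^,]+), .*?nrcpts=(?P<nrcpts>\d+)"
)

def summarise_senders(log_text):
    """Return {user: (invocations, total_recipients)} for local sendmail submissions."""
    invocations = Counter()
    recipients = Counter()
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if not m:
            continue  # "to=" delivery records and unrelated lines are skipped
        # Envelope senders may appear as <user@host>; reduce to the local account name.
        user = m.group("user").strip("<>").split("@")[0]
        invocations[user] += 1
        recipients[user] += int(m.group("nrcpts"))
    return {u: (invocations[u], recipients[u]) for u in invocations}

def rank_suspects(summary, min_recipients=10):
    """Accounts ordered by recipients addressed, highest first, dropping quiet ones.
    The threshold is an assumption; tune it to the server's normal mail volume."""
    ranked = sorted(summary.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(u, inv, rcpt) for u, (inv, rcpt) in ranked if rcpt >= min_recipients]

if __name__ == "__main__":
    for user, inv, rcpt in rank_suspects(summarise_senders(SAMPLE_LOG)):
        print(f"{user:12s} invocations={inv:4d} recipients={rcpt:5d}")
```

Ranking by total recipients rather than by invocation count matters: a form abused through header injection often shows few submissions but a large `nrcpts` on each, because the injected headers add many addresses per message.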
Posted: Wed Jun 06, 2007 1:40 am
by John Cartwright
This won't help you find the culprit, but this is most likely a case of header injection in one of your users' contact forms. Far too often novice programmers do not validate incoming data, and any half-witted spammer could manipulate the form to send whatever they want to whoever they want. I wouldn't jump to conclusions and have their account terminated, as it is probably a case of incompetency.
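The post above describes the likely bug but not how to find it among 915 pages. As an added example, not code from any poster, here is a triage script in Python that narrows the search: it locates mail() calls whose recipient, subject or additional-headers argument is built from request input, either directly or through a variable assigned from $_POST/$_GET/$_REQUEST/$_COOKIE, and ranks the files. The PHP snippets are constructed stand-ins for hosted sites; the one-level taint tracking and the bracket counting are heuristics, so the output is a reading list, not a verdict.

```python
import re
from pathlib import Path

# Constructed PHP samples standing in for three hosted sites; not real customer code.
SAMPLE_SITES = {
    "site_a/contact.php": r"""<?php
$email = $_POST['email'];
$subject = $_POST['subject'];
mail("sales@example.com", $subject, $_POST['body'], "From: " . $email);
""",
    "site_b/contact.php": r"""<?php
$email = $_POST['email'];
// Fixed recipient and subject, no headers built from input: the address goes in the body.
mail("info@example.com", "Website enquiry", "From: " . $email . "\n\n" . $_POST['body']);
""",
    "site_c/cron_report.php": r"""<?php
mail("admin@example.com", "Nightly report", $report);
""",
}

REQUEST_VARS = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
ASSIGNMENT = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]*);")
# Positional arguments of PHP's mail(); the body (index 2) cannot add headers, so it is not flagged.
ARG_NAMES = ("to", "subject", "message", "additional_headers", "additional_parameters")
HEADER_BEARING = (0, 1, 3)

def tainted_variables(src):
    """Names of variables assigned (one level deep) from a request superglobal."""
    return {var for var, rhs in ASSIGNMENT.findall(src) if REQUEST_VARS.search(rhs)}

def extract_mail_calls(src):
    """Yield (line_number, argument_text) per mail(...) call. A paren counter keeps
    multi-line and nested calls whole; parens inside string literals are not understood."""
    for m in re.finditer(r"\bmail\s*\(", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        yield src.count("\n", 0, m.start()) + 1, src[m.end():i - 1]

def split_args(args):
    """Split an argument list on top-level commas only."""
    parts, depth, current = [], 0, []
    for ch in args:
        depth += {"(": 1, "[": 1, ")": -1, "]": -1}.get(ch, 0)
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        parts.append("".join(current).strip())
    return parts

def audit_source(src):
    """Findings for one file: mail() calls whose to/subject/headers carry request input."""
    tainted = tainted_variables(src)
    findings = []
    for line, args in extract_mail_calls(src):
        parts = split_args(args)
        hit = []
        for idx in HEADER_BEARING:
            if idx >= len(parts):
                continue
            arg = parts[idx]
            direct = REQUEST_VARS.search(arg)
            via_var = any(re.search(re.escape(v) + r"\b", arg) for v in tainted)
            if direct or via_var:
                hit.append(ARG_NAMES[idx])
        if hit:
            findings.append({"line": line, "tainted": hit})
    return findings

def audit_sites(sites):
    """{path: findings} for files with at least one finding, most findings first."""
    results = {p: audit_source(s) for p, s in sites.items()}
    flagged = {p: f for p, f in results.items() if f}
    return dict(sorted(flagged.items(), key=lambda kv: len(kv[1]), reverse=True))

def scan_tree(root):
    """Run the audit over every .php file under a document root (not used by the sample)."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    return audit_sites(files)

if __name__ == "__main__":
    for path, findings in audit_sites(SAMPLE_SITES).items():
        for f in findings:
            print(f"{path}:{f['line']} request input reaches {', '.join(f['tainted'])}")
```

Run `scan_tree("/path/to/vhosts")` against a copy of the document roots and read the flagged files first. site_b shows the shape of a form that survives this check: recipient and subject are constants, and the visitor's address is carried in the body rather than in a From header, so nothing the visitor types can become a header line.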
Thanks....
Posted: Wed Jun 06, 2007 7:58 am
by Chris Bell
After many hours Googling for this last night I'm coming to much the same conclusion!