From owner-freebsd-isp@FreeBSD.ORG Wed Mar 2 01:13:33 2005
Date: Tue, 01 Mar 2005 20:12:50 -0500
From: "Charles Hatvany" <Charles@hatvany.com>
To: darek@nyi.net
Cc: freebsd-isp@freebsd.org
Subject: Re: Spammer on my system
List-Id: Internet Services Providers

Darek,

Thank you. Found the bastard. Same IP (83.102.146.162) 196 times to a
guestbook.pl that isn't even used by the client's site. Chmod 000
guestbook.pl should hold him.

Thanks again.

Charles

>>> Darek Milewski 03/01 5:49 PM >>>
Charles Hatvany wrote:
> Hi guys,
>
> This may not be the correct forum for this. My apologies if this is the
> wrong place - could use direction.
>
> I have someone abusing one of our servers. The mails "originate" with
> user "www".
>
> The log entry is like this:
>
> Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www,
> size=7430, class=0, nrcpts=200,
> msgid=<200503010119.j211J29r033993@sixty.hatvany.com>, relay=www@localhost
>
> pxytest shows open proxies at port 25 and 587. The apache config file has
>
>   Order Deny,Allow
>   Deny from all
>
> If I reject relay for 127.0.0.1 - I stop him, but also all mail
> originating on the server and on our web mail.
>
> Any ideas of what I should look for/do?
>
> Charles Hatvany
>
Most likely you have some type of a mailer script (like FormMail.pl)
installed under Apache somewhere. Happens all the time in a webhosting
environment. All you have to do is find it and disable it. Could also
be called contact, or something similar. You might tail some access
logs to look for frequent requests to a cgi file, or a php page.
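Darek's advice to watch the access logs for repeated requests to a CGI or PHP script, and the pattern Charles then found (one client IP hitting guestbook.pl 196 times), can be turned into a short awk/sort pipeline. This is an added example and not part of the original thread: the log lines are constructed in Apache common log format (the IP and script name are borrowed from the thread, the hit counts are made up), and the function names `script_hits` and `flag_abusers` and the default threshold of 100 hits are my own choices.

```shell
#!/bin/sh
# Constructed sample access log in Apache common log format (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
83.102.146.162 - - [28/Feb/2005:20:18:55 -0500] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512
83.102.146.162 - - [28/Feb/2005:20:18:57 -0500] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512
83.102.146.162 - - [28/Feb/2005:20:19:01 -0500] "POST /cgi-bin/guestbook.pl?x=1 HTTP/1.0" 200 512
10.0.0.7 - - [28/Feb/2005:20:19:02 -0500] "GET /index.html HTTP/1.1" 200 2048
10.0.0.8 - - [28/Feb/2005:20:19:03 -0500] "GET /contact.php HTTP/1.1" 200 1024
EOF

# script_hits LOGFILE
# Count requests per (client IP, script path) for .pl/.cgi/.php targets,
# busiest pair first. The query string is dropped so variants of the same
# script are counted together. Output: "<count> <ip> <path>" per line.
script_hits() {
    awk '$7 ~ /\.(pl|cgi|php)(\?|$)/ { split($7, p, "?"); print $1, p[1] }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# flag_abusers LOGFILE [MIN_HITS]
# Print only the (ip, path) pairs with at least MIN_HITS requests
# (default 100; Charles saw 196 from a single address).
flag_abusers() {
    script_hits "$1" | awk -v min="${2:-100}" '$1 >= min'
}

# Run against the constructed sample so the script does something when executed.
script_hits "$SAMPLE_LOG"
```

On a real server, point `script_hits` at the live access log (on FreeBSD the Apache port typically writes /var/log/httpd-access.log) and lower the threshold until the genuine form handlers drop out and only the abused script remains; the sendmail side of the same incident shows up as queue entries with `from=www` and a large `nrcpts=` value, which is what Charles's log line already displays.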