From owner-freebsd-isp@FreeBSD.ORG Tue Mar 1 22:49:43 2005
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50EC216A4CE for ; Tue, 1 Mar 2005 22:49:43 +0000 (GMT)
Received: from m.kolocation.com (m.kolocation.com [66.111.12.250]) by mx1.FreeBSD.org (Postfix) with SMTP id 8B58E43D4C for ; Tue, 1 Mar 2005 22:49:42 +0000 (GMT) (envelope-from darek@nyi.net)
Received: (qmail 57426 invoked by uid 89); 1 Mar 2005 22:45:47 -0000
Received: from unknown (HELO ?10.40.40.209?) (64.147.100.9) by 0 with SMTP; 1 Mar 2005 22:45:47 -0000
Message-ID: <4224F15F.60707@nyi.net>
Date: Tue, 01 Mar 2005 17:49:03 -0500
From: Darek Milewski
User-Agent: Mozilla Thunderbird 0.7.3 (Windows/20040803)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Charles Hatvany
References: <20050301173622.N26116@forty.hatvany.com>
In-Reply-To: <20050301173622.N26116@forty.hatvany.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-isp@freebsd.org
Subject: Re: Spammer on my system
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Tue, 01 Mar 2005 22:49:43 -0000

Charles Hatvany wrote:
> Hi guys,
>
> This may not be the correct forum for this. My apologies if this is the
> wrong place - could use direction.
>
> I have someone abusing one of our servers. The mails "originate" with
> user "www".
>
> The log entry is like this:
>
> Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www,
> size=7430, class=0, nrcpts=200,
> msgid=<200503010119.j211J29r033993@sixty.hatvany.com>, relay=www@localhost
>
> pxytest shows open proxies at port 25 and 587.
> The apache config file has
>
>     Order Deny,Allow
>     Deny from all
>
> If I reject relay for 127.0.0.1 - I stop him, but also all mail
> originating on the server and on our web mail.
>
> Any ideas of what I should look for/do?
>
> Charles Hatvany

Most likely you have some type of a mailer script (like FormMail.pl) installed under Apache somewhere. Happens all the time in a webhosting environment. All you have to do is find it and disable it. Could also be called contact, or something similar. You might tail some access logs to look for frequent requests to a CGI file or a PHP page.
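Added example, not code from the thread or from either poster: two small awk checks that do what the reply suggests, one over the Apache access log (which .cgi/.pl/.php paths are being hit, and by which client addresses) and one over the sendmail maillog (messages submitted as from=www with an unusually high recipient count, as in the quoted log entry). The access-log lines, the client addresses, the /cgi-bin/formmail.pl and /contact.php paths and the second and third maillog lines are constructed for the example; the first maillog line is the one quoted above.

```shell
#!/bin/sh
# Added example for the "spammer driving a web-to-mail script" case.
# All sample log lines below are constructed for this example (the first
# maillog line mirrors the entry quoted in the thread); the script paths and
# client addresses are made up.

ACCESS_LOG='10.0.0.5 - - [28/Feb/2005:20:18:59 -0500] "GET /index.html HTTP/1.0" 200 2048
10.0.0.5 - - [28/Feb/2005:20:19:00 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
10.0.0.5 - - [28/Feb/2005:20:19:01 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
10.0.0.7 - - [28/Feb/2005:20:19:01 -0500] "POST /cgi-bin/formmail.pl?subject=x HTTP/1.0" 200 512
192.0.2.44 - - [28/Feb/2005:20:19:02 -0500] "GET /contact.php HTTP/1.1" 200 3011
10.0.0.5 - - [28/Feb/2005:20:19:03 -0500] "GET /images/logo.gif HTTP/1.0" 200 900'

MAIL_LOG='Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www, size=7430, class=0, nrcpts=200, msgid=<200503010119.j211J29r033993@sixty.hatvany.com>, relay=www@localhost
Feb 28 20:20:11 sixty sendmail[34002]: j211KBxx034002: from=alice, size=1200, class=0, nrcpts=1, msgid=<x@sixty.hatvany.com>, relay=alice@localhost
Feb 28 20:21:40 sixty sendmail[34010]: j211LeYY034010: from=www, size=6900, class=0, nrcpts=150, msgid=<y@sixty.hatvany.com>, relay=www@localhost'

# script_hits: read a common-log-format access log on stdin and print
# "<count> <path>" for every request to a .cgi/.pl/.php script, busiest first.
# The query string is stripped so /x.pl and /x.pl?foo=bar count as one script.
script_hits() {
    awk '$6 ~ /^"(GET|POST)$/ {
            path = $7
            sub(/[?].*/, "", path)
            if (path ~ /\.(cgi|pl|php)$/) hits[path]++
         }
         END { for (p in hits) print hits[p], p }' | sort -rn
}

# clients_for PATH: print "<count> <client>" for requests to PATH, busiest
# first, to see whether a few addresses (open proxies, say) drive the traffic.
clients_for() {
    awk -v want="$1" '$6 ~ /^"(GET|POST)$/ {
            path = $7
            sub(/[?].*/, "", path)
            if (path == want) c[$1]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# bulk_www_mail MIN: read a sendmail maillog on stdin and print
# "<queue-id> <nrcpts>" for messages submitted by the web server user
# (from=www) that carry at least MIN recipients.
bulk_www_mail() {
    awk -v min="$1" '/ from=www,/ {
            qid = $6; sub(/:$/, "", qid)
            for (i = 1; i <= NF; i++)
                if ($i ~ /^nrcpts=/) {
                    n = $i; sub(/^nrcpts=/, "", n); sub(/,$/, "", n)
                    if (n + 0 >= min + 0) print qid, n
                }
         }'
}

# Stand-alone run over the constructed samples: the busiest script, who hits
# it, and the bulk submissions it produced. On a real box replace the printf
# with "tail -n 10000 /var/log/httpd-access.log" and "/var/log/maillog".
printf '%s\n' "$ACCESS_LOG" | script_hits
printf '%s\n' "$ACCESS_LOG" | clients_for /cgi-bin/formmail.pl
printf '%s\n' "$MAIL_LOG" | bulk_www_mail 50
```

The path and maillog checks are kept separate on purpose: a script that shows up at the top of `script_hits` while `bulk_www_mail` reports matching bursts of from=www submissions is the one to disable, whereas a busy script with no matching maillog activity is just a popular page.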