

Thousands of emails being sent via sendmail to ne.jp emails. Help me find him...




Posted by astounding, 09-04-2007, 01:23 PM
Since Jan 07, one of our servers has been sending thousands of emails to ne.jp hosts. E.g. from logs:

We're absolutely unable to track or find out who is sending it or how to stop this. So I'm wondering if it is possible to prevent sendmail from sending to: lsean.ezweb.ne.jp, OR docomo.ne.jp, OR softbank.ne.jp

/var/mail/vhostswww logs are not showing helpful info at all. E.g.:

How would I solve this problem, as it's making our server load sky-high 24/7?

Additional info about system:
> Debian Linux, latest kernel
> Sendmail (we've tried postfix, exim, with same results)
> Non-cPanel system.

I'm also willing to pay anyone who's a top expert in this and can sort it out for us.

Thank you.
Andre

Posted by Scott.Mc, 09-06-2007, 11:44 AM
The best way is going to be your queue: run mailq -v -v, then match the email id with the queue files (such as /var/spool/mqueue). I assume your webserver is running as the same user that is sending the emails from above? If so you can also use find with specific grep parameters to match the most common mail strings for perl+php.
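A shell script that carries out the triage Scott.Mc outlines (queue first, then the scripts that can call mail), added here as an example and not code posted in the thread. The mailq output it parses is constructed sample data in sendmail's queue-listing format: the queue IDs, the www-data user and the example.invalid / example.org addresses are made up, while vhostswww and the three ne.jp carrier domains come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage a sendmail queue the way Scott.Mc
# describes, then look for the scripts that can invoke mail. The mailq output
# below is CONSTRUCTED sample data in sendmail's mailq format; the queue IDs,
# the www-data user and the example.* addresses are made up.

SAMPLE_MAILQ=$(cat <<'EOF'
                /var/spool/mqueue (3 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
l84Dk3Xn012345      512 Tue Sep  4 13:23 <vhostswww@example.invalid>
                 (Deferred: Connection timed out with mx.docomo.ne.jp.)
                                         <user1@docomo.ne.jp>
l84Dk4Ab012346      640 Tue Sep  4 13:24 <www-data@example.invalid>
                                         <someone@example.org>
l84Dk5Cd012347     2048 Tue Sep  4 13:25 <vhostswww@example.invalid>
                                         <user2@lsean.ezweb.ne.jp>
                                         <user3@lsean.ezweb.ne.jp>
EOF
)

# Count queued recipients per destination domain (mailq output on stdin).
# Confirms whether the queue really is dominated by a handful of domains.
queue_domain_counts() {
    awk '$1 ~ /^<.*@.*>$/ { d = $1; sub(/^<.*@/, "", d); sub(/>$/, "", d); c[d]++ }
         END { for (d in c) print c[d], d }' | sort -rn
}

# Print "QUEUE-ID SENDER RECIPIENT" for every queued recipient whose address
# matches the awk regex given in $1. The queue ID names the qf/df files under
# /var/spool/mqueue; the sender is the local user sendmail recorded.
queue_ids_matching() {
    awk -v pat="$1" '
        # A queue-ID line: 14 alphanumerics, then size, time and <sender>.
        length($1) == 14 && $1 ~ /^[A-Za-z0-9]+$/ {
            id = $1; sender = $NF
            sub(/^</, "", sender); sub(/>$/, "", sender)
            next
        }
        # Recipient lines are indented and hold only <address>.
        $1 ~ /^<.*@.*>$/ && id != "" {
            rcpt = $1; sub(/^</, "", rcpt); sub(/>$/, "", rcpt)
            if (rcpt ~ pat) print id, sender, rcpt
        }'
}

# List PHP/Perl/CGI files under a directory that can send mail: a mail() call,
# a direct sendmail pipe, or popen(). A starting point for review, not proof.
find_mail_callers() {
    find "$1" -type f \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' \) \
        -exec grep -lE 'mail[[:space:]]*\(|/usr/(sbin|lib)/sendmail|popen[[:space:]]*\(' {} + \
        | sort
}

# Demo on the constructed sample. On a real host feed "mailq -v -v" instead
# and point find_mail_callers at the web root (for example /var/www).
echo "queued recipients per domain:"
printf '%s\n' "$SAMPLE_MAILQ" | queue_domain_counts
echo
echo "queue entries addressed to the three Japanese carriers:"
printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_matching '(docomo|ezweb|softbank)[.]ne[.]jp$'
```

Once a queue ID is known, the matching qf file under /var/spool/mqueue holds the headers: for locally submitted mail sendmail's first Received: line typically records the submitting user (from vhostswww@localhost), and with the PHP patch tanfwc links below, or on PHP 5.3 and later with mail.add_x_header = On, an X-PHP-Originating-Script header names the script. When every site runs as one user, as on this server, that header is what turns "vhostswww sent it" into a specific file to inspect.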

Posted by astounding, 09-06-2007, 12:30 PM
No. It's running vhostswww, which is for users apache/sendmail. Here's what mailq -v -v returns:

Not much helpful info. Spam seems to have finally gone, but I'm assuming it's gonna come back, so still treating this as a "please help" case.

Posted by tanfwc, 09-06-2007, 02:17 PM
It seems to be sending from web scripts. You might want to patch PHP so that you know who is sending out from PHP scripts. http://choon.net/php-mail-header.php

Posted by astounding, 09-07-2007, 09:15 AM
Already done a long time ago. Thing is, it's not showing in the logs. And our server config only allows sendmail for paid members. So it's none of them. Meaning a non-activated sendmail member is sending this. Likely found an exploit.

Posted by Virago, 09-13-2007, 09:02 PM
I'm going to hazard a wild guess based on something I encountered earlier involving zuzanna.cn. (I was searching on the domain, and your post here came up.) One of your paid members may have been hit with a trojan from that site, possibly turning their PC into a "zombie box" that is being used to send spam.

Posted by astounding, 09-13-2007, 09:09 PM
Resolved issue.
