Posted by: Mangesh_Linux_Administrator | August 6, 2010

Find Nobody spammer


It is difficult to track nobody spammers from the exim_mainlog file: you cannot tell exactly who is using your server to send spam. If you check php.ini you will see that the mail service is set to /usr/sbin/sendmail, and almost all mail scripts use PHP's built-in mail() function. That means everything is going through /usr/sbin/sendmail.

This procedure identifies those users on your Linux server.

1. Login to server as root.

2. To be safe, stop Exim first.

[root@server~]#/etc/init.d/exim stop

3. Back up the /usr/sbin/sendmail file by moving it aside. [Your server uses Exim as its MTA (Mail Transfer Agent); /usr/sbin/sendmail is actually just a pointer to Exim.]

[root@server~]#mv /usr/sbin/sendmail /usr/sbin/sendmail.imp

4. Now create a spam-monitoring script that becomes the new sendmail program.

[root@server~]#vi /usr/sbin/sendmail

Paste in the following:
#!/usr/local/bin/perl
# Wrapper that logs who called sendmail, then hands the mail to the real binary.
use strict;
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = `date`;
chomp $date;
open(INFO, ">>/var/log/spammer.log") || die "Failed to open file ::$!";
my $uid  = $>;                 # effective UID of the caller (99 = nobody on cPanel)
my @info = getpwuid($uid);     # passwd entry for that UID
if ($REMOTE_ADDR) {
    # Called from a web request: log client IP, script name and virtual host
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {
    # No request environment: log the working directory and passwd entry instead
    print INFO "$date - $PWD - @info\n";
}
my $mailprog = '/usr/sbin/sendmail.imp';
# Pass the original arguments through to the real sendmail as a list,
# so no shell is involved and no argument can be reinterpreted.
open(MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print MAIL;
}
close(INFO);
close(MAIL);

5. Make the new sendmail executable.

[root@server~]#chmod +x /usr/sbin/sendmail

6. Create the new log file that records which web mail scripts are being used.

[root@server~]#touch /var/log/spammer.log

[root@server~]#chmod 0777 /var/log/spammer.log

7. Start Exim.

[root@server~]#/etc/init.d/exim start

8. Now run any formmail script, or any other script that uses the mail() function, and watch the new log file (/var/log/spammer.log):

[root@server~]#tail -f /var/log/spammer.log

It should give us output like this:

Mon Nov 15 11:00:00 EST 2008 - /home/username/public_html/directory/subdirectory/subsubdirectory - nobody x 99 99 Nobody / /sbin/nologin
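Once the wrapper has been running for a while, the interesting part is finding which directory or script is responsible for the bulk of the entries. The following Python script is an added example (not part of the original post) that parses both line formats the wrapper writes, counts invocations per source and flags anything over a threshold; the log lines, account names and addresses in it are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of /var/log/spammer.log entries in the two formats the
# wrapper writes: "web" lines (request environment present) and "cwd" lines.
SAMPLE_LOG = """\
Mon Nov 15 11:00:00 EST 2008 - /home/alice/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 15 11:00:01 EST 2008 - /home/alice/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 15 11:00:02 EST 2008 - 203.0.113.7 ran /blog/wp-content/uploads/x.php at bob.example
Mon Nov 15 11:00:03 EST 2008 - 203.0.113.7 ran /blog/wp-content/uploads/x.php at bob.example
Mon Nov 15 11:00:04 EST 2008 - 203.0.113.7 ran /blog/wp-content/uploads/x.php at bob.example
Mon Nov 15 11:05:00 EST 2008 - /home/carol/public_html - nobody x 99 99 Nobody / /sbin/nologin
garbage line that does not match either format
"""

# "DATE - IP ran SCRIPT at HOST": mail() called during a web request
WEB_RE = re.compile(r"^(?P<date>.+?) - (?P<ip>\S+) ran (?P<script>\S+) at (?P<host>\S+)\s*$")
# "DATE - CWD - passwd fields": no request environment, so only cwd and uid are known
CWD_RE = re.compile(r"^(?P<date>.+?) - (?P<cwd>/\S*) - (?P<user>\S+) ")

def parse_line(line):
    """Return a dict for one wrapper log entry, or None if the line matches neither format."""
    m = WEB_RE.match(line)
    if m:
        return {"kind": "web", "source": f"{m['host']}{m['script']}", "ip": m["ip"]}
    m = CWD_RE.match(line)
    if m:
        return {"kind": "cwd", "source": m["cwd"], "ip": None}
    return None

def account_from_path(path):
    """Map /home/<user>/... to the owning account name; None for other paths."""
    m = re.match(r"^/home/([^/]+)/", path)
    return m.group(1) if m else None

def summarize(log_text, threshold=3):
    """Count sendmail invocations per source; return (counts, sources at or over threshold)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[entry["source"]] += 1
    flagged = sorted(s for s, n in counts.items() if n >= threshold)
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for source, n in counts.most_common():
        print(f"{n:5d}  {source}  account={account_from_path(source)}")
    print("over threshold:", flagged)
```

On a live server, replace SAMPLE_LOG with the contents of /var/log/spammer.log and raise the threshold to suit normal traffic.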

9. Log rotation: this file is not set up to be rotated, so it may grow very large quickly. Add it to logrotate:

[root@server~]#vi /etc/logrotate.conf

Find >>

# no packages own wtmp -- we'll rotate them here

/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

Add >>

# SPAM LOG rotation

/var/log/spammer.log {
monthly
create 0777 root root
rotate 1
}

10. Set the immutable attribute on the new sendmail file so it does not get overwritten.

[root@server~]#chattr +i /usr/sbin/sendmail

Now we can identify the nobody spam users. Good luck.
