Daniel
08-30-2001, 10:40 AM
I have received some complaints that someone is using one of my servers to spam AOL members. The mail comes from nobody@myserver.com so I believe it's a user sending the mail with a script. This is what I found in my exim log:
2001-08-29 23:35:40 15cIcG-0002nC-00 => someone@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [205.188.000.000]
2001-08-29 23:35:40 15cIcG-0002nC-00 Completed
How can I figure out what user is sending the email?
Walter
08-30-2001, 10:52 AM
Did the victims send you the email header?
Is there any X-Abusive entry which makes sense (UID)?
Daniel
08-30-2001, 10:56 AM
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - my.servername.com
X-AntiAbuse: Original Domain - aol.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
X-AntiAbuse: Sender Address Domain - my.servername.com
this is in /etc/passwd nobody:x:99:99:Nobody:/:
Originally posted by Daniel
I have received some complaints that someone is using one of my servers to spam AOL members. The mail comes from nobody@myserver.com so I believe it's a user sending the mail with a script. This is what I found in my exim log:
2001-08-29 23:35:40 15cIcG-0002nC-00 => someone@aol.com R=lookuphost T=remote_smtp H=mailin-01.mx.aol.com [205.188.000.000]
2001-08-29 23:35:40 15cIcG-0002nC-00 Completed
How can I figure out what user is sending the email?
Try finding your Apache logfile and look at the log entries around that time of day. You most probably have an old FormMail script installed (the old ones can be used to send out SPAM).
Daniel
08-30-2001, 12:03 PM
Nothing in the access log around that time.
netserve
09-02-2001, 04:16 PM
It does sound very much like a formmail.pl exploit.
Try grepping your log files for one of the AOL addresses.
I've seen this attack happen twice on two of our servers. Since then we've moved clients' perl scripts to an alternative cgi-bin location, so spammers looking for domain.com/cgi-bin/formmail.pl are less likely to find the scripts if clients have used an old version or misconfigured it.
Daniel
09-02-2001, 04:22 PM
That's what was happening: someone was using a formmail script a client had in his cgi-bin. I found it in the sendmail logs.
Thank you all for your help!!
netserve
09-02-2001, 06:09 PM
The AOL email address was a giveaway. :-)
I've been looking for a simple perl/bash script that can monitor the size of the maillog file, e.g. something that can email you if the file has grown by more than xxKb in the last 15 mins or has grown to more than xxxKb, i.e. something that will pick up on indicators that there is a problem. Still not found anything, and my perl knowledge isn't up to the job.
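A small POSIX sh monitor along the lines netserve describes, added here as an example and not code from the thread. The log path, state file, thresholds and mail recipient are placeholder assumptions to adjust; it is meant to run from cron every 15 minutes and compares the current size with the size recorded on the previous run.

```sh
#!/bin/sh
# Added example: alert when a mail log grows abnormally (assumed paths/limits).
LOG="${LOG:-/var/log/maillog}"            # assumption: log to watch
STATE="${STATE:-/var/tmp/maillog.size}"   # size in bytes seen on the last run
GROWTH_KB="${GROWTH_KB:-500}"             # alert if grown by more than this per run
MAX_KB="${MAX_KB:-50000}"                 # alert if the file exceeds this size
MAILTO="${MAILTO:-root}"                  # assumption: who gets the alert

# file_size FILE -> prints size in bytes, 0 if the file does not exist
file_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# check_growth LOG STATE GROWTH_KB MAX_KB
# Records the current size in STATE. Prints a reason and returns 0 when a
# threshold is crossed, returns 1 when everything looks normal.
check_growth() {
    log=$1; state=$2; growth_kb=$3; max_kb=$4
    now=$(file_size "$log")
    prev=0
    [ -f "$state" ] && prev=$(cat "$state")
    echo "$now" > "$state"
    # A file smaller than last time means it was rotated: start a new baseline.
    [ "$now" -lt "$prev" ] && prev=0
    delta_kb=$(( (now - prev) / 1024 ))
    now_kb=$(( now / 1024 ))
    if [ "$delta_kb" -gt "$growth_kb" ]; then
        echo "$log grew by ${delta_kb}KB since last check (limit ${growth_kb}KB)"
        return 0
    fi
    if [ "$now_kb" -gt "$max_kb" ]; then
        echo "$log is ${now_kb}KB (limit ${max_kb}KB)"
        return 0
    fi
    return 1
}

# When run from cron: mail the reason plus the last 20 log lines for context.
if [ "${MONITOR_RUN:-1}" = 1 ] && [ -f "$LOG" ]; then
    if reason=$(check_growth "$LOG" "$STATE" "$GROWTH_KB" "$MAX_KB"); then
        printf '%s\n\n%s\n' "$reason" "$(tail -n 20 "$LOG")" \
            | mail -s "maillog alert on $(hostname)" "$MAILTO"
    fi
fi
```

Set MONITOR_RUN=0 to source the file for its functions without sending mail.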