Web Hosting Talk

Sendmail ... Spam ... Logs


new-webmaser
01-09-2002, 09:21 AM
Hello,

I run a small company selling low-cost web hosting with a few thousand domains.

From time to time I catch spammers; I usually check the sendmail logs to see any unusual usage.

This time I saw unusual usage of sendmail in the "top" command, but I couldn't identify the spammer because sendmail stopped logging to /var/log/sendmail.log, even after rebooting.

The hard drive has enough space to write logs ... but I think I need to adjust something to make sendmail start writing logs again?

Another question .. will shutting down the EXIM server stop emails being sent until I know who the spammer is?

Thanks

zupanm
01-09-2002, 10:58 AM
sendmail is awful when it gets hit by a spam attack. I help admin big mail servers for a large ISP and we now use exim on all of our mail servers, because if we got hit by spam, sendmail would fork up to 20 processes and then hang, eating all the memory on the machine.

I don't know of a way to make any mail server stop sending mail if it gets a big amount of new mail coming in... Ahh... I guess you could write a script to check the load and then maybe stop it for you, but then you'd get a lot of angry customers who can't send mail or whose mail is delayed.

new-webmaser
01-11-2002, 09:19 AM
Hello,

After 2 days and no answer!

The spammer uses my server daily .. any help?

sendmail stopped writing logs ... how can I make it start writing again?

Can I configure EXIM not to send messages to an exact email address?

Annette
01-11-2002, 08:47 PM
Advice: ignore the sendmail log for right now, as there are other ways to catch spammers.

When you see all those sendmail processes running, do you see any scripts running as well? If so,

locate (scriptname) (or you can use a partial scriptname):

Example
locate formmail.pl - will find exact matches
locate formm - will find formmail.pl, formmail.cgi, and so on

Once you locate the script, chown it to root and chmod it to non-executable. You might have to kill off all the sendmail processes. Then clean out /var/spool/exim/input, as you'll probably find quite a few undeliverables in there. Then you can deal with the user in whatever way your AUP says you will.
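An added example (not from the thread, and not anything Annette posted) of the detective work described above: a shell function that reads `ps -eo pid,ppid,user,args` output and reports which processes are spawning sendmail children and as which user, plus a helper that strips the execute bits from the script once you have found it. The ps sample, the user names, the site paths and the script names in it are all constructed for the offline run; on a live box you would pipe real `ps` output in instead.

```shell
#!/bin/sh
# Added example: find out which process is fanning out sendmail, then
# quarantine the script. Sample data below is constructed, not real.

# Constructed ps output: one "nobody" CGI script spawning sendmail three
# times, a form mailer with one child, and cron's legitimate queue run.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  802     1 root     /usr/sbin/httpd
 1201   802 nobody   /usr/sbin/httpd
 1340  1201 nobody   /usr/bin/perl /home/siteA/public_html/cgi-bin/lstmrge.cgi
 1341  1340 nobody   /usr/sbin/sendmail address@domain.com -t
 1342  1340 nobody   /usr/sbin/sendmail address@domain.com -t
 1343  1340 nobody   /usr/sbin/sendmail address@domain.com -t
 1400   802 nobody   /usr/bin/perl /home/siteB/public_html/cgi-bin/formmail.pl
 1401  1400 nobody   /usr/sbin/sendmail -t -oi
 1500     1 root     /usr/sbin/cron
 1501  1500 root     /usr/sbin/sendmail -q'

# sendmail_parents: read "ps -eo pid,ppid,user,args" output on stdin and
# print "count user parent-command" for every process that has sendmail
# children, busiest parent first.
sendmail_parents() {
    awk '
        NR == 1 { next }                      # skip the ps header line
        {
            pid = $1; ppid = $2; user = $3
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i   # rejoin the args
            pcmd[pid] = cmd; puser[pid] = user
            if ($4 ~ /sendmail$/) kids[ppid]++          # count per parent
        }
        END {
            for (p in kids)
                printf "%d %s %s\n", kids[p],
                    (p in puser ? puser[p] : "?"),
                    (p in pcmd ? pcmd[p] : "pid " p)
        }
    ' | sort -rn
}

# quarantine_script PATH: remove all execute bits so the script stops
# firing, and hand ownership to root when we have the privilege to do so.
quarantine_script() {
    chmod a-x "$1" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$1" || return 1
    fi
    echo "quarantined: $1"
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | sendmail_parents
```

The first line of the report names the script worth looking at (here the constructed lstmrge.cgi under siteA, running as nobody with three sendmail children); cron's single `sendmail -q` shows up too, which is the normal queue run and a reminder that a count of one is not evidence by itself.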

2Mhost
01-12-2002, 10:07 PM
Hi Annette

It's such a good idea .. but with spam, the command line will show the user as "nobody" and the command like:

/usr/sbin/sendmail address@domain.com -t

I think there are some well-known spam programs .. so what keyword can we use to catch the spammer's folder?

Annette
01-13-2002, 04:48 AM
Scripts we've seen spammers using but that are also used legitimately by regular clients:

lstmrge.cgi
mailer.pl
prochat2.cgi
abuse of improperly configured formmail.pl scripts

and so on. What you're looking for in top is any script that seems out of place. Is there a copy of lstmrge.cgi running (or three or four, typically)? What looks like it might be the culprit in spawning all those sendmail processes?

You have to be prepared to do detective work, especially if the spammer is using someone's formmail.pl script and just sending their junk through a form, a batch at a time. This latter won't really show up like the others - but when the abuse complaints start dropping in on you, you'll probably take the same stance we did and require that people use some other name for their form-to-mail scripts, to keep automatic harvesters from finding them so easily.

Omair Haroon
01-13-2002, 06:39 AM
Hello Annette,

Just a few seconds before typing this message, I suspended a client's account.. He was using lstmrge.cgi too.

I am on a Cobalt, so how do I now clear all the mails due to be delivered?

Salam,
-Omair

Annette
01-13-2002, 06:53 AM
Sendmail on that RaQ? Check /var/spool/mqueue/qx (where x is some number assigned by the system). Items beginning with Q are headers, d are detail (the actual messages), and x is the equivalent of msglog on other servers (the errors for undeliverables).
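An added example (not from the thread) of triaging such a queue directory before clearing it, so the abusive sender is on record when you deal with the account: a shell function that counts the queue files by type and lists queued messages per envelope sender. It assumes the standard sendmail queue file naming (qf* control files carrying the envelope and headers, df* message bodies, xf* transcripts) and takes the directory as a parameter, since on a Cobalt the queue is split into numbered subdirectories as Annette describes. The sample queue it builds is constructed, with made-up addresses and queue ids.

```shell
#!/bin/sh
# Added example: summarise a sendmail queue directory before emptying it.
# Assumes standard sendmail naming: qf* (envelope + headers), df* (body),
# xf* (transcript). The sample queue below is constructed for an offline run.

# queue_summary DIR: print counts per file type, then the number of queued
# messages per envelope sender (the S line of each qf file), busiest first.
queue_summary() {
    dir=$1
    for prefix in qf df xf; do
        n=$(find "$dir" -maxdepth 1 -name "${prefix}*" | wc -l | tr -d ' ')
        echo "$prefix files: $n"
    done
    # The S line holds the envelope sender; drop the leading S and tally.
    find "$dir" -maxdepth 1 -name 'qf*' \
        -exec awk '/^S/ { print substr($0, 2); exit }' {} \; \
        | sort | uniq -c | sort -rn
}

# make_sample_queue: build a constructed queue in a temp dir and print its
# path. Three queued messages from a "nobody" script, one legitimate one,
# and a single transcript recording a deferred delivery.
make_sample_queue() {
    d=$(mktemp -d)
    i=0
    while [ "$i" -lt 3 ]; do
        printf 'V8\nT1010670000\nS<nobody@siteA.example>\nRPFD:<victim%d@example.net>\nH??Subject: Buy now\n' \
            "$i" > "$d/qfSPAM00$i"
        printf 'Buy now\n' > "$d/dfSPAM00$i"
        i=$((i + 1))
    done
    printf 'V8\nT1010670000\nS<alice@siteB.example>\nRPFD:<bob@example.org>\n' > "$d/qfGOOD001"
    printf 'hello\n' > "$d/dfGOOD001"
    printf 'Deferred: Connection timed out\n' > "$d/xfSPAM000"
    echo "$d"
}

# Demo run on the constructed queue.
queue_summary "$(make_sample_queue)"
```

On a real box you would point `queue_summary` at /var/spool/mqueue/qx for each numbered directory and only then remove the qf/df/xf triplets that belong to the abusive sender, leaving legitimate customers' mail to go out.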

new-webmaser
01-13-2002, 09:29 AM
Annette .. 2Mhost .... you are both great (Annette .. a bit more)

I found the **** spammer .. using the "locate" command


regards for alllllllllllllllllllllll