Web Hosting Talk

find formmail spammer


omnistar
07-17-2002, 05:44 PM
Hi,

I have a Red Hat server and someone is spamming it using formmail. I am about to get rid of the formmail script and use a secure script, but in the meantime, I wanted to know if there is a way I can find out which particular formmail is being spammed. All of the users' access_logs are within their directory and I was thinking, is there a grep command I can run to search my /home directory and try to use a phrase from the email body that is being sent out? I have this because spamcop sent it to me.

Would this put too much of a load on my server? What is the best way to find out which script is being spammed?

Any help would be appreciated. Thanks in advance.

miami_g
07-17-2002, 05:48 PM
we had this issue

try to get a recipient of spam to send you an email they received, open the headers and look


also login ssh and type locate formmail

it will show all your users with that script

contact them and tell em to change the name of the script, set the referers, or get rid of it..

lastly visit spamcop.net and see if you're listed

omnistar
07-17-2002, 05:59 PM
I looked at the header and since it was sent as apache, I could not tell where it was coming from. Yes, I plan to get rid of the script altogether, but I want to know if there is some command where I can find which formmail is actually being spammed.

I have the body of the email, so I have a phrase I can search for.

Maybe some type of grep command?

Jedito
07-17-2002, 06:52 PM
maybe you can do an egrep on the sendmail logs or your mail server's log, searching for one of the spammed email addresses.

elsmore1
07-17-2002, 07:35 PM
You could do something like this....

grep -l "phrase to find" `find /home/*/logs -name access_log`

you would obviously want to change the parameters to fit your situation.
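The phrase from the mail body will only show up in access_log if the spammer used GET; with POST the body never reaches the log, but the script path and client IP still do. The following is an added example (not from anyone in this thread) that counts formmail requests per account under the /home/<account>/logs/access_log layout the thread assumes, and lists the client IPs hitting one account's script. The log lines are constructed sample data.

```shell
#!/bin/sh
# Added example: per-account count of requests to FormMail-style CGIs,
# so the abused account stands out even when the spam was sent via POST.
# Assumed layout: /home/<account>/logs/access_log in Apache common/combined
# format (first field = client IP, request in double quotes).

formmail_hits() {
    # $1 = directory holding one subdirectory per account
    # prints "<hits> <account>", busiest account first
    for log in "$1"/*/logs/access_log; do
        [ -f "$log" ] || continue
        account=$(basename "$(dirname "$(dirname "$log")")")
        # grep -c exits 1 when the count is 0; keep the "0" and carry on
        hits=$(grep -ciE '"(GET|POST) [^" ]*formmail\.(pl|cgi)' "$log" || true)
        echo "$hits $account"
    done | sort -rn
}

formmail_clients() {
    # $1 = one access_log; prints "<hits> <client IP>" for formmail requests
    grep -iE '"(GET|POST) [^" ]*formmail\.(pl|cgi)' "$1" \
        | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample logs (RFC 5737 test addresses, not real clients)
DEMO=$(mktemp -d)
mkdir -p "$DEMO/home/alice/logs" "$DEMO/home/bob/logs" "$DEMO/home/carol/logs"
cat > "$DEMO/home/alice/logs/access_log" <<'EOF'
203.0.113.7 - - [17/Jul/2002:17:01:02 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1544 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Jul/2002:17:01:03 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1544 "-" "Mozilla/4.0"
198.51.100.9 - - [17/Jul/2002:17:02:10 -0400] "GET /cgi-bin/formmail.pl?recipient=victim%40example.net HTTP/1.0" 200 1544 "-" "-"
203.0.113.7 - - [17/Jul/2002:17:03:00 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1544 "-" "Mozilla/4.0"
EOF
cat > "$DEMO/home/bob/logs/access_log" <<'EOF'
192.0.2.44 - - [17/Jul/2002:17:05:00 -0400] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
192.0.2.44 - - [17/Jul/2002:17:05:09 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 1544 "http://bob.example/contact.html" "Mozilla/4.0"
EOF
: > "$DEMO/home/carol/logs/access_log"   # account with no hits at all

echo "formmail hits per account:"
formmail_hits "$DEMO/home"
echo "clients hitting alice's script:"
formmail_clients "$DEMO/home/alice/logs/access_log"
```

On a real box, replace "$DEMO/home" with /home; the busiest account is the one whose script to rename, referer-restrict or disable first.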

AcuNett
07-18-2002, 12:44 AM
Try to see what the UID of the sender was and match it with someone in /etc/passwd

do cat /etc/passwd | grep <all uid's found in header> to see if it matches with a particular user.

omnistar
07-18-2002, 07:15 PM
Hi,

When I tried to do a grep, it gave me this output:
[root@server1 /root]# grep "Pattern" /home/*/log -name access_log > results
grep: invalid max count

Also where is the UID in the header, I saw:
XUID: 7552

but that number was not in my /etc/passwd file.

Please help?

elsmore1
07-18-2002, 11:27 PM
Originally posted by omnistar
Hi,

When I tried to do a grep, it gave me this output:
[root@server1 /root]# grep "Pattern" /home/*/log -name access_log > results
grep: invalid max count

Also where is the UID in the header, I saw:
XUID: 7552

but that number was not in my /etc/passwd file.

Please help?

Was that bold line the actual one you used? It doesn't look anything like the one I suggested.

omnistar
07-19-2002, 08:35 AM
Hi,

Thanks for your reply. I had tried your suggestion and I got the same error.

what about the uid number? where is that at in the header?

Thanks

erik
07-19-2002, 11:08 AM
Paste this into a text file that you call locatefm.pl and run it by typing 'perl locatefm.pl'. This script will locate all files called FormMail.* (and formmail.*), then it makes sure that it's from Matt's Script Archive and displays a list.

I have a script that changes permissions to 000 automatically if anyone is interested. This script can for instance run daily from cron.

#!/usr/bin/perl

use strict;

my @output = qx(locate '*orm*ail.*');   # quoted so the shell does not expand the glob

foreach my $file (@output) {
    my $ok = 0;
    chomp $file;
    open(FILE, "< $file") or die "cannot open $file: $!";
    while (my $line = <FILE>) {
        if ($line =~ /matt wright/i) {   # Matt's Script Archive copyright line
            $ok = 1;
            last;
        }
    }
    close FILE;
    if ($ok) {
        print "From Matt's: $file\n";
    }
}

Gyrbo
07-19-2002, 11:25 AM
Originally posted by omnistar
Hi,

Thanks for your reply. I had tried your suggestion and I got the same error.

what about the uid number? where is that at in the header?

Thanks
Did you place backticks around the `find ...` command? Try to copy/paste to make sure.

Lmax
10-29-2002, 09:37 AM
Originally posted by erik

I have a script that changes permissions to 000 automatically if anyone is interested. This script can for instance run daily from cron.

This would be very interesting if you're able to specify to only disable scripts from version 1.6 for example. These are extremely vulnerable to spam.
Can you do this??

erik
10-29-2002, 10:14 AM
I'm sure it can be done just by modifying this script a little bit, but I don't have the 1.6 version available so I'm not sure what to search for.

Just modify line 8 and the script will use whatever you replace "matt wright" with to determine whether to disable the formmail script or not.

However, I disable later versions also because of several security flaws in these too. I ask all users to convert to NMS instead (just like Matt Wright does ;-))

my @output = qx(locate '*orm*ail.*');   # quoted so the shell does not expand the glob

foreach my $file (@output) {
    my $ok = 0;
    chomp $file;
    open(FILE, "< $file") or die "cannot open $file: $!";
    while (my $line = <FILE>) {
        if ($line =~ /matt wright/i) {   # line 8: the pattern that marks a script for disabling
            $ok = 1;
            last;
        }
    }
    close FILE;
    if ($ok) {
        system("chmod", "000", "$file");   # make the script unreadable and unexecutable
        print "Disabled: $file\n";
    }
}

jahsh
10-29-2002, 05:37 PM
try this:
cat /var/log/maillog | grep recipient
this should give you what you are looking for.

bitserve
10-29-2002, 09:22 PM
If you're using suexec, you can just look in your suexec log for a whole bunch of instances of formmail being executed. That'll tell you which account.

I posted a one line command to find copies of formmail and remove them if they weren't the latest version in this post:

http://www.webhostingtalk.com/showthread.php?threadid=40126

It could be modified, since there is a newer version of formmail out.

CipherVendor
10-29-2002, 10:44 PM
This will locate any vulnerable formmail scripts within /home and print to screen.
find /home \( -iname '*mail.cgi' -o -iname '*mail.pl' \) -type f -print | xargs grep -i 'Version 1.[0-8]'