etc... How do they manage to do that? Sendmail is set to require authentication for SMTP, and the access file in /etc/mail is not set to allow RELAYING for anyone other than localhost. The only users on the box are 2 family members, did their accounts get hacked? How do I determine which user the email is sent through?
Looks like formmail scripts weren't the problem. This morning the spam was coming through, I tried chmod'ing the scripts to 000 and it didn't stop the deluge, nor did shutting off the http daemon altogether, so it's happening through sendmail itself. Stopping the sendmail daemon is my only option for now.
Like I said, it's set up for password authentication, and I tried changing all users' passwords but to no avail.
The only email that needs to be sent from the server comes from perl scripts, and I could do without the ability to relay email from outside the server itself. How do I set this up? I've got MailScanner installed.
OK, I shut off SMTP authentication and disallowed relaying from anywhere. But this seems to be the header from one of the spams:
Return-Path: <[email protected]>
Received: from grsites.com (localhost.domain [127.0.0.1])
by grsites.com (8.12.10/8.12.10) with ESMTP id i2SNSHlT022248;
Sun, 28 Mar 2004 18:34:05 -0500
Received: (from [email protected])
by grsites.com (8.12.10/8.12.10/Submit) id i2SJKjWM019072;
Sun, 28 Mar 2004 14:20:45 -0500
Date: Sun, 28 Mar 2004 14:20:45 -0500
Message-Id: <[email protected]>
To: [email protected]
From: [email protected]
Subject: Dont miss this trade . VqehC cw9Mhg ZEE1Q 3Hs
Judging by the headers it's coming from your webserver ([email protected]) which would indicate it is probably coming from a perl/PHP script of some sort. As for tracing it, first try top and see if you can see anything that looks suspicious (although this won't show PHP scripts if they aren't run as cgis), then I guess try the /server-status bit built into apache to see what is being accessed, and if that still fails - start checking your web logs to try and find it.
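As an added example (not code from any poster in this thread), a small Python script that reads a Received chain the way the reply above does: sendmail's local submission agent stamps the Unix user in a "(from user@host)" hop, and a chain whose only addresses are loopback means nothing arrived over SMTP from outside. The sample headers, user, hosts and queue ids are constructed placeholders, not the thread's values.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the sendmail 8.12 chain quoted in the thread;
# user, hosts and queue ids are placeholders, not the post's real values.
LOCAL_SAMPLE = """\
Received: from mail.example.com (localhost.domain [127.0.0.1])
\tby mail.example.com (8.12.10/8.12.10) with ESMTP id PLACEHOLDER0001;
\tSun, 28 Mar 2004 18:34:05 -0500
Received: (from webuser@localhost)
\tby mail.example.com (8.12.10/8.12.10/Submit) id PLACEHOLDER0002;
\tSun, 28 Mar 2004 14:20:45 -0500
Subject: constructed sample
"""
# Constructed sample of a message that came in over the network instead.
RELAYED_SAMPLE = "Received: from relay.example.org (relay.example.org [203.0.113.5]) by mail.example.com (8.12.10/8.12.10) with ESMTP id PLACEHOLDER0003; Sun, 28 Mar 2004 18:40:00 -0500\n"

# sendmail's local submission agent writes "Received: (from user@host)" and
# marks its hop with "/Submit)" in the version string.
SUBMIT_RE = re.compile(r"^\(from\s+([^@\s)]+)@([^\s)]+)\)")
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def received_hops(raw):
    """Received headers, unfolded, in header order (earliest hop last)."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def local_submitter(raw):
    """(user, host) of the Unix account that handed the message to sendmail's
    submission agent, or None if there is no local-submission hop."""
    for hop in reversed(received_hops(raw)):
        m = SUBMIT_RE.match(hop)
        if m and "/Submit)" in hop:
            return m.group(1), m.group(2)
    return None

def external_hops(raw):
    """Non-loopback addresses in the Received chain. Empty means the message
    never crossed the network: it was generated on the server itself."""
    ips = []
    for hop in received_hops(raw):
        for ip in IP_RE.findall(hop):
            try:
                if not ipaddress.ip_address(ip).is_loopback:
                    ips.append(ip)
            except ValueError:
                pass  # bracketed token that is not an IP literal
    return ips
```

When `local_submitter` returns a web server account and `external_hops` is empty, the next place to look is that account's scripts and the web logs, not the relay configuration.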
I got a similar problem on my hosting machine. Tons of email were sent out from my own domain, so my host had to suspend my account. I have changed my password, and also advised my host to disable formmail.pl script, but yesterday it came back again. Now, all my domains are suspended again.
I am waiting for the solution from my host, and in the meantime, I am preparing to move my domains to a new hosting machine to see whether it was caused by the machine setup or not. Man, what a headache caused by those crazy bastards.
thelinuxguy --- is adding this directive to php.ini the same as "Prevent the user 'nobody' from sending out mail to remote addresses" inside WHM -> Tweak Settings?
BTW: if I check the "Prevent the user 'nobody' from sending out mail to remote addresses" in WHM and have a few users I trust, how do I chown their dir to let them use a php mail script?
And do I have to chown "username" their script that sends e-mail or their entire directory?
As I said, I didn't use formmail, and I heard of the problems with formmail before. I wrote my own one based on the example in the O'Reilly book. I have to disable this code right now, but in case I want to use a form to send email, what's the best solution?