  1. #1
    Join Date
    Jun 2001
    Göttingen, Germany

    cobalt - spam - formmail : which user


    Yesterday a spammer used my server, a Cobalt RaQ3, for spamming.
    I stopped sendmail and I am now checking all sites for a formmail script. I found 3 of them already.
    However, in the log, it is said that user xxxxxx is the sender of the mail.
    This is a part of the maillog:

    Oct 12 05:04:52 www sendmail[32393]: FAA32393: from=user-of-domain, size=2488, class=0, pri=2582488, nrcpts=86, msgid=<>, [email protected]

    ( real names are changed )

    I know that this user cannot be the one who sent the spams. Also, on the site this user manages, there is no formmail script. So why is this user mentioned? Maybe his password is cracked?

    Any ideas are welcome.


  2. #2
    Join Date
    Sep 2001
    Tampa, Florida
    Help! Someone is spamming using my RaQ 3 as well. Found in a few do I find what account was compromised?

    Sean Caldwell
    Broadcast Voiceovers

  3. #3
    Check your maillogs:

    tail -f /var/log/messages

    Then do locate all formmails and delete them.

  4. #4
    Join Date
    Jun 2001
    Older versions of FormMail are prone to being spammed off.

    What you can do is:

    1. Tell your clients to upgrade to the newest FormMail.
    2. Tell your clients to rename the current file to something else. This is because spammers search for the exact phrase via search engines to locate easy-to-spam accounts.

    Precautions are just to locate or renamed versions of the scripts on the server. Inform client.

    Make sure POP before SMTP is enabled on the server.

    As for the question above, of course you will see the username as the sender; this is because the user uploaded the file and the file has his ownership.

    Hope this helps.
    The account is not compromised, BTW... it's just a bug in older versions of FormMail which allows spammers to spam right off the website.

  5. #5
    You can also check your access log /var/log/httpd/access

    Just look for the and it will show you which site it is coming from.
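
The access-log check from the last reply, as an added example that is not part of the original thread: it counts requests to FormMail-style script names per site so the busiest one stands out. The log layout (virtual host in the first field, then Apache common log format), the function names and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example: tally requests to FormMail-style scripts per site.
# Assumed layout (not from the thread): vhost in field 1, then common log format.

formmail_hits() {
    # $1 = access log path. Prints "count vhost path", busiest first.
    awk '
    {
        # The request line is the first double-quoted string on the line.
        if (split($0, q, "\"") < 3) next        # malformed line, skip
        if (split(q[2], req, " ") < 2) next     # need method and path
        method = req[1]; path = req[2]
        if (method != "POST" && method != "GET") next
        sub(/\?.*/, "", path)                   # drop any query string
        lp = tolower(path)                      # FormMail.cgi, formmail.pl, ...
        if (lp !~ /form[-_]?mail(\.(pl|cgi))?$/) next
        hits[$1 " " path]++
    }
    END { for (k in hits) print hits[k], k }
    ' "$1" | sort -k1,1nr -k2
}

sample_log() {
    # Constructed sample lines; hosts and addresses are documentation values.
    cat <<'EOF'
shop.example.com 192.0.2.10 - - [12/Oct/2001:05:04:50 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
shop.example.com 192.0.2.10 - - [12/Oct/2001:05:04:51 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
shop.example.com 192.0.2.10 - - [12/Oct/2001:05:04:52 +0200] "GET /cgi-bin/formmail.pl?x=1 HTTP/1.0" 200 512
club.example.org 198.51.100.7 - - [12/Oct/2001:06:00:00 +0200] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 200 300
club.example.org 198.51.100.7 - - [12/Oct/2001:06:00:01 +0200] "GET /index.html HTTP/1.0" 200 900
EOF
}

# Usage: sh formmail_hits.sh /var/log/httpd/access
if [ "$#" -gt 0 ]; then
    formmail_hits "$1"
fi
```

A script that has been renamed, as suggested in reply #4, will not match this name pattern, so a site missing from the output is not proof that it has no form-to-mail script.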
