Have you tried looking in the assp log using the timestamp? In the example below the receive time was "Sat, 8 Aug 2009 04:12:01 -0400", so I would look in assp/logs/maillog.txt for "Aug-8-09 04:12" (forget the seconds and shoot for the minute or the previous minute). Then I'd scan forward through that two-minute period. Anything that connects to ASSP logs something like this:

Aug-8-09 00:44:37 [Worker_1] Connected: 93.113.162.195:4412 -> 8.1.2.3:25 -> 127.0.0.1:125

That would show whether the bad guys emailed through assp or are going around it via your webserver/php etc. Note that if they are ingenious haxors they would inject into 127.0.0.1:10025, because it is the example post-spam-filter port. I would also take a look at my web access logs for the timestamp. See if there is a PUT or POST in that minute, and check that the link is legal. If you have other external services which could be misused by spammers, check those logs in that two-minute time frame. You should find a link via timestamps unless your server is completely compromised.
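The timestamp correlation described above, written out as a script so it can be run over the logs instead of eyeballed. This is an added example, not the poster's own script and not part of ASSP. It assumes the ASSP maillog line layout is the one quoted in the message ("Aug-8-09 00:44:37 [Worker_1] Connected: src -> listener -> forward"), that the web access log is Apache "combined" format, and that ASSP stamps its log in the server's local zone, which is taken to be the -0400 the quoted Received: headers carry. Every log line inside the block is a constructed sample, not real traffic.

```python
"""Correlate one Received: header timestamp with the ASSP maillog and the
web-server access log.  Added example; not ASSP code.  Assumptions:
ASSP maillog layout as quoted in the thread, Apache combined access log,
and ASSP logging in server-local time (-0400 here).  Sample log lines
below are constructed for the example."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed server time zone: the -0400 of the quoted headers.
SERVER_TZ = timezone(timedelta(hours=-4))

# ASSP: "Aug-8-09 00:44:37 [Worker_1] Connected: 93.113.162.195:4412 -> 8.1.2.3:25 -> 127.0.0.1:125"
ASSP_LINE = re.compile(r"^([A-Z][a-z]{2}-\d{1,2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
CONNECTED = re.compile(r"Connected: (\S+):(\d+) -> (\S+):(\d+) -> (\S+):(\d+)")

# Apache combined: 1.2.3.4 - - [08/Aug/2009:04:11:52 -0400] "POST /x HTTP/1.1" 200 512 "-" "UA"
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def to_local(dt):
    """Aware datetime -> naive server-local datetime, comparable with ASSP's stamps."""
    return dt.astimezone(SERVER_TZ).replace(tzinfo=None)


def assp_stamp(dt):
    """The minute-precision string to grep for in maillog.txt, e.g. 'Aug-8-09 04:12'."""
    return f"{dt:%b}-{dt.day}-{dt:%y} {dt:%H:%M}"


def search_window(received_date, minutes_before=1, minutes_after=1):
    """Drop the seconds and cover the previous minute plus this one (half-open)."""
    minute = to_local(parsedate_to_datetime(received_date)).replace(second=0, microsecond=0)
    return minute - timedelta(minutes=minutes_before), minute + timedelta(minutes=minutes_after)


def parse_assp(line):
    m = ASSP_LINE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S"), m.group(2)


def parse_access(line):
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    ts = to_local(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
    return ts, m.group(1), m.group(3), m.group(4), m.group(5)


def correlate(received_date, maillog, access_log):
    start, end = search_window(received_date)
    connections = []
    for line in maillog:
        parsed = parse_assp(line)
        if not parsed or not (start <= parsed[0] < end):
            continue
        c = CONNECTED.search(parsed[1])
        if c:
            connections.append({"time": parsed[0], "src": c.group(1),
                                "listener": f"{c.group(3)}:{c.group(4)}"})
    writes = []
    for line in access_log:
        parsed = parse_access(line)
        if parsed and start <= parsed[0] < end and parsed[2] in ("POST", "PUT"):
            writes.append({"time": parsed[0], "ip": parsed[1],
                           "method": parsed[2], "path": parsed[3]})
    return {
        "window": (start, end),
        "assp_connections": connections,
        "web_writes": writes,
        # No Connected: line in the window means the mail never hit ASSP's listener
        # (e.g. injected straight into the post-filter port).
        "seen_by_assp": bool(connections),
    }


# Constructed samples.  RECEIVED_DATE is from the bottom-most Received: line our own
# MTA stamped; a local (127.0.0.1) connection to ASSP right after an external POST to
# a form script is the "went through the webserver/php" pattern.
RECEIVED_DATE = "Sat, 8 Aug 2009 04:12:01 -0400 (EDT)"
MAILLOG = [
    "Aug-8-09 00:44:37 [Worker_1] Connected: 93.113.162.195:4412 -> 8.1.2.3:25 -> 127.0.0.1:125",
    "Aug-8-09 04:11:59 [Worker_2] Connected: 127.0.0.1:49321 -> 127.0.0.1:25 -> 127.0.0.1:125",
    "Aug-8-09 04:13:40 [Worker_1] Connected: 203.0.113.9:40022 -> 8.1.2.3:25 -> 127.0.0.1:125",
]
ACCESS_LOG = [
    '203.0.113.9 - - [08/Aug/2009:04:10:05 -0400] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Aug/2009:04:11:58 -0400] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [08/Aug/2009:04:12:30 -0400] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Aug/2009:04:14:01 -0400] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    result = correlate(RECEIVED_DATE, MAILLOG, ACCESS_LOG)
    start, end = result["window"]
    print("grep maillog.txt for:", assp_stamp(start), "and", assp_stamp(end - timedelta(minutes=1)))
    for c in result["assp_connections"]:
        print("ASSP connection", c["time"], "from", c["src"], "to", c["listener"])
    for w in result["web_writes"]:
        print("web write", w["time"], w["ip"], w["method"], w["path"])
    print("seen by ASSP:", result["seen_by_assp"])
```

Start from the Received: line your own MTA added (the lowest one that is not from the sender's host), since the upstream ones are under the sender's control and can say anything. A 127.0.0.1 source in the ASSP window paired with an external POST a second or two earlier points at a web script relaying mail; no ASSP connection at all in the window points at injection past ASSP.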
I've been there - due to the secretary believing she didn't need to update anti-virus. Her PC was taken over and the hacker watched all the traffic in the ISP LAN, where he got both sides of SSH conversations. He would get on a clean new server within 2 minutes of me putting it on the network, which made me suspicious. I ran a port scan of all the office computers and found the infested PC. Things went better after that.

Al

On Aug 8, 2009, at 6:53 AM, Trevor Jacques wrote:

> Here are four new, recent examples of the problem (there should be assp headers on all of them). From what I can tell there is more than one source, and they're coming into more than one virtual domain.
>
> Return-Path: <jonat...@e-fta.co.kr>
> Received: from My.MXDomain.com ([unix socket])
>     by My.MXDomain.com (Cyrus v2.3.8-OS X Server 10.5: 9G69) with LMTPA;
>     Sat, 08 Aug 2009 04:12:09 -0400
> X-Sieve: CMU Sieve 2.3
> Received: from localhost (localhost [127.0.0.1])
>     by My.MXDomain.com (Postfix) with ESMTP id 44CBAB6AB15
>     for <webmas...@mydomain1.com>; Sat, 8 Aug 2009 04:12:07 -0400 (EDT)
> X-Virus-Scanned: amavisd-new at MyServer.com
> Received: from My.MXDomain.com ([127.0.0.1])
>     by localhost (My.MXDomain.com [127.0.0.1]) (amavisd-new, port 10024)
>     with ESMTP id VpbA1fEKe0qh for <webmas...@mydomain1.com>;
>     Sat, 8 Aug 2009 04:12:04 -0400 (EDT)
> Received: from mail.e-fta.co.kr (localhost [127.0.0.1])
>     by My.MXDomain.com (Postfix) with ESMTP id 4C700B6AB09
>     for <webmas...@mydomain1.com>; Sat, 8 Aug 2009 04:12:01 -0400 (EDT)
> Received: from mail.e-fta.co.kr (bear [127.0.0.1])
>     by mail.e-fta.co.kr (8.13.1/8.13.1) with ESMTP id n786hceu024160
>     for <webmas...@mydomain1.com>; Sat, 8 Aug 2009 15:43:39 +0900
> Received: (from e-...@localhost)
>     by mail.e-fta.co.kr (8.13.1/8.13.1/Submit) id n786hbWp024153
>     for webmas...@mydomain1.com; Sat, 8 Aug 2009 15:43:37 +0900
> Date: Sat, 8 Aug 2009 15:43:37 +0900
> Message-Id: <200908080643.n786hbwp024...@mail.e-fta.co.kr>
> X-Authentication-Warning: mail.e-fta.co.kr: e-fta set sender to jonat...@e-fta.co.kr using -f
> To: <webmas...@mydomain1.com>
> From: Jonathan Sim<s...@e-fta.co.kr>
> Subject: [ALLWIN] Steam Car Wash
> Content-type: text/html

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test