Hi Colin,

> Looking for ideas.
>
> We suspect we have a compromised website on one of our servers – being
> used for spam.
>
> What is the easiest way to track this down? Can see spam being sent via
> localhost but can’t pin it down.
Do you have a halfway recent AV-SPAM installed on it? Version 6.1.0 or better? The most recent one is 6.2.1.

Under "Network Settings" / "AV-SPAM" / "Services" see if "Milter-GeoIP" is enabled. If not, turn it on. Then in the "GeoIP" tab tick the boxes for "Suspend Accounts" and "Enforce Email Limits". Set the limits for "Service Accounts", "Virtual Sites" and "Users" as per your liking. You can still change them to different settings for each individual Vsite and User, but these will be the initial (default) values that will be used once this feature is enabled.

Milter-GeoIP will now track the email volume (outgoing) of your server and will help you to pinpoint who sends how much. As this ties into Sendmail it'll give you the actual user names under which the outgoing emails are created.

Under "Usage Information" / "Email" you will see "Email Traffic as reported by Milter-GeoIP". If the culprit is a certain User of a Vsite, then you can directly see this there once some activity has been recorded by Milter-GeoIP.

Additionally: Once a user is close to sending more emails than allowed (>75% of allowed usage), both you and the user will get a warning. If he reaches his hard daily limit for outgoing emails, then no further email can be sent by him and another warning is generated.

Lastly: If a user with valid login details tries to send email from a blacklisted country, then Milter-GeoIP can either block that or even suspend the account automatically if you configure this. But it at least generates a warning if valid login details are used from suspicious countries.

Now if the culprit is a system account such as "apache"? Milter-GeoIP will tell you as well and also enforces limits and cutoffs on that.

If all Vsites run their PHP scripts as a siteAdmin of a Vsite and one of their PHP scripts creates the SPAM? In that case the offender will be the name of the siteAdmin account of that Vsite, which makes it easy to find.
Most of this doesn't outright stop the sending of SPAM, but it raises the yellow and red flag early and lets you know if something fishy happens. Additionally it aids in identifying the culprit and limiting the volume of SPAM that he might get out.

As some mentioned already: There are sneaky ways of sending outgoing emails. But if it runs through Sendmail, then Milter-GeoIP will see this and will report it. It doesn't catch those cases where a compromise brought its own SMTP-mechanism aboard which bypasses Sendmail, though. But these are sufficiently rare anyway.

And as always: If you need a hand, send me the login details offlist and I'll take the shotgun and shovel to this case. ;-)

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
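The per-account tally that the reply describes (who submits how much outgoing mail, a warning above 75% of the limit, a cutoff at the hard limit) can also be approximated from the Sendmail log on a box without Milter-GeoIP, which helps when you want to confirm what the GUI reports or to look at older logs. The script below is an added example written for this thread; it is not BlueOnyx or Milter-GeoIP code. It assumes the usual sendmail `maillog` format, in which a message handed in locally (PHP `mail()`, a cron job) is logged with `relay=<account>@localhost`, so the Unix account that ran the submitting process is recoverable from that field. The limits, the 75% threshold and every sample log line are constructed for the example; the account names `alice`, `apache` and `site2admin` are placeholders.

```python
import re
from collections import Counter

# Constructed daily outgoing-message limits per account (the real values are
# whatever you set under the AV-SPAM "GeoIP" tab); "_default" covers the rest.
DEFAULT_LIMITS = {"apache": 10, "_default": 20}
WARN_FRACTION = 0.75   # warning once an account passes 75% of its limit

# sendmail logs one from= line per queued message. For locally submitted mail
# the relay field reads <account>@localhost; for SMTP it is a host [ip] pair.
FROM_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>.*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>\S+)"
)


def submitting_account(relay):
    """Local Unix account that submitted the message, or None for SMTP relays."""
    if relay.endswith("@localhost"):
        return relay.split("@", 1)[0]
    return None


def parse_maillog(text):
    """Return (account, nrcpts) for every locally submitted message in the log."""
    records = []
    for line in text.splitlines():
        m = FROM_LINE.search(line)
        if not m:
            continue
        account = submitting_account(m.group("relay"))
        if account is None:
            continue   # inbound / network SMTP traffic: not attributable to a local account
        records.append((account, int(m.group("nrcpts"))))
    return records


def tally(records):
    """Message and recipient totals per submitting account."""
    messages, recipients = Counter(), Counter()
    for account, nrcpts in records:
        messages[account] += 1
        recipients[account] += nrcpts
    return messages, recipients


def classify(messages, limits=DEFAULT_LIMITS):
    """Map each account to 'ok', 'warning' (>75% of its limit) or 'limit reached'."""
    status = {}
    for account, count in messages.items():
        limit = limits.get(account, limits["_default"])
        if count >= limit:
            status[account] = "limit reached"
        elif count > WARN_FRACTION * limit:
            status[account] = "warning"
        else:
            status[account] = "ok"
    return status


def make_sample_maillog():
    """Constructed log: a normal user, a spamming 'apache' account, a bursting site admin."""
    lines, qid = [], 0

    def emit(account, sender, nrcpts):
        nonlocal qid
        qid += 1
        lines.append(
            f"Jan 10 09:{qid:02d}:00 srv sendmail[2100]: q0A9{qid:04d}: "
            f"from=<{sender}>, size=900, class=0, nrcpts={nrcpts}, "
            f"msgid=<{qid}@srv.example>, relay={account}@localhost"
        )

    for _ in range(3):
        emit("alice", "alice@site1.example", 1)
    for _ in range(8):
        emit("apache", "www@srv.example", 30)          # PHP mail() run as apache
    for _ in range(20):
        emit("site2admin", "noreply@site2.example", 5)  # PHP run as a Vsite's siteAdmin
    # One inbound SMTP delivery, which must not be charged to any local account.
    lines.append("Jan 10 09:59:00 srv sendmail[2200]: q0A9ZZZZ: from=<x@remote.example>, "
                 "size=500, class=0, nrcpts=1, msgid=<r@remote.example>, proto=ESMTP, "
                 "daemon=MTA, relay=mx.remote.example [192.0.2.10]")
    return "\n".join(lines)


def report(text=None, limits=DEFAULT_LIMITS):
    """account -> (messages, recipients, status) for a maillog text (sample if None)."""
    log = text if text is not None else make_sample_maillog()
    messages, recipients = tally(parse_maillog(log))
    return {a: (messages[a], recipients[a], s) for a, s in classify(messages, limits).items()}


if __name__ == "__main__":
    for account, (msgs, rcpts, status) in sorted(report().items()):
        print(f"{account:12s} messages={msgs:3d} recipients={rcpts:4d} {status}")
```

Run it against a real log with `report(open("/var/log/maillog").read())`; the recipient column is worth keeping next to the message count, because a script that sends a handful of messages to hundreds of recipients each looks harmless by message count alone. As the reply notes, this only sees what passes through Sendmail; a compromise that ships its own SMTP client never shows up in `maillog`.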