On Thu, 25 Mar 2010 22:13:05 -0600 Josh Cason <joc...@mychoice.cc> wrote:
> So when I type grep the original message. In this case as
> listed above. It lists the server ip number as coming in with some
> outside e-mail address we don't have.

If it's coming from the server IP or localhost, you've most likely got some naughty CGI/PHP/whatever script on your server generating it. (Or someone has a shell account and is doing it, but that's rare these days.)

Is there a web server on this machine? Do you allow users to run PHP or CGI? Are you running a webmail package of some sort and have users that think it's wise to send their credentials to Nigeria? Look at log entries in your web server access logs to see if someone is loading a suspicious-looking page around this time (grep for 'POST' in the logs to narrow it down).
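The log correlation suggested in the reply above, as an added example that is not part of the original message: it lists POST requests in a web server access log that fall within a time window around the moment the suspect message appears in the mail log. The function names, the sample log lines and the timestamps are constructed for illustration; it assumes Apache combined/common log format and that the mail log and access log use the same local time zone.

```shell
#!/bin/sh
# posts_near DAY HH:MM:SS WINDOW_SECONDS   (access log on stdin)
# DAY is written as in the access log, e.g. 25/Mar/2010.
# Prints "client-ip time path" for each POST within the window.
# Limitation: compares within one calendar day only, so a window that
# crosses midnight needs a second run with the neighbouring day.
posts_near() {
    awk -v day="$1" -v at="$2" -v win="$3" '
        function secs(t,  p) {
            split(t, p, ":")
            return p[1] * 3600 + p[2] * 60 + p[3]
        }
        BEGIN { target = secs(at) }
        # Field 6 is the request method with its opening quote: "POST
        $6 == "\"POST" {
            stamp = substr($4, 2)              # strip leading "["
            cut = index(stamp, ":")            # date/time separator
            if (substr(stamp, 1, cut - 1) != day) next
            t = substr(stamp, cut + 1)
            delta = secs(t) - target
            if (delta < 0) delta = -delta
            if (delta <= win) print $1, t, $7
        }'
}

# Constructed sample access log (documentation IP ranges, made-up paths).
sample_log() {
    cat <<'EOF'
198.51.100.20 - - [25/Mar/2010:21:40:11 -0600] "GET /index.html HTTP/1.1" 200 1043
198.51.100.20 - - [25/Mar/2010:22:01:30 -0600] "POST /webmail/login.php HTTP/1.1" 200 2210
203.0.113.7 - - [25/Mar/2010:22:12:58 -0600] "POST /forms/contact.php HTTP/1.1" 200 87
203.0.113.7 - - [25/Mar/2010:22:13:01 -0600] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.7 - - [25/Mar/2010:22:14:40 -0600] "POST /forms/contact.php HTTP/1.1" 200 87
192.0.2.55 - - [26/Mar/2010:22:13:05 -0600] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 310
EOF
}

# Suspect message logged at 22:13:05 (constructed); look two minutes either side.
sample_log | posts_near 25/Mar/2010 22:13:05 120
```

On a real server, replace `sample_log |` with the access log file on stdin; the script path that keeps appearing next to the outbound mail timestamps is the one to inspect first.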