On Saturday 11 March 2006 04:25, NW7US, Tomas wrote:
> My scripts are really buttoned down, those that I have written myself.
> The perl scripts do use the CGI code, latest. And I do my own regex
> stuff. I'll double-check my tests. I just don't yet see how the messages
> are getting through. If I could figure out what script... I've got to
> figure out some way to audit...

If you've got hosted domains, grep -r 'mail(' /path/to/webroots :) It'll at least give you a starting list of scripts that use mail(). Then, using that list of scripts, build a script that can check your web server access logs - either in real time or post-mortem. Cross-reference the header injection times with the results from the log search and you'll have a rough idea of which scripts were responsible.
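
The cross-referencing step described in the reply above, sketched as an added example that is not part of the original message. The script paths, log lines, injection times and the 30-second window are constructed assumptions; the log format assumed is Apache common log format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: URL paths of the scripts that grep reported as calling mail()
MAIL_SCRIPTS = {"/contact.php", "/cgi-bin/feedback.pl"}

# Constructed access-log lines (Apache common log format)
ACCESS_LOG = """\
198.51.100.7 - - [11/Mar/2006:03:14:05 -0500] "GET /index.html HTTP/1.1" 200 1043
203.0.113.9 - - [11/Mar/2006:03:14:07 -0500] "POST /contact.php HTTP/1.1" 200 512
198.51.100.7 - - [11/Mar/2006:03:20:00 -0500] "POST /cgi-bin/feedback.pl HTTP/1.1" 200 230
203.0.113.9 - - [11/Mar/2006:03:41:58 -0500] "POST /contact.php?x=1 HTTP/1.1" 200 512
""".splitlines()

# Constructed times at which header-injected messages show up in the mail log
INJECTION_TIMES = ["2006-03-11T03:14:09-05:00", "2006-03-11T03:42:00-05:00"]

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    """Return (client_ip, timestamp, method, url_path), or None if the line is malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, url, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, urlsplit(url).path  # drop the query string

def correlate(log_lines, mail_scripts, injection_times, window=30):
    """Count requests to mail() scripts made at most `window` seconds before an injected message."""
    times = [datetime.fromisoformat(t) for t in injection_times]
    span = timedelta(seconds=window)
    hits = Counter()
    for ip, when, _method, path in filter(None, map(parse, log_lines)):
        if path not in mail_scripts:
            continue
        if any(timedelta(0) <= t - when <= span for t in times):
            hits[(path, ip)] += 1
    return hits

if __name__ == "__main__":
    for (path, ip), n in correlate(ACCESS_LOG, MAIL_SCRIPTS, INJECTION_TIMES).most_common():
        print(f"{n:3d}  {path}  from {ip}")
```

Scripts that top the count across many injection times are the ones to audit first; widen the window if the mail queue delays delivery.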