On Saturday 11 March 2006 04:25, NW7US, Tomas wrote:
> My scripts are really buttoned down, those that I have written myself.
> The perl scripts do use the CGI code, latest. And I do my own regex
> stuff. I'll double-check my tests. I just don't yet see how the messages
> are getting through. If I could figure out what script... I've got to
> figure out some way to audit...
If you've got hosted domains, grep -r 'mail(' /path/to/webroots :) It'll
at least give you a starting list of scripts that use mail().
Then, using that list of scripts, build a script that can check your web
server access logs - either in real time or post-mortem. Cross reference the
header injection times with the results from the log search and you'll have a
rough idea of which scripts were responsible.
