Bingo, that one did the trick. I didn't realize that qmail's sendmail binary was calling on qmail-inject. After putting that wrapper in place I was able to find some old cgi script that was being exploited and have now disabled it. Again, thanks so much. This actually allowed me to fix another nasty problem I was having on a different mail server where customers would occasionally "bulk" mail a bunch of users and tracing them down was typically very difficult. Now I'll be able to track this much easier, thanks so much!
-Clayton

-----Original Message-----
From: Lars Uhlmann [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 27, 2005 12:00 PM
To: vchkpw@inter7.com
Subject: Re: [vchkpw] OT, but abuse related

On Tue, 27 Sep 2005 09:52:39 -0700
"Clayton Weise" <[EMAIL PROTECTED]> wrote:

> I know this is way off topic, but there are a lot of really smart
> people on this list so I'm hoping to get some ideas here. I've got a
> web server that has some kind of formmail-esque script that is being
> horribly abused but I can't find it. The server (shut down qmail-send
> on it for now) is spewing out messages by the hundreds, if not
> thousands, and I can't seem to center down on which site has the
> offending script. Again, it's pretty off topic but I'm just looking
> for some help here... please.

To get the path of the script that is sending mail you could do this:
Write a wrapper for qmail-inject. From within the wrapper you'll find the
path of the caller script in the environment variable $PWD (assuming
bourne[again]shell). Here is a wrapper example:

,-----[ qmail-inject.wrapper ]
| #! /bin/bash
|
| ORIG_INJECT=/var/qmail/bin/qmail-inject.djb_original
| RETURN_PATH="[EMAIL PROTECTED]"
| TMPFILE=`tempfile`
| DATETIME=`date "+%d.%m.%Y %H:%M:%S"`
|
| # send desired information to myself
| # first the mail header
| echo "From: [EMAIL PROTECTED]" >$TMPFILE
| echo "To: [EMAIL PROTECTED]" >>$TMPFILE
| echo -ne "Subject: [$DATETIME] something meaningful\n\n" >>$TMPFILE
|
| # now the message body
| echo -e "PWD: $PWD\n" >>$TMPFILE
| echo -e "\n----- original e-mail below -----\n" >>$TMPFILE
|
| # save the original message for our mail and pass it on to the real qmail-inject
| tee -a $TMPFILE | $ORIG_INJECT -f$RETURN_PATH
|
| # send the log mail
| $ORIG_INJECT < $TMPFILE
| rm -f $TMPFILE
|
| # local logging
| /usr/bin/logger -p mail.info -t qmail-wrapper "command line parameters: $*"
`-----

Don't forget to change the symbolic link "/usr/sbin/sendmail" (normally
linked to "$QMAILDIR/bin/sendmail") to "$QMAILDIR/bin/qmail-inject". If the
link stays unchanged and the script uses "/usr/bin/sendmail", >qmail-inject<
is invoked by $QMAILDIR/bin/sendmail and therefore "$PWD" will be equal to
"$QMAILDIR/bin".

HTH
Lars
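Building on the wrapper idea in Lars's post, the following is an added example (not code from the thread) of a qmail-inject wrapper that records the caller's working directory together with the parent process command line, uid and the original arguments, and then passes stdin and those arguments through unchanged. The variable names ORIG_INJECT and QMAIL_WRAPPER_LOG and the log path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the wrapper from the list post: a drop-in qmail-inject
# wrapper that records who called it before handing the message on unchanged.
# ORIG_INJECT, QMAIL_WRAPPER_LOG and the default log path are assumptions.

ORIG_INJECT="${ORIG_INJECT:-/var/qmail/bin/qmail-inject.djb_original}"
LOGFILE="${QMAIL_WRAPPER_LOG:-/var/log/qmail-inject-callers.log}"

# One log line per injection: timestamp, uid, the caller's working directory
# (the $PWD trick from the post), the parent process command line and the
# arguments given to qmail-inject. /proc is used when present (Linux),
# otherwise ps supplies the parent command line.
caller_record() {
    if [ -r "/proc/$PPID/cmdline" ]; then
        parent_cmd=$(tr '\0' ' ' < "/proc/$PPID/cmdline")
    else
        parent_cmd=$(ps -o args= -p "$PPID" 2>/dev/null)
    fi
    printf '%s uid=%s ppid=%s pwd=%s parent=[%s] args=[%s]\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "$PPID" "$PWD" \
        "$parent_cmd" "$*"
}

# Log the caller, then pass stdin and every original argument through
# untouched so legitimate mail still goes out with the sender's own options.
# A logging failure is deliberately not allowed to block delivery.
inject_wrapper() {
    caller_record "$@" >> "$LOGFILE" 2>/dev/null || :
    "$ORIG_INJECT" "$@"
}

# When installed and executed as the replacement binary, act on our own args.
case "$0" in
    *qmail-inject*) inject_wrapper "$@" ;;
esac
```

Each log line names the directory the sending script ran from and the process that invoked the wrapper, which is enough to walk straight to the abused CGI.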