Grant Peel wrote:
> I am thinking a script on one of my servers has a security hole in it. A few
> days ago, the server started sending out huge amounts of spam. I am yet to
> find the culprit.
>
> In the mean time, I am seeing thousands of mailq entries like:
>
> 2008-07-30 18:33:50 1KOKEw-000DG6-77 <= www@??? U=www P=local
> S=2625 T="God Has Chosen You" from <www@???> for
> junebug7004@???
>
> I am thinking that I would like to temporarily disble apache's sending of
> email (from FormMail scripts), until I can track down the offending script.
>
> Is there a way I can do it in Exim's configure?
Shove this (untested) in your data acl:
deny condition = ${if eq{$sender_ident}{www}}
message = Apache isn't allowed to send email
That'll prevent mail being sent from Apache using the executable. If you
have an ident service available locally as well, it'll prevent scripts
from connecting via tcp to the smtp server to send mail.
This is likely indicative of a bad problem though. You probably have a
cgi/php script that is being abused. Possibly allowing the hacker to
execute arbitrary code on your server.
Maybe you should look into the open source project
http://www.modsecurity.org/ for Apache. It will prevent many of these
sorts of attacks by default, and provide extensive logging information
that can be used to track down abused scripts.
Mike
