On Monday 07 September 2009 07:25:52 Martina Tomisova wrote:
> I'm analyzing logs to find the spam source and I've understood
> that if someone sends the message, one of the first lines written
> to the log file is a line containing the queue id and
> 'client=IP_ADDRESS'.

This is only true if the mail came in through smtpd(8).

> But not every time. Actually this line is missing just in cases
> the spam is sent. :) How's that possible? Any ideas how can I get
> the IP address of the sender in such case?

It's possible, and common in the case of server compromises, for
malware running on your own machine to be spewing spam using
sendmail(1) submission. In that case, the first log you would see is
like this:
   Sep  6 11:17:42 chestnut postfix/pickup[10567]: 974581C02EF9:
   uid=1000 from=<r...@gmx.co.uk>

In many of these that I have seen, the machine itself is not under
control of the attacker; it is merely an exploited PHP Web script
being used for spam. If you were rooted, your logs would typically
have no evidence of the abuse which is taking place.

Do note, all this is mere speculation in your case, since you
failed to follow the list guidelines (in the welcome message and
DEBUG_README) by not posting the logging in question.

If, however, my guess was right, I highly recommend that you stop
Postfix and your httpd+PHP immediately, before any more damage is
done. You might already be blacklisted.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

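The distinction drawn in the reply (a `client=name[IP]` line from smtpd(8) for mail that arrived over SMTP versus a `uid=N` line from pickup(8) for mail injected locally through sendmail(1)) can be turned into a small log triage script. The example below is an added illustration and not code from the original thread or from the Postfix project. It groups Postfix log lines by queue id, records how each message entered the queue, and lists the locally submitted messages, optionally only those with many recipients. The sample log is constructed: the first line mirrors the pickup line quoted in the reply (host `chestnut`, queue id `974581C02EF9`, `uid=1000`), while the remaining lines, queue ids, addresses and the IP `192.0.2.10` are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix log lines (not from the original message).
# The first line mirrors the pickup(8) line quoted in the reply; the other
# hostnames, queue ids, addresses and the IP address are made up.
SAMPLE_LOG = """\
Sep  6 11:17:42 chestnut postfix/pickup[10567]: 974581C02EF9: uid=1000 from=<user@example.org>
Sep  6 11:17:42 chestnut postfix/cleanup[10570]: 974581C02EF9: message-id=<20090906.1@chestnut>
Sep  6 11:17:43 chestnut postfix/qmgr[10502]: 974581C02EF9: from=<user@example.org>, size=2311, nrcpt=1 (queue active)
Sep  6 11:18:00 chestnut postfix/smtpd[10601]: connect from mail.example.net[192.0.2.10]
Sep  6 11:18:01 chestnut postfix/smtpd[10601]: A1B2C3D4E5F6: client=mail.example.net[192.0.2.10]
Sep  6 11:18:01 chestnut postfix/cleanup[10570]: A1B2C3D4E5F6: message-id=<20090906.2@example.net>
Sep  6 11:18:02 chestnut postfix/qmgr[10502]: A1B2C3D4E5F6: from=<alice@example.net>, size=812, nrcpt=1 (queue active)
Sep  6 11:19:10 chestnut postfix/pickup[10567]: 0F0E0D0C0B0A: uid=33 from=<www-data@chestnut>
Sep  6 11:19:10 chestnut postfix/qmgr[10502]: 0F0E0D0C0B0A: from=<www-data@chestnut>, size=4410, nrcpt=50 (queue active)
"""

# syslog timestamp, host, "postfix/<daemon>[pid]: <queue id>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
UID_RE = re.compile(r"\buid=(?P<uid>\d+)")
NRCPT_RE = re.compile(r"\bnrcpt=(?P<n>\d+)")
SENDER_RE = re.compile(r"from=<(?P<addr>[^>]*)>")


def parse_origins(log_text):
    """Group Postfix log lines by queue id and record where each message entered.

    A 'client=' line from smtpd(8) means the message arrived over SMTP and the
    bracketed address is the real sending host.  A 'uid=' line from pickup(8)
    means it was handed in locally via sendmail(1): there is no client IP, the
    only lead is the local uid that performed the submission.
    """
    msgs = defaultdict(lambda: {"origin": "unknown", "client": None, "ip": None,
                                "uid": None, "nrcpt": None, "sender": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Lines without a queue id (e.g. "connect from ...") and NOQUEUE
        # rejects never entered the queue, so they carry no message to track.
        if not m or m.group("qid") == "NOQUEUE":
            continue
        rec = msgs[m.group("qid")]
        prog, rest = m.group("prog"), m.group("rest")
        if prog == "smtpd":
            c = CLIENT_RE.search(rest)
            if c:
                rec["origin"] = "smtpd"
                rec["client"], rec["ip"] = c.group("name"), c.group("ip")
        elif prog == "pickup":
            u = UID_RE.search(rest)
            if u:
                rec["origin"] = "pickup"
                rec["uid"] = int(u.group("uid"))
        elif prog == "qmgr":
            n = NRCPT_RE.search(rest)
            if n:
                rec["nrcpt"] = int(n.group("n"))
            f = SENDER_RE.search(rest)
            if f:
                rec["sender"] = f.group("addr")
    return dict(msgs)


def local_submissions(msgs, min_nrcpt=1):
    """Queue ids injected locally (no client IP) with at least min_nrcpt recipients."""
    return sorted(qid for qid, r in msgs.items()
                  if r["origin"] == "pickup" and (r["nrcpt"] or 0) >= min_nrcpt)


def describe(qid, r):
    """One-line summary of how a message entered the queue."""
    if r["origin"] == "smtpd":
        return f"{qid}: received via SMTP from {r['client']}[{r['ip']}]"
    if r["origin"] == "pickup":
        return f"{qid}: local submission by uid {r['uid']} (no client IP), nrcpt={r['nrcpt']}"
    return f"{qid}: origin not seen in log"


if __name__ == "__main__":
    parsed = parse_origins(SAMPLE_LOG)
    for qid in sorted(parsed):
        print(describe(qid, parsed[qid]))
    # Bulk local submissions from a web-server uid are the pattern the reply
    # describes: an abused PHP script handing spam to sendmail(1).
    print("local submissions with >= 10 recipients:",
          local_submissions(parsed, min_nrcpt=10))
```

Run it against `/var/log/mail.log` by reading the file into `parse_origins` instead of `SAMPLE_LOG`; the uid reported for a pickup(8) entry maps through `/etc/passwd` to the account that ran sendmail(1), which is the starting point for finding the script or process responsible when no client IP exists.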