Clayton Weise wrote:
>> Run it once, and dump to a file. Run it again a few minutes later
>> and dump to a file. Do a diff -u on the file and you'll only see
>> sites getting hits.
>
> Tried something similar but the interesting thing is that it isn't
> getting a lot of hits but the messages that go out have a TON of
> recipients. One message might have 500 RCPT TO's in it, but it only
> gets tagged as one hit to the page.
>

Grep the apache logs for POST. The referrer will often be left blank and makes them easy to spot.

> -----Original Message-----
> From: Tom Collins [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 27, 2005 10:15 AM
> To: [email protected]
> Subject: Re: [vchkpw] OT, but abuse related
>
> Assuming you're running VirtualHosts with apache, here's what I've
> done in a similar situation.
>
> If your directory structure works for this, you can look at all of
> the access logs for your virtual hosts:
>
> ls -l */*/logs/access_log
>
> Run it once, and dump to a file. Run it again a few minutes later
> and dump to a file. Do a diff -u on the file and you'll only see
> sites getting hits. Look for the ones with fast-growing log files,
> and then manually examine those logs. Note that you might need to
> look at the error_log as well, as there might be a script that
> generates an error yet still sends the email.
>
> If your directory structure isn't organized well enough to find all
> the access_log files, you'll have to write a script that goes through
> your apache configuration files looking for the TransferLog (or
> ErrorLog) setting, and check the size of the log.
>
> Another quick idea is to run `locate formmail` and `locate FormMail`
> to spot some quick possibilities.
>
> Good luck.
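
The check suggested in the reply above (POST requests with a blank referrer), as an added example that is not part of the original thread: a shell function that tallies such requests per script path. It assumes Apache's "combined" log format; the function names, sample log lines and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally POST requests that arrived without a Referer,
# grouped by request path, from Apache "combined" format access logs.

# blank_referer_posts [FILE...]
# Reads the named logs (or stdin) and prints "<count> <path>" lines,
# busiest path first.
blank_referer_posts() {
    # Splitting each line on the double quote gives:
    #   $2 = request line ("POST /path HTTP/1.x"), $4 = Referer
    # A missing Referer is logged as "-" (sometimes as an empty string).
    # NF >= 6 skips lines with no Referer field (common log format).
    # Assumption: request lines contain no escaped quotes (\").
    awk -F'"' '
        NF >= 6 {
            n = split($2, req, " ")
            if (n >= 2 && req[1] == "POST" && ($4 == "-" || $4 == "")) {
                path = req[2]
                sub(/[?].*/, "", path)   # drop any query string
                hits[path]++
            }
        }
        END { for (p in hits) print hits[p], p }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample log: documentation addresses and made-up paths.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [27/Sep/2005:10:01:02 -0700] "POST /cgi-bin/contact.pl HTTP/1.0" 200 312 "-" "-"
192.0.2.10 - - [27/Sep/2005:10:01:05 -0700] "POST /cgi-bin/contact.pl HTTP/1.0" 200 312 "-" "-"
192.0.2.10 - - [27/Sep/2005:10:01:09 -0700] "POST /cgi-bin/contact.pl?x=1 HTTP/1.0" 200 312 "" "-"
198.51.100.7 - - [27/Sep/2005:10:02:11 -0700] "POST /cgi-bin/contact.pl HTTP/1.1" 200 312 "http://www.example.com/contact.html" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2005:10:03:40 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2005:10:04:12 -0700] "POST /guestbook/sign.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
EOF
}

# With arguments, scan those logs; without, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    blank_referer_posts "$@"
else
    sample_log | blank_referer_posts
fi
```

Against the virtual-host layout mentioned in the thread it could be run as `blank_referer_posts */*/logs/access_log`. As noted above, one request can carry hundreds of recipients, so a path with only a few hits is still worth examining.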
