There are lots of services out there to check if your server is used as an open proxy. You can also check blacklist services to see if you're listed. Also check your logs in /var/log and the mailq. If it's a local user spamming, you should discover what is being abused: is it a site with bad PHP mail forms or something? Start with the logs!
Hi, first, thanks for the reply. For now I'm not in any blacklist. Searching in the logs I found that emails are sent from an email account that does not exist on my server. This makes me think that the emails are sent from a PHP script. Is this true? If true, how can you locate the corrupt script? On this server there are only my pages.
There is a chance that it is a rogue PHP or CGI script, but most likely your mail server could be configured as an open relay. A site to check that is http://www.dnsqueries.com/en/ . Just use their SMTP checker. There are other sites that do this as well. Another useful site could be: http://www.spamhelp.org/shopenrelay/ As for finding PHP scripts that are insecure, you could try a command like:
Code:
    find /var/www/ -type f -name "*.php*" -print0 | xargs -0 -r grep -inH 'mail' > ~/maillist.log
Then look at all the instances of 'mail' in your scripts and see if anything looks insecure. Good luck.
I got the same problem, but it does not work! I have Debian etch. How can I locate weaknesses in PHP scripts if the above does not work? It simply doesn't return anything. Best regards, Mike
The above command line will scan all .php files and look for the mail command. When found, it will dump the file name and code in a file named "maillist.log". Like lano mentioned, the file "maillist.log" should be in the root. If you cannot find the file in the /root dir, then you can run "updatedb" and after that do a "locate maillist.log". Please note that when a .php file is encrypted, it will not find the 'mail' function.
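An added example, not written by anyone in this thread: it goes a step beyond the grep above by matching mail( only as a function call, separating files that also read request data, and listing encoded files that a plain search for 'mail' would miss. The function names, the tags, the marker list for encoded code and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage PHP files that can send mail.

# classify_php FILE: print MAIL+INPUT, MAIL or ENCODED; print nothing otherwise.
classify_php() {
    # mail( as a call; "email(" and "$mail(" do not match. PHP function
    # names are case-insensitive, hence -i.
    if grep -qiE '(^|[^[:alnum:]_$])mail[[:space:]]*\(' "$1"; then
        # Request data in the same file makes it the form-abuse candidate.
        if grep -qE '\$_(POST|GET|REQUEST|COOKIE)' "$1"; then
            echo 'MAIL+INPUT'
        else
            echo 'MAIL'
        fi
    # Assumed markers of encoded code that hides function names from grep.
    elif grep -qiE '(eval|base64_decode|gzinflate)[[:space:]]*\(' "$1"; then
        echo 'ENCODED'
    fi
}

# scan_php_mail DIR: print one "TAG<TAB>path" line per flagged file.
# Paths containing newlines are not supported by the read loop.
scan_php_mail() {
    find "$1" -type f -name '*.php*' | sort | while IFS= read -r f; do
        tag=$(classify_php "$f")
        if [ -n "$tag" ]; then printf '%s\t%s\n' "$tag" "$f"; fi
    done
}

# make_sample_tree: constructed sample files for a dry run; prints the directory.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<?php mail($_POST["to"], "hi", $_POST["msg"]); ?>' > "$d/contact form.php"
    printf '%s\n' '<?php @MAIL("admin@example.com", "cron", "done"); ?>' > "$d/cron.php"
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' > "$d/packed.php"
    printf '%s\n' '<?php $email = "a@example.com"; echo $email; ?>' > "$d/profile.php"
    echo "$d"
}
```

Run scan_php_mail on the web root and review the MAIL+INPUT files first; ENCODED files need to be read by hand because their contents cannot be searched.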