My server is used to send spam

Discussion in 'General' started by esezako, Mar 25, 2009.

  1. esezako

    esezako Member

    Are using my server to send spam.
    How I can start to look if there is something wrong?
  2. Norman

    Norman Member HowtoForge Supporter

    There are lots of services out there to check if your server is used as an open proxy.

    You can also check blacklist services to see if you're listed.

    Also check your logs /var/log

    and the mailq .

    If it's a local user spamming you should discover what is being abused, is it a site with bad php mail forms or something?

    Start with the logs!
  3. esezako

    esezako Member

    Hi, first thank's for reply.

    For now i'm not in any blacklist.
    Searching in logs i found that emails are sent from an email account that does not exist on my server. This makes me think that the emails are sent from a php script. Is this true?
    If true, how can you locate the script corrupt?

    On this server there is only my pages.
  4. bluethunder82

    bluethunder82 Member

    There is a chance that it is a rogue php or cgi script but most likely your mail server could be configured as an open relay.

    A site to check that is . Just use their SMTP checker. There are other sites that do this as well.

    Another useful site could be:

    As for finding php scripts that are insecure you could try a command like:
    find /var/www/ -type f -name "*.php*" | xargs grep -l 'mail' | xargs grep -in 'mail' > ~/maillist.log
    Then look at all the instances of 'mail' in your scripts and see if anything looks insecure.

    Good luck.
  5. mickeb

    mickeb New Member

    I got the same problem!

    Does not work! I have Debian etch. How can i locate weaknesses in php scripts? if the above does not work? It simply doesnt return anything.

    Best regards Mike
  6. lano

    lano Member

    Your logs are generated in directory, where you execute find command. Usualy in /root
  7. edge

    edge Active Member Moderator

    The above comand line will scan all .php files, and look for the mail command.
    When found it will dump the file name, and code in a file named "maillist.log"
    Like lano mentioned the file "maillist.log" should be in the root.

    If you can not find the file in the /root dir, than you can run "updatedb" and after that do a "locate maillist.log"

    Please note that when a .php file is encrypted, it will not find the 'mail' function.
    Last edited: Mar 30, 2009

Share This Page