Tuesday, 25 March 2014

How to Monitor and Deal with Spamming



It is difficult to track "nobody" spammers from the exim_mainlog file: you cannot tell exactly which account is using your server to send spam. If you check php.ini you will see that the mail service is set to /usr/sbin/sendmail, and almost all mail scripts use PHP's built-in mail() function. That means everything goes through /usr/sbin/sendmail.

We will try to identify these users on your Linux server.

1. Log in to the server as root.

2. To be on the safe side, stop Exim.

[root@server~]#/etc/init.d/exim stop

3. Back up the /usr/sbin/sendmail file. [Your server uses Exim as its MTA (Mail Transfer Agent); the sendmail binary is actually just a pointer to Exim.]

[root@server~]#mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

4. Now we will create a spam-monitoring script as the new sendmail program.

[root@server~]#pico /usr/sbin/sendmail

Paste in the following:

#!/usr/local/bin/perl
# Wrapper installed as /usr/sbin/sendmail: logs who invoked it, then hands
# the message and all arguments to the real binary (sendmail.hidden).
use strict;
use warnings;
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = `date`;
chomp $date;

open(INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";

# Effective UID of the caller and its passwd entry (name, uid, gid, dir, shell, ...)
my $uid  = $>;
my @info = getpwuid($uid);

if ($REMOTE_ADDR) {
    # Called from a CGI environment: record client IP, script and vhost
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
}
else {
    # Called from the command line or PHP mail(): record working directory and user
    print INFO "$date - $PWD - @info\n";
}

my $mailprog = '/usr/sbin/sendmail.hidden';

# Pass the original arguments through unchanged (list-form open: no shell quoting issues)
open(MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print MAIL;
}
close(INFO);
close(MAIL);

5. Make the new sendmail executable.

[root@server~]#chmod +x /usr/sbin/sendmail

6. Create the new log file that records which web mail scripts are in use. It must be writable by the web server user (nobody), because the wrapper runs as that user.

[root@server~]#touch /var/log/spam_log

[root@server~]#chmod 0777 /var/log/spam_log

7. Start Exim.

[root@server~]#/etc/init.d/exim start

8. Now run any formmail script or other mail script that uses the mail() function, and watch the new log file (spam_log):

[root@server~]#tail -f /var/log/spam_log

It should give us output like this:

Mon Nov 15 11:00:00 EST 2008 - /home/username/public_html/directory/subdirectory/subsubdirectory - nobody x 99 99 Nobody / /sbin/nologin

9. Log rotation: this file is not set up to be rotated, so it may grow very large very quickly. To fix that, do this:

[root@server~]#pico /etc/logrotate.conf

Find >>

# no packages own wtmp -- we'll rotate them here

/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

Add >>

# SPAM LOG rotation

/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

10. Set the immutable attribute on the new sendmail file so it will not get overwritten.

[root@server~]#chattr +i /usr/sbin/sendmail

Now we can find the "nobody" spam users. Good luck.
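Once the wrapper has been logging for a while, the useful question is which directory and which Unix user account for most of the entries. The script below is an added example, not part of the original post: it summarises spam_log lines of the "date - $PWD - getpwuid fields" form; the log contents and paths are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the wrapper's
# /var/log/spam_log so the busiest script directory and Unix user stand out.
# The log below is constructed sample data in the format the wrapper writes
# for command-line / PHP mail() calls ("date - $PWD - getpwuid fields");
# the paths are hypothetical. Lines from the wrapper's CGI branch
# ("date - IP ran script at host") have only two fields and are skipped.
SPAM_LOG=$(mktemp)
trap 'rm -f "$SPAM_LOG"' EXIT
cat > "$SPAM_LOG" <<'EOF'
Mon Nov 15 11:00:00 EST 2008 - /home/user1/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 15 11:00:05 EST 2008 - /home/user1/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 15 11:00:07 EST 2008 - /home/user2/public_html/blog/uploads - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 15 11:00:09 EST 2008 - /home/user1/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 15 11:01:00 EST 2008 - /root - root x 0 0 root /root /bin/bash
EOF

# Entries per calling directory (the 2nd " - " separated field).
# Output: "count<TAB>directory", busiest directory first.
top_spam_dirs() {
    awk -F' - ' 'NF >= 3 { n[$2]++ }
                 END { for (d in n) printf "%d\t%s\n", n[d], d }' "$1" | sort -rn
}

# Entries per invoking Unix user (first word of the getpwuid field).
top_spam_users() {
    awk -F' - ' 'NF >= 3 { split($3, pw, " "); n[pw[1]]++ }
                 END { for (u in n) printf "%d\t%s\n", n[u], u }' "$1" | sort -rn
}

# Directories with at least $2 entries: the candidates to inspect first
# (an open formmail, or a script dropped into a writable upload directory).
spam_dirs_over() {
    top_spam_dirs "$1" | awk -F'\t' -v min="$2" '$1 >= min { print $2 }'
}

top_spam_dirs "$SPAM_LOG"
top_spam_users "$SPAM_LOG"
spam_dirs_over "$SPAM_LOG" 2
```

Run it against the real /var/log/spam_log by replacing the constructed file with that path.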
