spam through user qscand

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
tema
Forum User
Posts: 18
Joined: Thu Jan 17, 2008 5:40 am
Location: London

spam through user qscand

Post by tema »

Following the ART guidelines here (http://www.atomicorp.com/wiki/index.php/Spam), it turns out that the compromised user is qscand. Looking through /var/clamav I can see plenty of files that are not supposed to be there and look to have been created by an outside source.
Any suggestions?

Using COS5/Plesk8.6/pyzor/razor/qgreylist/clamav etc., all the usual stuff from the atomic repository.
tema
Forum User
Posts: 18
Joined: Thu Jan 17, 2008 5:40 am
Location: London

Re: spam through user qscand

Post by tema »

Spam is being sent through the server using the following user:

qscand:x:10112:103:Qmail-Scanner Account:/var/spool/qscan:/bin/false

Any ideas on how I can stop this?
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: spam through user qscand

Post by breun »

What exactly makes you think that qscand is sending spam? This is actually the user that runs your spam and virus filtering. And what kind of files are you seeing in /var/clamav that are not supposed to be there?
tema
Forum User
Posts: 18
Joined: Thu Jan 17, 2008 5:40 am
Location: London

Re: spam through user qscand

Post by tema »

Problem now sorted!

Breun, you were right. It made me go back (with a clear head) and look again at what was going on. Using the guidelines I was able to isolate the spam message headers:

Received: (qmail 1156 invoked by uid 10112); 6 Aug 2009 18:43:46 +0100
Received: from  by server.domain.com (envelope-from <mailbox@domain.com>, uid 48) with qmail-scanner-2.06st

I looked up the uid 10112, and it belonged to qscand. What I should have been looking up was uid 48, which was the true source of the spam. This turned out to be a compromised account, whose password has now been changed to something better!

With regards to the qscand trail, I looked in /var/clamav/ and I saw files such as lott.hdb, phish.hdb, honeypot.hdb etc., which (I believed) I hadn't seen before, and assumed that they were installed through a compromised login. Have since found out that they are signature databases for ClamAV.

Thanks, Breun.
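The mistake in this thread is easy to repeat: a qmail-scanner setup stamps two uids into the Received chain, and only one of them is the sender. The "(qmail N invoked by uid X)" line is written by qmail-queue and records whichever process called it; with qmail-scanner in the path that caller is qmail-scanner itself, running as qscand. The "(envelope-from <...>, uid Y) with qmail-scanner" line is written by qmail-scanner and records the uid that handed it the message, which is the local account actually injecting mail. The script below, an added example that is not part of the thread or of the Atomicorp guidelines, unfolds a header block, pulls both uids out, and resolves them against passwd-format text. The sample headers are the two lines quoted above (re-folded the way a real message folds the long qmail-scanner line); the passwd excerpt is constructed, and "someuser" is a hypothetical placeholder for the owner of uid 48, since the page does not say which account that was.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two Received headers quoted in the thread,
# folded the way a real message would fold the long qmail-scanner line, plus
# a Subject line so it reads as the top of a message. Not a captured message.
SAMPLE_HEADERS = """\
Received: (qmail 1156 invoked by uid 10112); 6 Aug 2009 18:43:46 +0100
Received: from  by server.domain.com (envelope-from <mailbox@domain.com>, uid 48)
  with qmail-scanner-2.06st
Subject: constructed sample
"""

# Constructed /etc/passwd excerpt. The qscand line is the one quoted in the
# thread; "someuser" is a hypothetical placeholder for uid 48, since the page
# does not say which account owns that uid on the poster's server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
someuser:x:48:48:Hypothetical owner of uid 48:/var/www:/sbin/nologin
qscand:x:10112:103:Qmail-Scanner Account:/var/spool/qscan:/bin/false
"""

# qmail-queue's own stamp: the uid of the process that called qmail-queue.
# When qmail-scanner is in the path, that process is qmail-scanner (qscand).
INVOKED_RE = re.compile(r"^Received:\s*\(qmail \d+ invoked by uid (\d+)\)")
# qmail-scanner's stamp: "uid N" is the uid that handed the message to
# qmail-scanner, i.e. the local submitter you actually want to identify.
SCANNER_RE = re.compile(
    r"^Received:\s*from\s.*?by\s+(\S+)\s+\(envelope-from <([^>]*)>,\s*uid (\d+)\)"
    r"\s+with qmail-scanner"
)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 822 continuation lines; stop at the blank line ending the headers."""
    lines: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_passwd(text: str) -> Dict[int, str]:
    """Map uid -> login name from passwd-format text."""
    users: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users


def trace_submitter(raw_headers: str, passwd_text: str) -> Dict[str, object]:
    """Return the filter uid and the real submitting uid seen in the Received chain."""
    uid_to_user = parse_passwd(passwd_text)
    queue_uid: Optional[int] = None
    scanner = None
    for header in unfold_headers(raw_headers):
        m = INVOKED_RE.match(header)
        if m and queue_uid is None:
            queue_uid = int(m.group(1))
            continue
        m = SCANNER_RE.match(header)
        if m and scanner is None:
            scanner = m

    if scanner is not None:
        # The filter re-injected the message; the scanner line names the real source.
        filter_uid: Optional[int] = queue_uid
        submitter_uid: Optional[int] = int(scanner.group(3))
        host, envelope_from = scanner.group(1), scanner.group(2)
    else:
        # No scanner hop: whoever invoked qmail-queue is the submitter.
        filter_uid, submitter_uid = None, queue_uid
        host, envelope_from = None, None

    return {
        "filter_uid": filter_uid,
        "filter_user": uid_to_user.get(filter_uid) if filter_uid is not None else None,
        "submitter_uid": submitter_uid,
        "submitter_user": uid_to_user.get(submitter_uid) if submitter_uid is not None else None,
        "host": host,
        "envelope_from": envelope_from,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(trace_submitter(SAMPLE_HEADERS, SAMPLE_PASSWD), indent=2))
```

On a live box you would feed it the header block of a queued spam (for example from `qmail-qread` plus the message file under /var/qmail/queue) and the real /etc/passwd; the filter_user field should come back as qscand every time, and the submitter_user field is the account to lock down. When there is no qmail-scanner hop at all, the message was injected straight into qmail-queue and the "invoked by uid" line is the only evidence, so the script reports that uid as the submitter instead.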