php mail function giving me head ache, is ASL 2.0 the soluti

benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am


Hi,

I'm going nuts trying to figure out which of the 200 websites has the web form that's allowing a spammer to use my server to send spam.

I've spent the whole day deleting messages from the queue, all with the subject "Essa voce precisa VER"; there were thousands of them.

I initially started by stopping the qmail-smtp service; that wouldn't stop him. Then I stopped Apache, and that did. Then I disabled the mail function for PHP: disable_functions=" ... mail ..."
Then I restarted the Apache service. After that, of course, all the forms on the websites on my server are unable to send mail, but that stopped him!! Finally!

The question is, will ASL 2.0 help me find a solution to this problem? Will it log, or show, which URL or website is being injected by this spammer? If so, I'm buying a subscription right away! I need to solve this issue soon! :S

If not, have you got any advice for me? Any way to look at all the domains' logs at once to try to find out which form is getting hijacked?

My server is CentOS 4.5 64-bit, Plesk 8.2.1 (upgraded from 8.1.1 last Sunday), using PHP 4.3.9 and MySQL 4.x. I update regularly using "yum update".

Thank you very much.
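An added example, not posted by anyone in this thread: one way to look at every domain's access log at once is to rank POST targets per site by peak requests per minute, since a form abused to relay mail typically shows up as a burst of POSTs to a single script. The vhost names, paths, addresses and log lines below are constructed, and building the input dict from the real per-domain log files is assumed to happen elsewhere.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log line: ip ident user [time] "METHOD path proto" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

def rank_post_targets(logs_by_vhost):
    """Return [(vhost, path, posts, peak_per_minute, distinct_ips)], burstiest first."""
    posts = Counter()
    per_minute = defaultdict(Counter)
    clients = defaultdict(set)
    for vhost, lines in logs_by_vhost.items():
        for line in lines:
            m = LINE_RE.match(line)
            if not m or m.group("method") != "POST":
                continue  # unparsable line, or not a form submission
            key = (vhost, m.group("path").split("?", 1)[0])  # ignore query string
            posts[key] += 1
            per_minute[key][m.group("ts")[:17]] += 1  # bucket "10/Oct/2007:13:55"
            clients[key].add(m.group("ip"))
    rows = [(v, p, n, max(per_minute[(v, p)].values()), len(clients[(v, p)]))
            for (v, p), n in posts.items()]
    return sorted(rows, key=lambda r: (-r[3], -r[2], r[0], r[1]))

# Constructed sample data: vhost names, paths and addresses are made up.
SAMPLE_LOGS = {
    "shop.example": [
        '203.0.113.7 - - [10/Oct/2007:13:55:%02d +0200] "POST /contact.php HTTP/1.0" 200 512' % s
        for s in range(40)
    ] + ['198.51.100.4 - - [10/Oct/2007:13:40:12 +0200] "GET /index.php HTTP/1.1" 200 4096'],
    "blog.example": [
        '192.0.2.10 - - [10/Oct/2007:09:12:44 +0200] "POST /comment.php?id=3 HTTP/1.1" 302 0',
    ],
}

if __name__ == "__main__":
    for row in rank_post_targets(SAMPLE_LOGS):
        print("%-14s %-16s posts=%-4d peak/min=%-4d ips=%d" % row)
```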
Galactic Zero
Forum Regular
Posts: 471
Joined: Mon Dec 06, 2004 10:43 pm


I'd start by searching out the common names of mail scripts on the server: sendmail.pl, formmail.pl, etc. Then isolate them one by one, or do the opposite: kill them all and enable them one by one.
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net
benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am


Thanks for replying,

That's a difficult thing to do.

I have more than 200 websites on this server; also, I don't know when the spammer will start attacking or stop attacking...

I/they don't use any Perl on any site; I do not allow it (from Plesk), only PHP.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Sure, ASL might have a rule to catch this for you already. If not, we could write one for you to do it.
benji
Forum User
Posts: 63
Joined: Thu Mar 29, 2007 10:32 am


Hi Scott,

Couldn't wait for it, and I subscribed to ASL yesterday night, an hour after opening this thread.

Seems like I've got rid of the spammer just by installing ASL right out of the box. The install was just a breeze, congrats!

Also, I have checked out the wiki and haven't found much documentation. Is there extended documentation on how to administer ASL? Where can I get more in-depth info on all of these rulesets in the config files? I just don't get anything :).

Thanks, Scott. You saved me from that MAD SPAMMER :)
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Working on it; every time I do something, ASL related or not, I'm putting it into the wiki. Organization still needs to be done, and I've got a mountain of little things waiting to go into the next mod_sec update. There's a different group working on the web stuff and documentation. I always pass these comments on to them to see what we can do.