To find the top sender mailboxes in the queue, use the following monster:
mailq | grep -oE "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" | sort | uniq -c | sort -rn | head -10
But sometimes the mailboxes differ because the sender addresses are spoofed. For such cases you can check the top users actually sending the mail (the uid comes from the Postfix "from userid" Received header and is matched against the uid field of /etc/passwd, not grepped anywhere in the line):
for i in $(mailq | grep -v "^[^0-9A-Za-z]\|^$" | awk '{print $1}' | awk -F '*' '{print $1}'); do uid=$(postcat -q "$i" | sed -n 's/.*from userid \([0-9][0-9]*\).*/\1/p' | head -n 1); awk -F ':' -v uid="$uid" '$3 == uid {print $1}' /etc/passwd; done | sort | uniq -c | sort -rn | head -7
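The two one-liners above work on the whole mailq text, so the first one also counts recipient addresses. As an added example (not DreamHost's own tooling), the functions below parse the queue listing line by line: only the sender column is counted, active (`*`) and held (`!`) markers are stripped from queue IDs, and a sender's queue IDs can be fed to `postsuper -d -` so that only the spam is deleted instead of the whole queue. SAMPLE_MAILQ is constructed in the Postfix mailq layout; in practice pipe the real command in (`mailq | mailq_top_senders`).

```shell
#!/bin/sh
# Added example: parse Postfix `mailq` output instead of grepping every address in it.
# SAMPLE_MAILQ is constructed; real use:  mailq | mailq_top_senders
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
4HLPq32Xxhz3MZ     1100 Fri Oct  1 02:25:35  wahsingng@blout.example.com
                                         victim1@example.net

4HLPq32Xxhz3MA*    2200 Fri Oct  1 02:25:36  wahsingng@blout.example.com
                                         victim2@example.net

4HLPq32Xxhz3MB!    1100 Fri Oct  1 02:25:37  other@example.org
(connect to mx.example.net[192.0.2.25]:25: Connection timed out)
                                         victim3@example.net

-- 5 Kbytes in 3 Requests.'

# Queue-ID lines start with the ID, optionally suffixed with "*" (active) or
# "!" (on hold); the header, footer, deferral reasons and recipient lines do not.
_mailq_id_lines() { awk '/^[0-9A-Za-z]+[*!]? /'; }

# Bare queue IDs, one per line, with the "*" / "!" marker removed.
mailq_queue_ids() { _mailq_id_lines | awk '{ sub(/[*!]$/, "", $1); print $1 }'; }

# Top N (default 10) sender addresses; the sender is the last field of the ID line,
# so recipients never enter the count.
mailq_top_senders() {
  _mailq_id_lines | awk '{ print $NF }' | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Queue IDs of every message from one sender, for a targeted
#   mailq | mailq_ids_for_sender spammer@example.com | postsuper -d -
# rather than dropping legitimate mail together with the spam via `postsuper -d ALL`.
mailq_ids_for_sender() {
  _mailq_id_lines | awk -v s="$1" '$NF == s { sub(/[*!]$/, "", $1); print $1 }'
}

# Map a numeric uid to a login name by comparing the uid field exactly.
uid_to_user() { awk -F: -v uid="$1" '$3 == uid { print $1; exit }' /etc/passwd; }

# Demo on the constructed sample: prints "2 wahsingng@blout.example.com" first.
printf '%s\n' "$SAMPLE_MAILQ" | mailq_top_senders
```

`postsuper -d -` reads queue IDs from standard input, so the same ID list can first be reviewed with `postcat -q` before anything is deleted.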
For shared machines you can use the script below, which checks the mail source and shows you some info. It should cover 99% of the search:
/dh/bin/techops/mailq-scanner.pl
Any other manual checks are described below.
When you've found the spam mail, just check it.
Well, again a percentage: 99% of the time it will be spam sent by a script. An example email with headers looks like this:
email example
The string we are looking for is
X-PHP-Originating-Script: 15011841:nun.php(1) : eval()'d code
where nun.php is the name of the script which was sending the emails. It could be malware or an ordinary script used by a contact form or any other form on the site. Usually, malware scripts have strange or uncommon filenames; scripts used by forms are mostly called something like PHPMailer.php or contact.php.
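The three header values the text relies on (the X-PHP-Originating-Script uid and script name, the "from userid" in the Postfix Received header, and the Message-ID domain) can be pulled out mechanically. The following is an added example, not part of the original runbook; SAMPLE_MSG is a constructed message built around the header values shown above, and in practice the input is `postcat -qh "$queue_id"`. PHP writes the header as `uid:script(line)`, and appends ` : eval()'d code` when `mail()` was called from code run through `eval()`, which is a strong hint that the script is obfuscated malware rather than a contact form.

```shell
#!/bin/sh
# Added example: extract the identifiers the runbook looks for from a queued message.
# SAMPLE_MSG is constructed; real use:  postcat -qh "$queue_id" | php_originating_script
SAMPLE_MSG="Received: by blout.dreamhost.com (Postfix, from userid 15011841)
	id 4HLPq32Xxhz3MZ; Fri,  1 Oct 2021 02:25:35 -0700 (PDT)
To: victim@example.net
Subject: hello
X-PHP-Originating-Script: 15011841:nun.php(1) : eval()'d code
Message-ID: <ed120f2dc535fd3033da8b025d4c463f@ngplanning.com>
MIME-Version: 1.0

body text"

# The whole X-PHP-Originating-Script header line (field name matched case-insensitively).
php_originating_header() { awk 'tolower($1) == "x-php-originating-script:" { print; exit }'; }

# "<uid> <script>" from that header: the value is uid:script(line), so split on ":"
# and drop the "(line)" suffix. The uid is the account the PHP process ran as.
php_originating_script() {
  php_originating_header |
    awk '{ split($2, a, ":"); s = a[2]; sub(/\(.*$/, "", s); print a[1], s }'
}

# True when the header says the mail() call came from eval()'d code.
php_sent_from_eval() {
  case "$(php_originating_header)" in
    *"eval()'d code"*) return 0 ;;
    *) return 1 ;;
  esac
}

# uid from the Postfix Received: header, the value the mailq loop above greps for.
received_userid() { sed -n 's/.*from userid \([0-9][0-9]*\).*/\1/p' | head -n 1; }

# Domain part of Message-ID, for the case where the user is not in the mailq output.
message_id_domain() {
  awk 'tolower($1) == "message-id:" { d = $2; sub(/^<[^@]*@/, "", d); sub(/>.*$/, "", d); print d; exit }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_MSG" | php_originating_script   # 15011841 nun.php
printf '%s\n' "$SAMPLE_MSG" | message_id_domain        # ngplanning.com
```

The uid printed by `php_originating_script` or `received_userid` can be resolved to a login name with an exact match on the third field of /etc/passwd, which then gives the `/home/$user` prefix for the `find` step below.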
Usually the user is shown in the mailq output:
4HLPq32Xxhz3MZ 1100 Fri Oct 1 02:25:35 wahsingng@blout.dreamhost.com
where wahsingng is the name of the user on the server. If the user isn't shown there, the other option is to check for the domain in the headers:
Message-ID: <ed120f2dc535fd3033da8b025d4c463f@ngplanning.com>
where ngplanning.com will be our domain. Then you can find the path to the docroot with dh-domain.
Once you have the user, use find:
find /home/$user -type f -name "$php_script"
Just to be sure whether it's malware or a normal site script, check its contents.
Well, then it was sent through some malware on the server itself. It could be something like
First of all, our main goal is not to block the entire site/user but to block the script/form while that is possible.
If you found a malware script, there are probably more. Try to search for them.
For WP sites you can use wp-cli to verify checksums:
For scripts found this way, it's highly recommended to check all of them manually to be sure they are malware/vulnerable scripts.
In case of manual searching, looking in the same dir where the script was found is enough.
After you've found all of them, slurp them,
slurp-malware.pl -s $server -f /full/path/to/script
then rename the particular script which is sending SPAM (note the braces: without them the shell would read $path_to_script_DISABLED_FOR_SPAM as one variable name):
mv /home/$user/$domain/$path_to_script /home/$user/$domain/${path_to_script}_DISABLED_FOR_SPAM-$initials
where initials are two letters. Example: Neil Armstrong = na
After that, run the scan:
sc --schedule --channel=techops yakko scanner scan -c -C -k -Q -l deep -m $server -u $user
Also check the logs for POSTs to the site:
grep POST /home/$user/logs/$site/https/access.log | tail -20
If the requests come from one source IP, it's reasonable to also firewall this IP for the whole cluster:
firewall.pl -a add -H dh-homie-host -s $IP -c "Sending SPAM on $site"
and clean the queue:
postsuper -d ALL
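`grep POST … | tail -20` shows the last few requests but not whether one client is behind them. The functions below are an added example (not part of the runbook) that rank POST requests in a combined-format access log by source IP and by target path, and answer the "is it one source IP" question with a threshold, so the firewall step is only taken when it will actually help. SAMPLE_LOG is constructed; in practice the input is `/home/$user/logs/$site/https/access.log` as in the command above.

```shell
#!/bin/sh
# Added example: rank POSTs in a combined-format access log.
# SAMPLE_LOG is constructed; real use:  top_post_ips < /home/$user/logs/$site/https/access.log
SAMPLE_LOG='203.0.113.5 - - [01/Oct/2021:02:25:30 -0700] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2021:02:25:31 -0700] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2021:02:25:32 -0700] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2021:02:25:33 -0700] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Oct/2021:02:25:34 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.5 - - [01/Oct/2021:02:25:35 -0700] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2021:02:25:36 -0700] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2021:02:25:37 -0700] "GET /contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# In the combined log format field 1 is the client IP, field 6 the quoted method
# ("POST) and field 7 the request path.
post_requests()  { awk '$6 == "\"POST"'; }
top_post_ips()   { post_requests | awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n "${1:-10}"; }
top_post_paths() { post_requests | awk '{ print $7 }' | sort | uniq -c | sort -rn | head -n "${1:-10}"; }

# Print the one IP that accounts for at least MIN (default 0.8) of all POSTs, or
# nothing when the load is spread out (then a firewall rule alone will not stop it).
single_source_ip() {
  awk -v min="${1:-0.8}" '$6 == "\"POST" { n[$1]++; t++ }
       END { for (ip in n) if (t > 0 && n[ip] / t >= min) { print ip; exit } }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_post_paths      # 5 /contact, 1 /wp-comments-post.php
printf '%s\n' "$SAMPLE_LOG" | single_source_ip    # 203.0.113.5
```

The path ranking also tells you which form is being abused, which is what the redirect and rename steps further down need; an empty result from `single_source_ip` is the "spam continues from another IP" situation the text warns about.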
If you see a lot of malware scripts on the site, it's better to block the whole site.
Disable it by renaming (braces needed, otherwise $site_DISABLED_BY_DREAMHOST_FOR_SPAM is read as one variable name):
mv /home/$user/$site /home/$user/${site}_DISABLED_BY_DREAMHOST_FOR_SPAM-$initials
clean the queue:
postsuper -d ALL
and let the customer know:
/dh/bin/techops/send_customer_email.pl --template spam_generic_domain --domain $domain --comment "Spam from malware. Site is totally broken. Please, recheck with nightmarelabs before enabling back"
If you see the spam is being sent from a script called PHPMailer.php, contact.php or something similar, check the logs for the POST requests:
grep POST /home/$user/logs/$site/https/access.log | tail -20
You should find the page to which the requests are going.
Such pages generally look like site.com/contact. If you see POSTs to such pages, add a redirect in .htaccess:
If the requests come from one source IP, it's reasonable to also firewall this IP for the whole cluster:
firewall.pl -a add -H dh-homie-host -s $IP -c "Sending SPAM on $site"
Just firewalling the IP is not enough. Usually the spam continues from another IP, so make sure you've also added the redirect in .htaccess.
Then clean the queue:
postsuper -d ALL
And notify the customer with
/dh/bin/techops/send_customer_email.pl --template spam_generic_domain --domain $domain --comment "Spam from bots. Suggest using captcha on form on page $link . I've added redirect in .htaccess to prevent new SPAM"
Such pages generally look like site.com/index.php&option=123. If you see POSTs to such pages, add a similar redirect in .htaccess:
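The .htaccess rules themselves did not survive on this page. As an added example covering both cases above (a plain form URL such as /contact, and a page selected by a query string such as option=123), the helper below appends a mod_rewrite block that turns POSTs to that one URL into a 302 to the site root and leaves GET requests and every other page untouched. It is not DreamHost's own rule; the rule shape, the 302 target and the backup naming are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the runbook's own rule): append a POST-only redirect for one
# form URL to a site's .htaccess.
#   add_post_redirect /home/$user/$site /contact
#   add_post_redirect /home/$user/$site /index.php 'option=123'
# Arguments: docroot, URL path, optional QUERY_STRING regex (the second case above).
add_post_redirect() {
  docroot=$1; path=$2; qs=${3:-}
  htaccess="$docroot/.htaccess"

  # Keep a timestamped copy so the change can be rolled back.
  if [ -f "$htaccess" ]; then
    cp -p "$htaccess" "$htaccess.bak-$(date +%Y%m%d%H%M%S)"
  fi

  # In .htaccess the RewriteRule pattern is matched against the path relative to
  # that directory (no leading slash); escape dots so "index.php" stays literal.
  rel=$(printf '%s' "${path#/}" | sed 's/\./\\./g')

  {
    printf '# BEGIN spam-post-redirect %s\n' "$path"
    printf '<IfModule mod_rewrite.c>\n'
    printf 'RewriteEngine On\n'
    # Only POST is affected, so the page itself still renders for visitors.
    printf 'RewriteCond %%{REQUEST_METHOD} ^POST$\n'
    if [ -n "$qs" ]; then
      printf 'RewriteCond %%{QUERY_STRING} %s\n' "$qs"
    fi
    printf 'RewriteRule ^%s/?$ / [R=302,L]\n' "$rel"
    printf '</IfModule>\n'
    printf '# END spam-post-redirect %s\n' "$path"
  } >> "$htaccess"
}
```

The BEGIN/END markers make the block easy to find and remove again once the customer has added a captcha, and the backup copy is what you restore if the site's own rewrite rules break.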
If the requests come from one source IP, it's reasonable to also firewall this IP for the whole cluster:
firewall.pl -a add -H dh-homie-host -s $IP -c "Sending SPAM on $site"
Just firewalling the IP is not enough. Usually the spam continues from another IP, so make sure you've also added the redirect in .htaccess.
Then clean the queue:
postsuper -d ALL
And notify the customer with
/dh/bin/techops/send_customer_email.pl --template spam_generic_domain --domain $domain --comment "Spam from bots. Suggest using captcha on form on page $link . I've added redirect in .htaccess to prevent new SPAM"
In this case, unfortunately, there is no good way to add a redirect. If you know the script which is sending the emails, like PHPMailer.php, just disable it by renaming:
mv /home/$user/$site/PHPMailer.php /home/$user/$site/PHPMailer.php_DISABLED_BY_DREAMHOST_FOR_SPAM-$initials
clean the queue:
postsuper -d ALL
and let the customer know:
/dh/bin/techops/send_customer_email.pl --template spam_generic_domain --domain $domain --comment "Spam from bots. Suggest using captcha on form on page $link . I've disabled $file to prevent new SPAM"
Since a comment form usually exists on every article, we can't add a redirect here either. In this case, disable the script by renaming it.
Better to disable the most narrowly focused script. For example, for WordPress blog comments it is better to disable wp-comments-post.php rather than PHPMailer.php (as the latter could be used for more than comments), to minimize the impact.