Saturday, January 29, 2011

How to check my linux server isn't spamming

I'm worried about dodgy PHP scripts or other malicious software on my Linux server sending out spam. Or maybe I left an open relay.

What are the ways to check I'm not sending any spam out?

  • One of the easiest ways is to check your /var/log/maillog (default location) to see if it's sending out mail that you're not expecting.

    aidan : That's exactly what I'm looking for, thanks! (Strangely, that file doesn't exist on my server though.)
    AliGibbs : Well, depending on your setup it might be elsewhere (try a search); else, could it be that you haven't sent any mail yet?
    aidan : Might be mail.log in Ubuntu. Looks clear.
    AliGibbs : Looking at https://help.ubuntu.com/8.04/serverguide/C/postfix.html it does seem that the default mail location is /var/log/mail.log. Might be worth writing a test PHP mail script (or I have one if you want) to check it's logging to this location.
    Jacek Konieczny : The MTA (mail transfer agent) installed on the server may not be used at all, and the spam may still be sent from the machine by other means: e.g. misconfigured proxy server or malicious software running on the machine and sending the emails directly (not using local MTA).
    From AliGibbs
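As an added example (not part of AliGibbs's answer or the comments): a small POSIX shell script that summarises a Postfix mail.log the way you would when hunting for unexpected mail, by envelope sender, by the local uid that submitted the message (Postfix's pickup lines record the uid that ran sendmail, so uid 33 / www-data on Debian and Ubuntu means a web script sent it), by recipient domain and by delivery status. The log lines are constructed samples in Postfix's own format, not real traffic; the host web1, the queue IDs and all addresses are placeholders.

```shell
#!/bin/sh
# Added example: summarise a Postfix mail log for signs of unexpected sending.
# The sample below is constructed in Postfix's log format; hostnames,
# addresses and queue IDs are placeholders, not real traffic.
SAMPLE_MAILLOG='Jan 29 10:01:02 web1 postfix/pickup[1201]: 3A1F2C0: uid=33 from=<www-data>
Jan 29 10:01:02 web1 postfix/qmgr[1100]: 3A1F2C0: from=<www-data@web1.example.com>, size=812, nrcpt=1 (queue active)
Jan 29 10:01:03 web1 postfix/smtp[1210]: 3A1F2C0: to=<user1@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
Jan 29 10:01:05 web1 postfix/pickup[1201]: 3B1F2C1: uid=33 from=<www-data>
Jan 29 10:01:05 web1 postfix/qmgr[1100]: 3B1F2C1: from=<www-data@web1.example.com>, size=815, nrcpt=1 (queue active)
Jan 29 10:01:06 web1 postfix/smtp[1210]: 3B1F2C1: to=<user2@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=5.1.1, status=bounced (host mx.example.net[198.51.100.7] said: 550 5.1.1 User unknown)
Jan 29 10:01:08 web1 postfix/pickup[1201]: 3C1F2C2: uid=33 from=<www-data>
Jan 29 10:01:08 web1 postfix/qmgr[1100]: 3C1F2C2: from=<www-data@web1.example.com>, size=809, nrcpt=1 (queue active)
Jan 29 10:01:09 web1 postfix/smtp[1211]: 3C1F2C2: to=<user3@example.com>, relay=none, delay=30, delays=30/0/0/0, dsn=4.4.1, status=deferred (connect to mx.example.com[192.0.2.40]:25: Connection timed out)
Jan 29 10:01:11 web1 postfix/pickup[1201]: 3D1F2C3: uid=33 from=<www-data>
Jan 29 10:01:11 web1 postfix/qmgr[1100]: 3D1F2C3: from=<www-data@web1.example.com>, size=820, nrcpt=1 (queue active)
Jan 29 10:01:12 web1 postfix/smtp[1210]: 3D1F2C3: to=<user4@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 OK)
Jan 29 10:30:00 web1 postfix/pickup[1201]: 4E2F3D4: uid=1000 from=<admin>
Jan 29 10:30:00 web1 postfix/qmgr[1100]: 4E2F3D4: from=<admin@web1.example.com>, size=1500, nrcpt=1 (queue active)
Jan 29 10:30:01 web1 postfix/smtp[1210]: 4E2F3D4: to=<friend@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)'

# Messages queued per envelope sender (qmgr "from=<...>" lines).
# Output "<count> <sender>", highest first; bounces have an empty sender, shown as <>.
senders_by_volume() {
    grep 'postfix/qmgr\[' | grep -o 'from=<[^>]*>' \
        | sed 's/^from=<//; s/>$//; s/^$/<>/' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Local submissions per Unix uid. pickup logs the uid that ran sendmail; on
# Debian/Ubuntu uid 33 is www-data, i.e. mail injected by a web script.
local_submissions_by_uid() {
    grep 'postfix/pickup\[' | grep -o 'uid=[0-9]*' | sed 's/^uid=//' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Recipient domains from the smtp client lines; a long tail of unrelated
# domains from one sender is a classic spam signature.
recipient_domains() {
    grep 'postfix/smtp\[' | grep -o 'to=<[^>]*>' | sed 's/^to=<[^@]*@//; s/>$//' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Delivery outcomes; a high bounced/deferred share means unknown recipients
# or remote sites refusing the host, both typical of spam runs.
delivery_status_counts() {
    grep -o 'status=[a-z]*' | sed 's/^status=//' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Senders with more than $1 messages in the log excerpt on stdin.
heavy_senders() {
    senders_by_volume | awk -v limit="$1" '$1 > limit {print $2}'
}

# Demo on the constructed sample. On a real box feed the log instead, e.g.
#   senders_by_volume < /var/log/mail.log
echo "== messages per envelope sender =="
printf '%s\n' "$SAMPLE_MAILLOG" | senders_by_volume
echo "== local submissions per uid =="
printf '%s\n' "$SAMPLE_MAILLOG" | local_submissions_by_uid
echo "== recipient domains =="
printf '%s\n' "$SAMPLE_MAILLOG" | recipient_domains
echo "== delivery status =="
printf '%s\n' "$SAMPLE_MAILLOG" | delivery_status_counts
echo "== senders with more than 3 messages =="
printf '%s\n' "$SAMPLE_MAILLOG" | heavy_senders 3
```

On the sample, www-data accounts for four of the five messages and all of the bounced and deferred deliveries, which is the pattern to look for: mail injected by the web server's uid, going to many domains, with remote sites rejecting it. On a server that also sends legitimate mail, run `heavy_senders` with a threshold that matches what the machine is expected to send per day.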
  • I've used abuse.net in the past to check that my server is not an open relay.

    I haven't used it for a while, but it's got to be worth a quick test if you're worried or unsure.

    aidan : That's a useful link to have. Using it now. thanks.
    From Grhm
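An added example, not part of Grhm's answer, showing what an open-relay tester like abuse.net does so that you can reproduce it by hand: connect to port 25 from a machine outside the server's own network (from the box itself, or from anything in Postfix's mynetworks, relaying is allowed by design, so a local test proves nothing) and see whether a RCPT TO for a domain the server does not host is accepted. `relay_verdict` reads the reply sequence; the two transcripts are constructed samples (the 554 wording is Postfix's). The hostnames, the probe addresses and the relaytest.example.net EHLO name are placeholders.

```shell
#!/bin/sh
# Added example: manual open-relay check. Replies are counted as the sequence
# of final reply lines (three digits then a space; continuation lines have
# '-' in that position): 1 banner, 2 EHLO, 3 MAIL FROM, 4 RCPT TO, 5 QUIT.

# Constructed transcript of a correctly configured server (Postfix wording).
SAMPLE_CLOSED='220 mail.example.com ESMTP Postfix
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250 8BITMIME
250 2.1.0 Ok
554 5.7.1 <victim@example.org>: Relay access denied
221 2.0.0 Bye'

# Constructed transcript of an open relay: the foreign recipient is accepted.
SAMPLE_OPEN='220 relay.example.com ESMTP
250-relay.example.com
250 8BITMIME
250 2.1.0 Ok
250 2.1.5 Ok
221 2.0.0 Bye'

# Verdict for the transcript on stdin: OPEN-RELAY, rejected, or inconclusive
# (connection dropped before RCPT was answered, or a 4xx/other reply).
relay_verdict() {
    tr -d '\r' | awk '
        /^[0-9][0-9][0-9] / { n++; if (n == 4) code = substr($1, 1, 1) }
        END {
            if (n < 4)            print "inconclusive"
            else if (code == "2") print "OPEN-RELAY"
            else if (code == "5") print "rejected"
            else                  print "inconclusive"
        }'
}

# Live probe: $1 = server, $2 = an address in a domain the server does not
# host. Commands go one at a time with a pause, so servers that refuse
# pipelined input still answer each in turn. Needs nc (netcat).
relay_probe() {
    {
        sleep 2
        printf 'EHLO relaytest.example.net\r\n'; sleep 2
        printf 'MAIL FROM:<probe@example.net>\r\n'; sleep 2
        printf 'RCPT TO:<%s>\r\n' "$2"; sleep 2
        printf 'QUIT\r\n'
    } | nc -w 10 "$1" 25
}

# Demo on the constructed transcripts. A live run, from outside the server's
# network, is:
#   relay_probe mail.example.com victim@example.org | tee transcript.txt | relay_verdict
printf '%s\n' "$SAMPLE_CLOSED" | relay_verdict
printf '%s\n' "$SAMPLE_OPEN" | relay_verdict
```

Two caveats: a 250 to RCPT TO is strong evidence but not proof, because some servers accept everything at RCPT time and bounce later, so confirm by watching whether the message actually leaves the queue; and a 4xx (greylisting, temporary failure) tells you nothing, which is why the script reports it as inconclusive rather than as a pass. Only probe servers you are responsible for.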
  • Do you have PHP scripts on your server that make use of email? Make damn sure that those don't allow visitors to specify the address that mail is sent to. That means not having To fields in forms that create email.

    That alone is not enough, as spammers can inject mail headers into poorly written mailer scripts. Check out http://www.alt-php-faq.org/local/115/ for a discussion on this.

    You may not have control of all the scripts on your server, so you may want to read http://ilia.ws/archives/149-mail-logging-for-PHP.html which gives details of a PHP extension which logs all use of the mail function. That will give you a specific place to look for PHP related mail activity, which may be useful if you also send mail legitimately from this server.

    From dunxd
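As an added example that is not part of dunxd's answer: a shell audit that finds the PHP scripts dunxd is talking about. It is a grep heuristic, not a PHP parser: it lists every .php file under a directory that calls mail(), and sorts them into scripts whose recipient argument is itself a request variable (the "To field in the form" case), scripts that call mail() and read $_GET/$_POST/$_REQUEST anywhere (the header-injection case, unless every value is stripped of CR and LF before it reaches a header), and scripts that use no request input. The three sample scripts it scans are constructed for the example and written to a temporary directory; the addresses in them are placeholders.

```shell
#!/bin/sh
# Added example: static audit of PHP scripts that call mail(). A grep
# heuristic, not a parser: it picks files to read by hand, it proves nothing
# safe. The sample web root below is constructed for the example.

# Build a small constructed web root with three scripts and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/feedback.php" <<'EOF'
<?php
// Recipient taken straight from the form: anyone can post any address.
mail($_POST['to'], 'Feedback', $_POST['message']);
EOF
    cat > "$d/contact.php" <<'EOF'
<?php
// Fixed recipient, but the visitor's address is spliced into the headers
// unchecked; a value containing "\r\nBcc: ..." adds extra recipients.
$headers = "From: " . $_POST['email'] . "\r\n";
mail('owner@example.com', 'Contact form', $_POST['message'], $headers);
EOF
    cat > "$d/cron_report.php" <<'EOF'
<?php
// No request input at all: run from cron, fixed recipient.
$report = shell_exec('df -h');
mail('admin@example.com', 'Disk report', $report);
EOF
    echo "$d"
}

# Scan $1 for .php files that call mail(). Three verdicts:
#   DANGER  the recipient argument itself comes from $_GET/$_POST/$_REQUEST
#   REVIEW  the file calls mail() and reads request input somewhere
#           (header injection risk unless every value is stripped of CR/LF)
#   ok      mail() with no request input anywhere in the file
audit_php_mail() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        grep -Eq '(^|[^A-Za-z0-9_])mail[[:space:]]*\(' "$f" || continue
        if grep -Eq '(^|[^A-Za-z0-9_])mail[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST)' "$f"; then
            echo "DANGER $f: recipient comes from request input"
        elif grep -Eq '\$_(GET|POST|REQUEST)' "$f"; then
            echo "REVIEW $f: calls mail() and reads request input"
            grep -nE '\$_(GET|POST|REQUEST)' "$f" | sed 's/^/    /'
        else
            echo "ok $f: calls mail() without request input"
        fi
    done
}

# Demo on the constructed tree. On a real server run e.g.
#   audit_php_mail /var/www
SAMPLE_DIR=$(make_sample_tree)
audit_php_mail "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

The REVIEW lines are where the real reading starts: for each listed use of a request variable, follow the value and check that it never reaches a header line (From, Reply-To, Cc, Bcc, or the additional_headers argument of mail()) without carriage returns and line feeds being removed. Scripts that only put request input into the message body are much less of a relay risk than ones that put it into headers.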
  • The best way is to monitor the traffic generated by the machine. This may show if something suspicious is happening no matter what the source of the spam is (whether that is a badly configured mail server, a badly configured proxy or some malicious software). In particular, take a look at outgoing connections to port 25. If you can see many more such connections than the mails the machine is supposed to send, then the machine is probably being abused. On closer inspection you may also find many 'MX' queries (sent to find the victims' name servers) or suspicious incoming connections (used to control 'trojan horse' software).

    The next step is to find the abused service and fix it.

    aidan : Sounds good. What's a good way of monitoring the traffic on port 25? Wireshark? (I've only got a CLI - no GUI)
    Jacek Konieczny : Anything will do. Wireshark (it has a simple text interface too), tcpdump (you can write a dump file and then open it somewhere else with the Wireshark GUI), iptraf (will show what is going on 'on the wire' in quite a visual form, still on a text console).
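An added example (not from Jacek Konieczny's answer or the comments) doing the counting his answer describes over tcpdump's text output, since that works on a CLI-only box: new outbound connections to port 25 per destination, MX lookups, and inbound connection attempts to ports you did not expect. The packet lines are constructed samples in tcpdump's `-nn` format (the `Flags [S]` notation of tcpdump 4.x); the addresses are documentation prefixes, with 192.0.2.10 standing in for the server under investigation.

```shell
#!/bin/sh
# Added example: summarise tcpdump text output for spam-bot traffic patterns.
# Constructed sample in tcpdump -nn format; addresses are documentation
# prefixes (RFC 5737) and 192.0.2.10 plays the server under investigation.
SAMPLE_TCPDUMP='10:01:02.050000 IP 192.0.2.10.40001 > 192.0.2.1.53: 1001+ MX? example.org. (29)
10:01:02.060000 IP 192.0.2.10.40002 > 192.0.2.1.53: 1002+ MX? example.net. (29)
10:01:02.070000 IP 192.0.2.10.40003 > 192.0.2.1.53: 1003+ A? www.example.com. (33)
10:01:02.100000 IP 192.0.2.10.45678 > 203.0.113.5.25: Flags [S], seq 10001, win 29200, length 0
10:01:02.110000 IP 192.0.2.10.45679 > 198.51.100.7.25: Flags [S], seq 10002, win 29200, length 0
10:01:02.120000 IP 192.0.2.10.45680 > 203.0.113.5.25: Flags [S], seq 10003, win 29200, length 0
10:01:02.130000 IP 203.0.113.5.25 > 192.0.2.10.45678: Flags [S.], seq 777, ack 10002, win 65535, length 0
10:01:03.000000 IP 203.0.113.77.51234 > 192.0.2.10.6667: Flags [S], seq 555, win 65535, length 0
10:01:03.500000 IP 198.51.100.20.33000 > 192.0.2.10.80: Flags [S], seq 556, win 65535, length 0'

# New outbound SMTP connections (pure SYN, so the "[S]," flag field, not the
# "[S.]," SYN-ACK) per destination host. $1 = this host's IP.
# Output "<count> <destination>", highest first.
outbound_smtp_syns() {
    awk -v me="$1" '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            n = split($3, s, "."); m = split($5, d, "."); sub(/:$/, "", d[m])
            src = s[1] "." s[2] "." s[3] "." s[4]
            dst = d[1] "." d[2] "." d[3] "." d[4]
            if (src == me && d[m] == "25") count[dst]++
        }
        END { for (h in count) print count[h], h }' | sort -rn
}

# Total outbound SMTP connection attempts, to compare with the number of
# mails the machine is supposed to send in the same period.
outbound_smtp_total() {
    outbound_smtp_syns "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# MX lookups, one domain per line: a bot hunting for victims resolves MX
# records for many unrelated domains shortly before connecting to port 25.
mx_queries() {
    awk '$2 == "IP" && $7 == "MX?" { sub(/\.$/, "", $8); print $8 }'
}

# New inbound connections to this host, skipping the ports you expect.
# $1 = this host's IP, $2 = space-separated expected ports, e.g. "22 80 443".
# Anything else (here an IRC-style port 6667) deserves a look: it may be
# the control channel of whatever is sending the mail.
inbound_syns() {
    awk -v me="$1" -v ok="$2" '
        BEGIN { k = split(ok, p, " "); for (i = 1; i <= k; i++) expected[p[i]] = 1 }
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            n = split($3, s, "."); m = split($5, d, "."); sub(/:$/, "", d[m])
            src = s[1] "." s[2] "." s[3] "." s[4]
            dst = d[1] "." d[2] "." d[3] "." d[4]
            if (dst == me && !(d[m] in expected)) print "port " d[m] " from " src
        }'
}

# Demo on the constructed sample. For a live capture of, say, 10000 packets:
#   tcpdump -nn -l -c 10000 -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn or udp port 53' \
#       | tee capture.txt | outbound_smtp_syns 192.0.2.10
echo "== outbound SMTP connections per destination =="
printf '%s\n' "$SAMPLE_TCPDUMP" | outbound_smtp_syns 192.0.2.10
echo "== total outbound SMTP connections =="
printf '%s\n' "$SAMPLE_TCPDUMP" | outbound_smtp_total 192.0.2.10
echo "== MX lookups =="
printf '%s\n' "$SAMPLE_TCPDUMP" | mx_queries
echo "== unexpected inbound connections =="
printf '%s\n' "$SAMPLE_TCPDUMP" | inbound_syns 192.0.2.10 "22 80 443"
```

The counts only print at end of input, so give tcpdump a packet limit (`-c`) or a fixed run time. Once the capture shows outbound port 25 traffic you cannot account for, `netstat -tnp` (as root) lists the established connections together with the PID and program that own them, which is the fastest way from "the box is sending" to "this process is sending".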
