*Found em*ARGH!!!! I need to track down a spammer on our server

Mucman

Diamond Member
Oct 10, 1999
7,246
1
0
This person is trying to send 50k emails (they are getting rejected because we are not an open relay). All these requests are swamping the mail server and causing it to crash.

The logs don't say which website is sending it so troubleshooting this is a b!tch :(
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
You're telling me the mail software doesn't log the IP that tried to send mail it rejected? Must be running Windows =)

Try just typing 'netstat' from the command line, should give you a list of IP connections and the offender probably has a large number of them.
Or if you have anyone with some programming background it wouldn't take much time to whip together a program that listens on port 25 and just logs all the connection attempts to a file; if he's really trying to send ~50,000 messages it'll be easy to spot him from the list of legitimate mailers.

What do you plan on doing when you do find out the IP of the abuser?
 

Mucman

Diamond Member
Oct 10, 1999
7,246
1
0
God these logs suck!

The server has 200 websites (all have their own IP). How can I find out which website is using MS SMTP Service to send out this crap? The log files don't help and since they are using invalid domain names (which is why they do not get relayed) I have no clue which site it is.

Please help!

No searching has come up with any good ways to troubleshoot this.
 

Drakkhen

Senior member
Nov 9, 1999
824
0
71
The server has 200 websites?

The logs that exist under \winnt\system32\logs\ should show you any failures to relay, as long as logging is turned on under the smtp service.

Just to clarify, what version OS are you running?
 

Mucman

Diamond Member
Oct 10, 1999
7,246
1
0
The problem is that SMTP uses the default website IP to send mail... so everything goes out through the server's first IP. This doesn't help when there is an entire class C on there :(
 

Mucman

Diamond Member
Oct 10, 1999
7,246
1
0
Yeah I know but it doesn't say which IP it is... Both mail and WWW servers are running NT4 SP6

Here is what one line in the log file shows
03:00:51 NDR Thread NDR message User+alder@hehe.com+in+file+002c50600210a12WWW4.eml+was+NDRed+to+file+004395100030b12WWW4.eml 0

 

Mucman

Diamond Member
Oct 10, 1999
7,246
1
0
After looking through hundreds of W3SVC logs we found the culprits. Some 1337 h4x0rs are using formmail.pl using GET and POST :(.

So our clients aren't doing it but some script kiddiots are scanning for formmail.pl and running it (even though it's not working).
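The hunt Mucman describes (reading W3SVC logs until the requests for formmail.pl stand out) can be automated. The following Python script is an added example, not code from the thread; the log excerpt inside it is constructed in the IIS W3C extended format, and the IP addresses and the `/cgi-bin/` and `/scripts/` paths are assumptions. It reads the `#Fields:` header to find the client-IP, method and URI columns, counts every request for formmail.pl per client IP and HTTP method, and ranks the sources by volume so a scanner hammering one script is obvious next to ordinary visitors.

```python
from collections import Counter, defaultdict

# Constructed sample of an IIS W3C extended log (W3SVC), not taken from the thread.
# 203.0.113.7 plays the scanner; 198.51.100.22 is an ordinary visitor that also
# probed once (IPs are documentation ranges, paths are assumed).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2002-03-05 03:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-05 03:00:01 198.51.100.22 GET /index.html - 200
2002-03-05 03:00:02 203.0.113.7 POST /cgi-bin/formmail.pl - 200
2002-03-05 03:00:03 203.0.113.7 POST /cgi-bin/formmail.pl - 200
2002-03-05 03:00:04 203.0.113.7 GET /cgi-bin/FormMail.pl recipient=victim%40example.com 200
2002-03-05 03:00:05 198.51.100.22 GET /scripts/formmail.pl - 404
2002-03-05 03:00:06 203.0.113.7 POST /cgi-bin/formmail.pl - 200
"""

# Script names to look for; matching is case-insensitive on the URI stem.
TARGET_SCRIPTS = ("formmail.pl",)


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields matters for interpreting the rest.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # request line before any #Fields header: cannot interpret
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_script_abusers(text, scripts=TARGET_SCRIPTS):
    """Count requests for the named CGI scripts, keyed by client IP then HTTP method."""
    hits = defaultdict(Counter)
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if any(stem.endswith("/" + s) for s in scripts):
            hits[rec["c-ip"]][rec["cs-method"].upper()] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


def rank_by_volume(hits, minimum=1):
    """Return (ip, total_requests) pairs, busiest first, dropping IPs below `minimum`."""
    totals = [(ip, sum(counts.values())) for ip, counts in hits.items()]
    return sorted((t for t in totals if t[1] >= minimum), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    abusers = find_script_abusers(SAMPLE_LOG)
    for ip, total in rank_by_volume(abusers):
        print(f"{ip:16} {total:4} requests  {abusers[ip]}")
```

On a real server you would feed it the contents of each `ex*.log` under the W3SVC directories instead of `SAMPLE_LOG`; because the parser keys on the `#Fields:` header rather than fixed column positions, logs from sites with different field selections can be concatenated and processed together. Raising `minimum` filters out the one-off probes and leaves the sources actually driving the mail volume.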
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0

<< You're telling me the mail software doesn't log the IP that tried to send mail it rejected? Must be running Windows >>

DO YOU HAVE TO TROLL LIKE THIS NOTHINMAN?
I'm sick of it.
You know SFA about it anyhow.
 

Mucman

Diamond Member
Oct 10, 1999
7,246
1
0
Take it easy on Nothinman! He has helped me a lot on this forum. So what if he is a little biased, at least he has some valid reasons.

Let's focus our anger on the stupid spammers out there!!!
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
<< DO YOU HAVE TO TROLL LIKE THIS NOTHINMAN?
I'm sick of it. >>

But you didn't contest my claim, or offer him any help. And you have to admit that in general Windows programs don't create detailed enough logs.

<< You know SFA about it anyhow. >>

SFA?