I’ve seen my fair share of spam in my day; however, in a lot of cases a server has a sysadmin who doesn’t quite know what to look for in order to track it down. In fact a lot of these machines are caught because they crash under the load put on them. While my methods are probably not the best way of doing it, they do work, and you can clean a queue out without just deleting everything and starting over. First things first: on a CPanel/Exim box (the most common setup you’ll see if you do CPanel hosting) we simply go into /var/spool/exim/input. At this point you will see a bunch of directories; there should be 62 here: the letters A through Z in both upper and lower case, plus 0 through 9. These are the subdirectories the queue is split into. If we do
[root@dns01 input]: ls ./* -lh
here you will see a bunch of files ending in -D (message data) and -H (headers) if your queue is being stuffed. If it is empty, you may still be sending spam, just at a lower rate. Now then, let’s say that we happen to have a spamming problem; there are a few things we can do here. The first thing we need to do is isolate the source of the problem, if at all possible. After that, removing everything (directories and all) is an option, especially if you’re doing low-end or free shared hosting. If you have to preserve your ham, though, you will have to clean. The first thing that needs to be done is to figure out what content is there. I prefer to view a few of these emails and find a topic in them. So let’s say your email is about some Nigerian king who is poisoned. All we would have to do is run:
[root@dns01 input]: grep -ilr 'Nigeria' ./* > check
This will populate the file check with the names of the files containing “Nigeria”. These are our probable spam messages. You may lose a few legitimate emails this way, but the vast majority will be safe. If you use a phrase, you are virtually assured that no legit emails will be deleted.
So we would do something like this:
[root@dns01 input]: sed -i -e 's/^/rm -f /' check
[root@dns01 input]: sed -i -e 's/-D$/-*/' check
[root@dns01 input]: chmod 755 check
[root@dns01 input]: ./check
This turns each line of check into an rm -f command, swaps the -D suffix for a wildcard so the matching -H header file goes too, and then runs it, deleting the emails and their associated headers. (sed needs -i to edit check in place; without it the output only goes to the screen and check is left unchanged.) While this isn’t too hard, spammers are like mice, or roaches. Once they find a way in they are sure to be back. To this end we need to at least try to find the hole before we delete the evidence. We can actually move the messages instead, which allows us to view them at our convenience, or we can evaluate the headers in the input directory. There are two things I tend to look for.
- Rogue PHP scripts
- Open Relays
PHP scripts can be a hotbed of insecurity on many servers. Personally I’m not a fan of how a lot of people use or misuse them. That said, they are a necessary evil because of how much functionality PHP adds to a site. The quickest and dirtiest thing to add is mail() headers, a patch that stamps every message sent through PHP’s mail() with the script that sent it. This can be done via EasyApache, or you can download the latest and greatest from http://choon.net/php-mail-header.php. This gives you something convenient to track with. Now then, all you have to do is run
[root@dns01 input]: grep -ir php ./*
before you delete the email, and you will get every mention of a PHP file name in the queue. All you have to do is find the one(s) with a lot of entries: they are either going to be message boards or other mailing lists, or they are going to be spam scripts. Pretty simple.
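As an added example, not code from the original post, the following script does both of the above on a CPanel/Exim queue layout (<spool>/<one-character dir>/<id>-D data file beside <id>-H header file): it tallies which PHP script is named most often in the queued headers, and it quarantines every message whose body matches a phrase by moving the -D, -H (and -J, if present) files together into a holding directory rather than deleting them, so the headers are still there to trace the hole. The X-PHP-Script header name, the example.invalid script paths, and all message IDs in the demo spool are assumptions and constructed sample data; the page itself only greps for "php".

```shell
#!/bin/sh
# Added example, not code from the original post. Two helpers for the
# CPanel/Exim queue layout described above: <spool>/<one-char dir>/<id>-D
# (message data) next to <id>-H (headers). The X-PHP-Script header name
# and every value in the demo spool are assumptions / constructed data.

# Rank header lines mentioning "php" across all queued -H files, most common
# first, so the busiest script stands out.
# Usage: tally_php_scripts /var/spool/exim/input
tally_php_scripts() {
    spool="$1"
    grep -ih -- 'php' "$spool"/*/*-H 2>/dev/null | sort | uniq -c | sort -rn
}

# Move every message whose body matches the phrase (data, header and journal
# files together) into a quarantine directory; print how many were moved.
# Usage: quarantine_matching /var/spool/exim/input 'Nigeria' /root/quarantine
quarantine_matching() {
    spool="$1"; phrase="$2"; quar="$3"
    mkdir -p "$quar"
    list="$quar/check"                  # same role as the post's "check" file
    # -l lists matching file names only; keep just the -D (body) files
    grep -ilr -- "$phrase" "$spool" 2>/dev/null | grep -- '-D$' > "$list" || true
    moved=0
    while read -r dfile; do
        base="${dfile%-D}"              # message path without the -D suffix
        for suffix in D H J; do         # -J is Exim's delivery journal, if present
            f="${base}-${suffix}"
            if [ -f "$f" ]; then mv "$f" "$quar/"; fi
        done
        moved=$((moved + 1))
    done < "$list"
    echo "$moved"
}

# Build a small constructed spool: two messages sent by one rogue script and
# one legitimate message from a contact form. All values are made up.
make_demo_spool() {
    spool="$1"
    mkdir -p "$spool/a" "$spool/b"
    printf 'X-PHP-Script: example.invalid/~user/mailer.php for 10.0.0.1\nSubject: Hello\n' \
        > "$spool/a/1aBcDe-000001-AA-H"
    printf 'Dear friend, I am a Nigerian prince.\n' > "$spool/a/1aBcDe-000001-AA-D"
    printf 'X-PHP-Script: example.invalid/~user/mailer.php for 10.0.0.1\nSubject: Winner\n' \
        > "$spool/a/1aBcDf-000002-AA-H"
    printf 'You won the NIGERIA national lottery.\n' > "$spool/a/1aBcDf-000002-AA-D"
    printf 'X-PHP-Script: example.invalid/contact.php for 10.0.0.2\nSubject: Invoice\n' \
        > "$spool/b/1aBcDg-000003-BB-H"
    printf 'Attached is your invoice for March.\n' > "$spool/b/1aBcDg-000003-BB-D"
}

# Stand-alone demo on a throwaway spool under $TMPDIR (never the live queue).
demo="${TMPDIR:-/tmp}/exim-demo.$$"
make_demo_spool "$demo/input"
echo "PHP scripts named in queued headers:"
tally_php_scripts "$demo/input"
n=$(quarantine_matching "$demo/input" 'Nigeria' "$demo/quarantine")
echo "quarantined $n message(s); left in queue:"
ls "$demo/input"/*
rm -rf "$demo"
```

On a real box, run the tally first and keep the quarantine directory outside /var/spool/exim so Exim never picks the moved files back up; once the offending script is found, the quarantined -D/-H pairs can be deleted or inspected at leisure.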
As for open relays, just find a checker via your search engine of choice and go to town. Telnet can also make a fun checking tool to see whether your server relays or not, but that is likewise another episode.