Catching Spammers on Linux Servers

How to catch Spammers from the server:

Follow the steps given below to catch Spammers sending mails from scripts ( nobody emails ) :-

1. Edit /etc/exim.conf

2. On the second line add :

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection+queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

Note - Make sure all that comes on a single line.

3. Save and exit.


4. Restart Exim.
if the spammer is not spamming using formmail scripts then go through following steps

:-

1 > Get the message ID from the header of the spam. It should be in format like

1DWJj4-00042i-74 ( this is the most important step else all thats given below is crap )

2 > grep exim_mainlog with the message ID ( Ex : grep 1DWJj4-00042i-74

/var/log/exim_mainlog )

Also you can install spamlogs on the server to catch nobody spammer:

Step 1)
Login to your server and su - to root.

Step 2)
Turn off exim while we do this so it doesn't freak out.
/etc/init.d/exim stop

Step 3)
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the
sendmail file is just basically a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:

#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n";
}
else {

print INFO "$date - $PWD - @infon";

}
my $mailprog = '/usr/sbin/sendmail.hidden';
foreach (@ARGV) {
$arg="$arg" . " $_";
}

open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!n";
while ( ) {
print MAIL;
}
close (INFO);
close (MAIL);

Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail going out of the server
using web scripts
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step 8)
Monitor your spam_log file for spam, try using any formmail or script that
uses a mail function - a message board, a contact script.
tail - f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005
- /home/username/public_html/directory/subdirectory - nobody x 99 99
Nobody / /sbin/nologin

Log Rotation Details
Your spam_log file isn't set to be rotated so it might get to be very large
quickly. Keep an eye on it and consider adding it to your logrotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

Notes:
You may also want to chattr + i /usr/sbin/sendmail so it doesn't get
overwritten.

Enjoy:)


If you need any assistance, We can provide you for a small fee. please email us mayur.c24@gmail.com

    0 comments: