Postfix and web script security HELP?!
Hello all, I've secured my server as far as outside connections to SMTP using it as a spam relay -- it passes all the tests at http://www.abuse.net/ and has been running without issue for over a year now.
However, I've recently been attacked by some spammer who has found a way, I assume via web script, to send buttloads of spam from my server.
I cannot figure out with postfix's logging how to determine WHAT script may be triggering it out of the 30 some odd sites I host. I ran a "locate" on .cgi and .pl files within web directories, and found nothing that looks suspect. PHP files, on the other hand, are quite ubiquitous. However, I know what packages people have installed for the most part:
phpbb (newest version)
oscommerce (newest version I think)
xoops (newest version)
I can't find any documented exploits on ANY of these as far as spam is concerned. There are SQL injection concerns in one or two places, but I've made sure my users have patched for that.
How can I determine WHAT script it is that's sending mail? Is there a way to set up postfix to log the calling script?
This is causing me a world of trouble, as hotmail now tosses ALL mail from my server into "junk mail", and mail sent from my server to AOL users is either vastly delayed, or lost altogether. This just started yesterday and I can't figure out what's going on. The logs postfix has are very NOT informative. I tried starting postfix by doing a postfix -v start and the logs look no more "verbose" than they already are.
Thanks for any help anyone can offer...
Oh, my apache runs as www, and spam bounces are coming to www@my.server.com -- hence my being pretty certain that it's a web script causing this.
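Added example, not part of the original post: Postfix logs each local (sendmail-command) submission as a `postfix/pickup` line carrying the submitting uid, but not the calling script, so this sketch lines up pickups made by the web server's uid with POST requests logged by Apache in the seconds just before. Assumptions: the `www` user is uid 80 (check with `id -u www`), each site's access log is in common log format and in the same timezone as the mail log, and all log lines, site labels and paths below are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, not taken from the original post.
MAILLOG = """\
Mar  3 14:02:11 host postfix/pickup[811]: 4C1A22F01: uid=80 from=<www>
Mar  3 14:02:11 host postfix/qmgr[412]: 4C1A22F01: from=<www@my.server.com>, size=2104, nrcpt=50 (queue active)
Mar  3 14:02:14 host postfix/pickup[811]: 7D90B2F07: uid=80 from=<www>
Mar  3 14:05:40 host postfix/pickup[811]: 9E3312F0A: uid=1001 from=<alice>
"""
ACCESS = [  # (site label, common-log-format line), one label per hosted site
    ("site-a", '203.0.113.9 - - [03/Mar/2005:14:02:10 -0500] "POST /contact/form.php HTTP/1.0" 200 512'),
    ("site-a", '203.0.113.9 - - [03/Mar/2005:14:02:13 -0500] "POST /contact/form.php HTTP/1.0" 200 512'),
    ("site-b", '198.51.100.4 - - [03/Mar/2005:14:02:12 -0500] "GET /index.php HTTP/1.1" 200 9000'),
    ("site-b", '198.51.100.4 - - [03/Mar/2005:13:40:00 -0500] "POST /login.php HTTP/1.1" 302 0'),
]

PICKUP = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/pickup\[\d+\]: (\w+): uid=(\d+) ")
REQUEST = re.compile(r'\[([^ \]]+) [^\]]*\] "(\w+) (\S+)')

def web_pickups(maillog, web_uid, year):
    """Return (time, queue id) for every local submission made by web_uid."""
    found = []
    for line in maillog.splitlines():
        m = PICKUP.match(line)
        if m and int(m.group(3)) == web_uid:
            # Syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            found.append((ts, m.group(2)))
    return found

def suspects(maillog, access, web_uid, year, window=5):
    """Count, per (site, path), the web-uid pickups preceded by a POST within `window` seconds."""
    posts = []
    for site, line in access:
        m = REQUEST.search(line)
        if m and m.group(2) == "POST":  # narrowing assumption: mail is triggered by POSTs
            when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            posts.append((when, site, m.group(3)))
    hits = Counter()
    for ts, _queue_id in web_pickups(maillog, web_uid, year):
        near = {(site, path) for when, site, path in posts
                if timedelta(0) <= ts - when <= timedelta(seconds=window)}
        hits.update(near)  # each pickup counts once per candidate script
    return hits

if __name__ == "__main__":
    for (site, path), n in suspects(MAILLOG, ACCESS, web_uid=80, year=2005).most_common():
        print(f"{n:4d} pickups shortly after POST {path} on {site}")
```

The counts are a correlation, not proof: a busy script that never sends mail can also land inside the window, so the top candidates still need to be read.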