Slow Spamming - Familiar?

Dear All,

I am currently investigating a rather atypical (at least for us) spam problem. I think I have found the source. In a user's crontab, there is an entry saying:

* * * * * ab -n 99999999999999999999999999 -c 5000 http://www.mangaforums.org/

The /sbin/initlog appears to be the one calling sendmail, and mailnull is used as the identity. When I remove it, the spamming stops; when it is re-entered, it starts again.

We have a limit of 300 mails per hour, but they are sending far less than that (around 30 per hour - of which about 5 return an undeliverable message). The only reason we noticed was because of the slow but steadily increasing mail queue. All reply-to domains appear to be centered around the word "reply" (replyswiftly, turboreply, etc.).

Have any of you experienced this before? Do you know what the crontab entry fetches? Do I have any reason to believe that the /sbin/initlog file has been compromised, or is this the normal caller of sendmail?

Thanks in advance!