To identify PHP Spam when running PHP 5.3 or higher: (Please note the variables below are not enabled by default in php.ini) utilize the following php.ini variable to narrow down the offending script.<\/p>\n
If you suspect there is a PHP script sending out email (and it is still doing so) try adding these two lines: X-PHP-Originating-Script:<\/strong><\/p>\n to the exim email header (the header variable should only show up when PHP does the sending). So, for example if you had a a PHP script sending from bad_script.php the header would look something like:<\/p>\n X-PHP-Originating-Script: 500:bad_script.php<\/strong><\/p>\n You can actually search the queue for this header (btw, this doesn’t show up in the regular exim_mainlog) by using: mail()<\/strong><\/p>\n is used. A simple output would be similar to: Ejoy!<\/p>\n p.s.<\/p>\n If you need a spamfu script that identifies spam coming from the server, try this one. This is a script designed to help you find the source of spam quickly. It currently can parse spam from the email queue as well as the exim logs. (Big ups to mwineland for the script; he rox!)<\/p>\n #Global variables # Logfile checking variables: ############################################# # Check for emails that were sent from scripts # Checks for emails that were sent by a user # Checks for emails sent by # Show the address the most bounce backs # Does a check for emails sent by a email address # Shows what IP's sent the most emails # Shows single emails that had the most recipients ################################################## # Sends script version information to my server ################################################### function spamfu_init if [ -z $spamfu_option ]; then if ! [ $spamfu_option -ge 1 -a $spamfu_option -le 3 ];then if [ $spamfu_option = \"1\" ]; then if [ $spamfu_option = \"2\" ]; then if [ $spamfu_option = \"3\" ]; then ####################################################### function queue_init read queue_option<\/p>\n if [ -z $queue_option ]; then ####################################################### function logs_init if ! [ $logmenu_option -ge 1 -a $logmenu_option -le 5 ];then if [ $logmenu_option = \"1\" ]; then if [ $logmenu_option = \"2\" ]; then if [ $logmenu_option = \"3\" ]; then if [ $logmenu_option = \"4\" ]; then if [ $logmenu_option = \"5\" ]; then ################################<\/p>\n function logfile_menu # create an array called LOG_LIST with a list of any file in $LOGDIR # save the number of files in the array and subtract 1 # Create the menu with a loop of 1 to however many files are in the array if [ $(echo \"$logmenu_option\" | grep -E \"^[0-9]+$\") ]; then }<\/p>\n ###########################<\/p>\n function logline_menu function logcheck_menu #################################################### check_logs() check_for_scripts() check_for_auth() BEGIN { { NUM_ADDRESSES=0 '` # This is where the functions that were declared above if [ $CHECK_FOR_SCRIPTS = \"true\" ]; then if [ $CHECK_FOR_AUTH = \"true\" ]; then if [ $CHECK_FOR_ACCOUNT = \"true\" ]; then if [ $CHECK_FOR_BOUNCES = \"true\" ]; then if [ $CHECK_MOST_DOMAIN = \"true\" ]; then if [ $CHECK_MOST_IP = \"true\" ]; then if [ $CHECK_MOST_RCPTS = \"true\" ]; then }<\/p>\n ############################################# # Set timer for parsing the queue unless it is 0 (unlimited) # Find emails in exim's spool folder # Parse the queue_tmp variable to sort by auth_id echo -e \"Parsed `echo -e \"$queue_tmp\" | wc -l` emails out of $queue_total in the queue with a $queue_timeout second timeout\" queue_senders_tmp=`echo \"$queue_senders\" | awk '{print $3}'`<\/p>\n for each in `echo \"$queue_senders_tmp\"` clear To install this script<\/p>\n To identify PHP Spam when running PHP 5.3 or higher: (Please note the variables below are not enabled by default in php.ini) utilize the following php.ini variable to narrow down the offending script. If you suspect there is a PHP script sending out email (and it is still doing so) try adding these two lines:… <\/p>\n
\n
\n mail.add_x_header = On
\n mail.log = \/var\/log\/php_mail.log
\n<\/code>
\nto the [mail] section of:
\n
\n \/usr\/local\/lib\/php.ini
\n<\/code>
\n
\nAlso make sure to create the log file manually otherwise you may get permissions errors and it won’t work:
\n
\n touch \/var\/log\/php_mail.log
\n chmod 666 \/var\/log\/php_mail.log
\n<\/code>
\nThe first variable adds:<\/p>\n
\n
\n exiqgrep 'X-PHP-Originating-Script'
\n<\/code>
\nThis should give you a list of emails that have that have been sent using PHP or, if you know the script name, you could also use:
\n
\n exiqgrep 'bad_script.php'
\n<\/code>
\nThis should give you a list of emails that have that have that script name in it and if you’re REALLY sure that only spam emails are listed you could use:
\n
\n exiqgrep -i 'bad_script.php' | xargs exim -Mrm
\n<\/code>
\nwhich filters out all the emails with bad_script.php in it, then only displays the message ids and then delete them.<\/p>\n
\nThe above header information is really useful, but when combined with the mail.log variables can be useful. This causes PHP to record whenever:<\/p>\n
\n
\n mail() on [\/home\/user\/public_html\/bad_script.php:11]: To: alice@domain.com -- Headers: From: eve@other.net Reply-To: bob@next.org Content-type: text\/html; charset=iso-8859-1
\n<\/code>
\nIf you were to compare the cwd output of a spam script to this log you could get a pretty good idea of where the spam is coming from.<\/p>\n
\n#!\/bin\/bash<\/p>\n
\nqueue_total=`exim -bpc` # Saving how many emails are currently in the queue
\nversion='1.1.1'<\/p>\n
\nLOGDIR=\/var\/log
\nLOGFILE=exim_mainlog
\nGREP=\"grep\"
\nNUM_RCPTS=15<\/p>\n
\n# User changeable variables to choose which #
\n# checks are performed during log parsing #
\n############################################<\/p>\n
\n# by searching for CWD
\nCHECK_FOR_SCRIPTS=\"true\"<\/p>\n
\n# that logged in with a password
\nCHECK_FOR_AUTH=\"true\"<\/p>\n
\n# a cpanel\/system account
\nCHECK_FOR_ACCOUNT=\"true\"<\/p>\n
\n# were returned to
\nCHECK_FOR_BOUNCES=\"false\"<\/p>\n
\n# However this can be forged, may get rid of this function
\nCHECK_MOST_DOMAIN=\"false\"<\/p>\n
\n# 127.0.0.1 is common if sent via script\/webmail
\nCHECK_MOST_IP=\"false\"<\/p>\n
\nCHECK_MOST_RCPTS=\"true\"<\/p>\n
\n# !!!END OF USER DEFINABLE VARIABLES!!! #
\n##################################################<\/p>\n
\n#commented out because the domain expired
\n#curl --connect-timeout 5 -d \"version=$version\" http:\/\/morzain.net\/spamfu\/spamfu.php<\/p>\n
\n###################################################
\n# This is the main menu of the script #
\n# This asks you to check the logs, queue, or exit #
\n###################################################
\n###################################################<\/p>\n
\n{
\n echo \"####################################\"
\n echo \"\"
\n echo \"SpamFu for Dummies:\"
\n echo \"There are currently ${queue_total} emails in the queue\"
\n echo \"\"
\n echo \"What would you like to do?:\"
\n echo \" (1) Check for spammers via email logs\"
\n echo \" (2) Check for spammers via emails in the queue\"
\n echo \" (3) Exit\"
\n echo -n \"Select option: \"
\n read spamfu_option<\/p>\n
\n spamfu_init
\n else
\n echo \"You have selected $spamfu_option\"
\n fi<\/p>\n
\n echo Invalid option
\n spamfu_init
\n fi<\/p>\n
\n logs_init
\n fi<\/p>\n
\n queue_init
\n fi<\/p>\n
\n echo \"Exiting\"
\n exit
\n fi
\n}<\/p>\n
\n#######################################################
\n# This is the menu for checking the queue #
\n# It asks you how many seconds to check the queue for #
\n#######################################################
\n#######################################################<\/p>\n
\n{
\n echo \"There are currently ${queue_total} emails in the queue\"
\n echo \"\"
\n echo \"Parsing the entire queue can take a while\"
\n echo \"Instead we can look at a snapshot of the emails in the queue\"
\n echo -n \"How many seconds would you like to parse the queue for? 0 is unlimited [0]: \"<\/p>\n
\n echo \"\"
\n echo \"You have selected: 0 (unlimited)\"
\n echo \"\"
\n queue_timeout=\"0\"
\n check_queue
\n elif
\n echo $queue_option | grep -Eq '^[0-9]{0,3}?\\.?[0-9]+$'; then
\n queue_timeout=$queue_option
\n echo \"Setting timeout to ${queue_timeout} seconds\"
\n check_queue
\n else
\n echo \"\"
\n echo \"****************************\"
\n echo \"Please enter a valid integer\"
\n echo \"****************************\"
\n echo \"\"
\n queue_init
\n fi
\n}<\/p>\n
\n#######################################################
\n# This is the menu for checking the logs #
\n#######################################################
\n#######################################################<\/p>\n
\n{
\n echo \"\"
\n echo \"##########################################################\"
\n echo \"Parsing a large file with lots of checks can take a while\"
\n echo \"Choose options to pick which logfile, which checks to perform\"
\n echo \"as well as how many lines of the file to parse\"
\n echo \"\"
\n echo \"LOGFILE: `echo $LOGFILE | awk '{print $1}'`\"
\n echo \"SIZE: `du -sh $LOGDIR\/$LOGFILE | awk '{print $1}'`\"
\n echo \" (1) Proceed with check\"
\n echo \" (2) Change log file\"
\n echo \" (3) Change which checks are performed\"
\n echo \" (4) Change how many lines to parse\"
\n echo \" (5) Main Menu\"
\n echo -n \"Select option: \"
\n read logmenu_option<\/p>\n
\n echo Invalid option
\n logs_init
\n fi<\/p>\n
\n check_logs
\n fi<\/p>\n
\n logfile_menu
\n fi<\/p>\n
\n logcheck_menu
\n fi<\/p>\n
\n logline_menu
\n fi<\/p>\n
\n spamfu_init
\n fi
\n}<\/p>\n
\n{
\nLOG_NUMBER=0
\n echo \"\"
\n echo \"######################################\"
\n echo \"choose one of the following:\"<\/p>\n
\n # that starts with exim_mainlog
\n for logfile in `ls $LOGDIR\/exim_mainlog*`; do
\n let \"LOG_NUMBER += 1\"
\n LOG_LIST[$LOG_NUMBER]=`echo $logfile | awk -F\/ '{print $NF}'`
\n done<\/p>\n
\n # becuase we want to start at 1 instead of 0
\n LOG_NUMBER=${#LOG_LIST[@]}
\n# let \"LOG_NUMBER -= 1\"<\/p>\n
\n for i in `seq 1 $LOG_NUMBER`; do
\n echo \" ($i) `du -sh $LOGDIR\/${LOG_LIST[$i]} | awk '{print $1}'` ${LOG_LIST[$i]}\"
\n done
\n echo -n \"Select option: \"
\n read logmenu_option<\/p>\n
\n if [ $logmenu_option -le $LOG_NUMBER -a $logmenu_option -gt 0 ]; then
\n LOGFILE=${LOG_LIST[$logmenu_option]}
\n echo \"Using ${LOG_LIST[$logmenu_option]}\"
\n if [[ $(file $LOGDIR\/$LOGFILE | grep \"gzip\") ]]; then
\n GREP=\"zgrep\"
\n echo \"using zgrep\"
\n else
\n GREP=\"grep\"
\n echo \"using grep\"
\n fi
\n logs_init
\n else
\n echo \"Invalid option\"
\n logfile_menu
\n fi
\n else
\n echo \"Invalid option\"
\n logfile_menu
\n fi<\/p>\n
\n{
\n echo \"not implemented yet\"
\n logs_init
\n}<\/p>\n
\n{
\n echo \"not implemented yet\"
\n echo \"these can be modified by editing the script\"
\n logs_init
\n}<\/p>\n
\n####################################################
\n#Function to check the logs #
\n#Called if you choose that option on the main menu #
\n####################################################
\n####################################################<\/p>\n
\n{
\n # This sets a variable so we can ignore emails sent to domains on the server, as we only want outgoing emails.
\n # it takes the list of domains, adds \"for .*@\" to the front of each domain
\n # then replaces the newline characters with pipes, and removes the pipe that ends up at the end of the line
\n LOCAL_DOMAINS=`cat \/etc\/localdomains | sed 's\/^\/for .*@\/g' | tr '\\n' '|' | sed 's\/|$\/\/'`<\/p>\n
\n {
\n echo \"Checking for scripts...\"
\n SCRIPTED_EMAILS=`$GREP -o \" cwd=[[:alnum:][:graph:]]*\" $LOGDIR\/$LOGFILE | grep -v spool | sort | uniq -c | sort -rn | head`
\n echo \"Emails sent from scripts:\"
\n echo \"$SCRIPTED_EMAILS\"
\n echo
\n }<\/p>\n
\n {
\n echo \"Checking for auth users...\"
\n AUTH_EMAILS=`$GREP '< =' $LOGDIR\/$LOGFILE | egrep -o \" A\\=(fixed|courier|dovecot)_(login|plain):[[:alnum:][:graph:]]*\" | cut -d: -f2 | sort | uniq -c | sort -rn | head`\n echo \"Most emails sent by authenticated users:\"\n echo \"$AUTH_EMAILS\"\n echo\n }\n\n check_for_account()\n {\n echo \"Checking for cpanel\/system accounts...\"\n ACCOUNT_EMAILS=`$GREP '<=' $LOGDIR\/$LOGFILE | egrep -v \"$LOCAL_DOMAINS\" | grep -v ' U=mailnull' | grep -o \" U=[[:alnum:][:graph:]]*\" | cut -d= -f2 | sort | uniq -c | sort -rn | head`\n echo \"Emails sent from cpanel\/system accounts:\"\n echo \"$ACCOUNT_EMAILS\"\n echo\n }\n\n check_for_bounces()\n {\n echo \"Checking for bounces...\"\n BOUNCE_BACKS=`$GREP \" U=mailnull.*returning message\" $LOGDIR\/$LOGFILE | grep -o \" for [[:alnum:][:graph:]]*@[[:alnum:][:graph:]]*\" | cut -d' ' -f3 | sort | uniq -c | sort -rn | head`\n echo \"Most bounces returned to:\"\n echo \"$BOUNCE_BACKS\"\n echo\n }\n\n check_most_domain()\n {\n echo \"Checking 'from' addresses...\"\n MOST_SENT_DOMAIN=`$GREP '<=' $LOGDIR\/$LOGFILE | grep -v mailnull | egrep -v \"$LOCAL_DOMAINS\" | cut -d\" \" -f6 | sort | uniq -c | sort -rn | head`\n echo \"Most frequent senders by 'from' address:\"\n echo \"Note: Could be forged addresses\"\n echo \"$MOST_SENT_DOMAIN\"\n echo\n }\n\n check_most_ip()\n {\n echo \"Checking for sender IP...\"\n MOST_SENT_IP=`$GREP '<=' $LOGDIR\/$LOGFILE | egrep -v \"$LOCAL_DOMAINS\" | grep -o ' H=.*\\ \\[[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\]' | grep -o '[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}' | sort | uniq -c | sort -rn | head`\n echo \"Most frequent senders by IP address:\"\n echo \"$MOST_SENT_IP\"\n echo\n }\n\n check_most_rcpts()\n {\n echo \"Checking for recipients...\"\n MOST_RCPTS=`$GREP '<=' $LOGDIR\/$LOGFILE | grep -v mailnull | egrep -v \"$LOCAL_DOMAINS\" | awk -v NUM_RCPTS=\"$NUM_RCPTS\" ' \n\n function shift_list(x)\n {\n y=x\n x++\n while (x <= NUM_RCPTS)\n {\n TOP_RCPTS[x] = TOP_RCPTS[y]\n MAIL_ID[x] = MAIL_ID[y]\n SENDER_ID[x] = SENDER_ID[y]\n x++\n y++\n }\n }\n \n function save_current()\n {\n SENDER_ID[CUR_NUM]=$6\n MAIL_ID[CUR_NUM]=$4\n TOP_RCPTS[CUR_NUM]=NUM_ADDRESSES\n }\n \n function display_results()\n {\n CUR_NUM=1\n while (CUR_NUM <= NUM_RCPTS) {\n print MAIL_ID[CUR_NUM], \"with\", TOP_RCPTS[CUR_NUM], \"recipients was sent by\", SENDER_ID[CUR_NUM]\n CUR_NUM++\n }\n }\n \n function duplicate_check()\n {\n x=NUM_RCPTS\n y=x-1\n while (x > 0)
\n {
\n if (MAIL_ID[x] == MAIL_ID[y])
\n {
\n MAIL_ID[x]=0
\n TOP_RCPTS[x]=0
\n SENDER_ID[x]=0
\n }
\n x--
\n y--
\n }
\n }<\/p>\n
\n CUR_NUM=NUM_RCPTS
\n while (CUR_NUM > 0){
\n MAIL_ID[CUR_NUM] = 0
\n TOP_RCPTS[CUR_NUM] = 0
\n SENDER_ID[CUR_NUM] = 0
\n CUR_NUM--
\n }
\n }<\/p>\n
\n split($0,RCPTS_TMP,\"from.*for \")
\n split(RCPTS_TMP[2],RCPTS,\" \")<\/p>\n
\n for (ADDRESSES in RCPTS)
\n ++NUM_ADDRESSES
\n CUR_NUM=1
\n for (EACH in TOP_RCPTS)
\n {
\n if (NUM_ADDRESSES > TOP_RCPTS[CUR_NUM])
\n {
\n shift_list(CUR_NUM)
\n save_current()
\n duplicate_check()
\n break
\n }
\n CUR_NUM++
\n }
\n }
\n END {
\n display_results()
\n }<\/p>\n
\n echo \"Most recipients by Mail and Sender ID's:\"
\n echo \"$MOST_RCPTS\"
\n }<\/p>\n
\n # Are actually called, if their variables are set to true<\/p>\n
\n check_for_scripts
\n fi<\/p>\n
\n check_for_auth
\n fi<\/p>\n
\n check_for_account
\n fi<\/p>\n
\n check_for_bounces
\n fi<\/p>\n
\n check_most_domain
\n fi<\/p>\n
\n check_most_ip
\n fi<\/p>\n
\n check_most_rcpts
\n fi<\/p>\n
\n#############################################
\n# Function to check the emails in the queue #
\n#############################################
\n#############################################
\ncheck_queue()
\n{
\n #Function that stops the find command after X number of seconds
\n kill_it()
\n {
\n sleep $queue_timeout
\n PID=`ps aux | grep \"find \/var\/spool\/exim\/input\" | grep -v grep | awk '{print $2}'`
\n if [ -n \"${PID}\" ]; then
\n kill $PID
\n fi
\n }<\/p>\n
\n if [ \"$queue_timeout\" != \"0\" ]; then
\n kill_it &
\n fi<\/p>\n
\n queue_tmp=`find \/var\/spool\/exim\/input -name '*-H' | sed '$d' | xargs grep 'auth_id'`
\n echo \"Done finding emails, starting to parse\"<\/p>\n
\n queue_senders=`echo -e \"$queue_tmp\" | cut -d: -f2 | sort | uniq -c | sort -rn | head -n5`<\/p>\n
\n echo -e \"Highest number of emails in queue by auth_id:\"
\n echo -e \"$queue_senders\"
\n echo \"\"<\/p>\n
\n do
\n echo \"Example emails sent by $each:\"
\n echo \"$queue_tmp\" | grep $each | cut -d: -f1 | head -n5
\n echo \"\"
\n done
\n}<\/p>\n
\nspamfu_init
\n<\/code><\/p>\n
\nwget -O \/scripts\/spamfu.sh http:\/\/layer3.liquidweb.com\/scripts\/spamfu.sh
\nor
\ntouch \/scripts\/spamfu.sh
\nchmod +x \/scripts\/spamfu.sh
\n\/scripts\/spamfu.sh
\n<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"