--- On Fri, 8/15/08, thomas <tfj-online (at mark) mail.tele.dk> wrote:
> From: thomas <tfj-online (at mark) mail.tele.dk>
> Subject: [coba-e:13730] mail from local host
> To: coba-e (at mark) bluequartz.org
> Date: Friday, August 15, 2008, 5:28 AM
> Hi all,
>
> Today we face a problem with a lot of spam mails sent from
> sendmail: ./m7F9Maav020277 [127.0.0.1]: client DATA status
>
> sending out to a lot of (at mark) aol.com addresses !!!
>
> STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3,
> verify=FAIL
>
> these mails are all spam. How do we go about finding the
> culprit?
>
There are several ways. My guess would be an old vulnerable formmail CGI script or something similar. Look at the maillog and look at the time the first one started to go out. grep the access_log for that time and see if a CGI script was being accessed. Or, it's possible another type of vulnerable script allowed the spammer to place their own script. Also, if you allow your customers SMTP, it's possible one of your customers is the cause. They could have a trojan using your SMTP AUTH.
--
Dan Kriwitsky
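The log correlation Dan describes (take the injection time of the first spam message from the maillog, then look in access_log for a CGI script being hit at about that time) can be scripted. The following Python is an added example and is not from the thread or from BlueQuartz; the hostnames, queue IDs, addresses, IP addresses, the year 2008 for the syslog timestamps, and the window sizes are all assumptions, and the log excerpts are constructed to look like sendmail and Apache output rather than copied from any real server.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sendmail maillog excerpt (syslog format, no year). Every host,
# queue ID, address and IP here is invented; the MX IP is a documentation address.
MAILLOG = """\
Aug 15 08:40:12 web1 sendmail[19840]: m7F8eCQa019840: from=<alice@example.net>, size=820, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Aug 15 08:40:13 web1 sendmail[19841]: m7F8eCQa019840: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30820, relay=mx.example.org. [198.51.100.20], dsn=2.0.0, stat=Sent
Aug 15 09:21:58 web1 sendmail[20277]: m7F9Maav020277: from=<www@web1.example.net>, size=1450, class=0, nrcpts=40, msgid=<2@web1.example.net>, proto=ESMTP, daemon=MTA, relay=[127.0.0.1]
Aug 15 09:22:01 web1 sendmail[20281]: m7F9Maav020277: to=<user1@aol.com>, delay=00:00:03, xdelay=00:00:02, mailer=esmtp, pri=31450, relay=mailin-01.mx.aol.com. [192.0.2.25], dsn=2.0.0, stat=Sent
Aug 15 09:22:01 web1 sendmail[20281]: m7F9Maav020277: to=<user2@aol.com>, delay=00:00:03, xdelay=00:00:02, mailer=esmtp, pri=31450, relay=mailin-01.mx.aol.com. [192.0.2.25], dsn=2.0.0, stat=Sent
Aug 15 09:25:40 web1 sendmail[20310]: m7F9Peav020310: from=<www@web1.example.net>, size=1450, class=0, nrcpts=40, msgid=<3@web1.example.net>, proto=ESMTP, daemon=MTA, relay=[127.0.0.1]
Aug 15 09:25:42 web1 sendmail[20312]: m7F9Peav020310: to=<user3@aol.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=31450, relay=mailin-01.mx.aol.com. [192.0.2.25], dsn=2.0.0, stat=Sent
"""

# Constructed Apache access_log excerpt (combined format), same invented hosts.
ACCESS_LOG = """\
192.0.2.40 - - [15/Aug/2008:07:10:02 +0200] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "-" "curl/7.18"
203.0.113.5 - - [15/Aug/2008:09:21:40 +0200] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
198.51.100.77 - - [15/Aug/2008:09:21:55 +0200] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [15/Aug/2008:09:22:30 +0200] "GET /images/logo.gif HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
198.51.100.77 - - [15/Aug/2008:09:25:37 +0200] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

SYSLOG_YEAR = 2008  # assumption: syslog lines carry no year, taken from the thread date

MAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SCRIPT_RE = re.compile(r"/cgi-bin/|\.(?:pl|cgi|php)(?:$|\?)")  # what counts as a script hit


def injections_to(maillog, domain, year=SYSLOG_YEAR):
    """One record per queue ID whose from= line was logged and which delivered
    at least one recipient at `domain`, oldest injection first."""
    envelopes = {}            # qid -> data from the from= line (time, sender, relay)
    hits = defaultdict(list)  # qid -> recipients at the target domain
    for line in maillog.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if rest.startswith("from=<"):
            when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            envelopes[qid] = {"time": when, "queue_id": qid,
                              "sender": re.search(r"from=<([^>]*)>", rest).group(1),
                              "relay": re.search(r"relay=(.*)$", rest).group(1)}
        elif rest.startswith("to=<"):
            rcpt = re.search(r"to=<([^>]+)>", rest).group(1)
            if rcpt.lower().endswith("@" + domain.lower()):
                hits[qid].append(rcpt)
    found = [dict(envelopes[q], recipients=r) for q, r in hits.items() if q in envelopes]
    return sorted(found, key=lambda e: e["time"])


def script_requests(access_log):
    """Parse access_log lines, keeping only requests for CGI-style paths."""
    out = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or not SCRIPT_RE.search(m.group("path")):
            continue
        out.append({"time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"),
                    "ip": m.group("ip"), "method": m.group("method"),
                    "path": m.group("path"), "status": int(m.group("status"))})
    return out


def correlate(maillog, access_log, domain, before=120, after=10):
    """Pair each spam injection with the script requests logged in the window
    [injection - before, injection + after] seconds. Assumes both logs use the
    same local clock (Apache logs its UTC offset, syslog does not)."""
    requests = script_requests(access_log)
    pairs = []
    for inj in injections_to(maillog, domain):
        lo = inj["time"] - timedelta(seconds=before)
        hi = inj["time"] + timedelta(seconds=after)
        pairs.append((inj, [r for r in requests if lo <= r["time"] <= hi]))
    return pairs


def rank_suspects(pairs):
    """Count (client IP, path) across all windows; the pair that precedes every
    injection is the script (and the client) to investigate first."""
    counts = Counter((r["ip"], r["path"]) for _inj, reqs in pairs for r in reqs)
    return counts.most_common()


if __name__ == "__main__":
    pairs = correlate(MAILLOG, ACCESS_LOG, "aol.com")
    first = pairs[0][0]
    print(f"first spam injection: {first['time']} {first['queue_id']} relay={first['relay']}")
    for inj, reqs in pairs:
        for r in reqs:
            print(f"  {inj['queue_id']} <- {r['time']} {r['ip']} {r['method']} {r['path']} {r['status']}")
    for (ip, path), n in rank_suspects(pairs):
        print(f"suspect: {ip} {path} ({n} matches)")
```

On a real box you would read the two files instead of the embedded strings and widen the window if the queue is slow; the injection time comes from the from= line with relay=[127.0.0.1] (the web server talking to local sendmail), not from the later to= lines, which carry the delivery time. A script that shows up in every window, hit from the same client IP with POST, is the one to pull from the web root and read. If nothing matches in access_log at all, Dan's other two cases remain: a script dropped by some other hole and run outside the web server, or a customer account authenticating over SMTP AUTH, which the maillog will show as relay=<their IP> with an authenticated user rather than relay=[127.0.0.1].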