It may not be possible to track 'nobody' spammers by checking the exim_mainlog file: it does not clearly show which account on the server is being used to send spam. If we check php.ini, we can see that the mail service is set to /usr/sbin/sendmail, and almost all mail scripts use PHP's built-in mail() function, i.e. every such mail goes through /usr/sbin/sendmail. We can use that to find these users on our Linux servers.
1. Login to the server as root.
2. Stop the exim service.
[root@server~]#/etc/init.d/exim stop
3. Back up the /usr/sbin/sendmail file. [The server uses Exim as its MTA (Mail Transfer Agent); the sendmail binary is only a compatibility pointer to Exim.]
[root@server~]#mv /usr/sbin/sendmail /usr/sbin/sendmail.imp
4. Now we create a spam monitoring script as the new sendmail.
[root@server~]#vi /usr/sbin/sendmail
Paste the following:
---
#!/usr/local/bin/perl
use strict;
use warnings;
# Env exports the named environment variables as Perl variables; naming them
# explicitly keeps "use strict" happy even when a variable is not set.
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = `date`;
chomp $date;

# Append one line per invocation to the spam log.
open(INFO, ">>/var/log/spammer.log") || die "Failed to open file ::$!";

# Record the user we are running as (the web server user, e.g. nobody).
my $uid  = $>;
my @info = getpwuid($uid);

if ($REMOTE_ADDR) {
    # Called from a CGI: log the client address, script name and virtual host.
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
}
else {
    # Called from PHP mail() or a shell: the working directory reveals the
    # account and script that triggered the mail.
    print INFO "$date - $PWD - @info\n";
}

# Hand the message to the real MTA binary renamed in step 3.
my $mailprog = '/usr/sbin/sendmail.imp';
# List-form open passes the original arguments through unchanged and without
# a shell, so their contents cannot be interpreted as shell commands.
open(MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print MAIL;
}
close(INFO);
close(MAIL);
---
5. Make the new sendmail executable.
[root@server~]#chmod +x /usr/sbin/sendmail
6. Create the new log file that records which web mail scripts are used. The wrapper runs as the web server user (nobody), so the file has to be writable by that user.
[root@server~]#touch /var/log/spammer.log
[root@server~]#chmod 0777 /var/log/spammer.log
7. Start Exim.
[root@server~]#/etc/init.d/exim start
8. Now try any formmail script, or any script that uses the mail() function, and monitor the new log file (/var/log/spammer.log):
[root@server~]#tail -f /var/log/spammer.log
It should give us output like this:
Mon Nov 01 11:00:00 IST 2013 - /home/username/public_html/directory/subdirectory/subsubdirectory - nobody x 99 99 Nobody / /sbin/nologin
9. Log rotation: this file is not configured for rotation, so it may grow large quickly. To rotate it, do the following:
[root@server~]#vi /etc/logrotate.conf
Find >>
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
Add >>
# SPAM LOG rotation
/var/log/spammer.log {
    monthly
    create 0777 root root
    rotate 1
}
10. We can set the immutable attribute on the new sendmail file so it will not get overwritten (for example by a package update); remove it with chattr -i before editing the file.
[root@server~]#chattr +i /usr/sbin/sendmail
Now we can track nobody spam users by monitoring spammer.log ...
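Once the wrapper is in place, the useful question is which directory is responsible for a burst of mail. The following is an added example, not part of the original post: a small POSIX shell helper that summarises spammer.log by calling directory. It assumes the line formats the wrapper writes, "date - cwd - passwd fields" for PHP mail() calls and "date - ip ran script at host" for CGI calls, with a plain " - " separator. The log lines, paths and address in the sample are constructed for the example.

```shell
#!/bin/sh
# Added example: rank the directories that called the sendmail wrapper.

# Constructed sample of /var/log/spammer.log (not real server data).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mon Nov 01 11:00:00 IST 2013 - /home/alice/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 01 11:00:02 IST 2013 - /home/alice/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 01 11:00:05 IST 2013 - /home/bob/public_html/forms - nobody x 99 99 Nobody / /sbin/nologin
Mon Nov 01 11:00:07 IST 2013 - 203.0.113.5 ran /cgi-bin/form.cgi at www.example.com
Mon Nov 01 11:00:09 IST 2013 - /home/alice/public_html/contact - nobody x 99 99 Nobody / /sbin/nologin
EOF

# top_senders LOG: prints "<count> <directory>" per calling directory, busiest first.
# Only the three-field (working-directory) lines are counted; CGI lines, which
# have two fields, are skipped.
top_senders() {
    awk -F' - ' 'NF == 3 { print $2 }' "$1" | sort | uniq -c | sort -rn
}

# over_threshold LOG N: directories that sent at least N messages in the log.
over_threshold() {
    top_senders "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Against the live log as root: over_threshold /var/log/spammer.log 100
top_senders "$SAMPLE_LOG"
echo "--- directories at or above 3 messages:"
over_threshold "$SAMPLE_LOG" 3
```

Because the wrapper logs the working directory rather than just the user, the count points straight at the account and script to inspect, which exim_mainlog alone cannot provide when everything runs as nobody.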