Praji’s Weblog

Catch nobody Spammer

Step 1) 
Log in to your server and su - to root.

Step 2) 
Stop Exim while you do this, so it is not running while /usr/sbin/sendmail is being replaced.
/etc/init.d/exim stop

Step 3)
Back up your original /usr/sbin/sendmail file. On systems using the Exim MTA, the
sendmail file is essentially just a pointer (symlink) to the Exim binary itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4) 
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:

#!/usr/bin/perl
# Wrapper that stands in for /usr/sbin/sendmail: it logs who called it (the
# calling user and working directory, or the CGI remote address and script),
# then hands the arguments and message body to the real MTA entry point that
# was saved as /usr/sbin/sendmail.hidden.
# use strict;
use Env;                        # exports environment variables as globals ($PWD, $REMOTE_ADDR, ...)
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
my $uid = $>;                   # effective uid of the caller (typically "nobody" for web scripts)
my @info = getpwuid($uid);      # passwd entry for that uid
if ($REMOTE_ADDR) {             # set when invoked from a CGI environment
        print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {
        print INFO "$date - $PWD -  @info\n";
}
my $mailprog = '/usr/sbin/sendmail.hidden';
# Pass the original arguments straight through to the real sendmail. The list
# form of open() does not go through a shell, so argument values are never
# re-parsed as shell syntax.
open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while ( <STDIN> ) {             # copy the message body through unchanged
        print MAIL;
}
close (INFO);
close (MAIL);

Step 5)
Make the new sendmail script executable.
chmod +x /usr/sbin/sendmail

Step 6) 
Create a new log file to keep a history of all mail going out of the server
via web scripts. The wrapper runs as whichever user invoked it (usually nobody),
so the log must be writable by that user.
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7) 
Start Exim up again. 
/etc/init.d/exim start
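An added sanity check, not part of the original post, that confirms the wrapper from the steps above is still in place: a regular file (not the symlink to Exim that an MTA upgrade would restore), referencing sendmail.hidden, executable, with an executable sendmail.hidden beside it and a 0777 spam_log. The optional ROOT prefix and the staging-tree helper are assumptions added so it can be run offline; on a live server call check_sendmail_wrapper with no argument.

```shell
#!/bin/sh
# Added check (not part of the original post): verify the sendmail wrapper
# installation. ROOT is an optional prefix so the same function can be run
# against a staging tree; on a live server call it with no argument.
check_sendmail_wrapper() {
    root="${1:-}"
    wrapper="$root/usr/sbin/sendmail"
    hidden="$root/usr/sbin/sendmail.hidden"
    log="$root/var/log/spam_log"
    status=0

    # 1. The wrapper must be a regular file (not the symlink to Exim that an
    #    MTA package upgrade would put back) and must hand off to the hidden binary.
    if [ -L "$wrapper" ] || [ ! -f "$wrapper" ]; then
        echo "FAIL: $wrapper is missing or is a symlink again (wrapper overwritten?)"
        status=1
    elif ! grep -q 'sendmail.hidden' "$wrapper"; then
        echo "FAIL: $wrapper does not reference sendmail.hidden"
        status=1
    fi

    # 2. Both the wrapper and the real MTA entry point must be executable.
    [ -x "$wrapper" ] || { echo "FAIL: $wrapper is not executable"; status=1; }
    [ -x "$hidden" ]  || { echo "FAIL: $hidden is missing or not executable"; status=1; }

    # 3. The wrapper runs as whichever user called it (usually nobody), so the
    #    log must exist and carry the 0777 mode that step 6 sets.
    if [ ! -f "$log" ]; then
        echo "FAIL: $log does not exist"; status=1
    elif [ "$(ls -l "$log" | cut -c2-10)" != "rwxrwxrwx" ]; then
        echo "FAIL: $log is not mode 0777"; status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: sendmail wrapper is in place under '${root:-/}'"
    return "$status"
}

# Constructed staging tree for a stand-alone run (assumption: the live system is
# never touched). The files are minimal stand-ins for the real wrapper and MTA.
make_staging_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/usr/sbin" "$d/var/log"
    printf '#!/usr/bin/perl\n# wrapper stand-in\nmy $mailprog = "/usr/sbin/sendmail.hidden";\n' > "$d/usr/sbin/sendmail"
    printf '#!/bin/sh\ncat >/dev/null\n' > "$d/usr/sbin/sendmail.hidden"
    chmod +x "$d/usr/sbin/sendmail" "$d/usr/sbin/sendmail.hidden"
    : > "$d/var/log/spam_log"
    chmod 0777 "$d/var/log/spam_log"
    echo "$d"
}

STAGING="$(make_staging_tree)"
check_sendmail_wrapper "$STAGING"
```

Run it from cron after package updates; a non-zero exit means the wrapper has been disturbed and the log will silently stop recording senders.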

Step 8) 
Monitor your spam_log file for spam. To confirm logging works, send a message
through any formmail or other script that uses a mail function (a message board,
a contact script) and watch the entry appear:
tail -f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin
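Once the log fills up, the useful question is which directory or CGI script is sending the most mail. The following is an added example, not from the original post, that summarises spam_log by origin using the two line shapes the wrapper writes (working directory for shell callers, remote address for CGI callers). The sample log lines and the threshold helper are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise spam_log by origin.
# Each line the wrapper writes has one of two shapes:
#   <date> - <working directory> -  <passwd entry>      (script run from a shell/cron)
#   <date> - <remote addr> ran <script> at <host>        (CGI invocation)
# Both shapes are taken from the wrapper above; the sample lines below are constructed.

# Print "<count> <origin>" lines, most frequent origin first, for the log in $1.
# $2 limits the output to the top N origins (default 10).
spam_log_top() {
    log="$1"
    limit="${2:-10}"
    # Drop the timestamp up to the first " - " (the date field has no hyphen),
    # then keep only the origin: everything before the next " - " or " ran ".
    sed -e 's/^[^-]* - //' "$log" \
      | sed -e 's/ - .*$//' -e 's/ ran .*$//' \
      | sort | uniq -c | sort -rn \
      | head -n "$limit" \
      | awk '{ c = $1; $1 = ""; sub(/^ +/, ""); print c " " $0 }'
}

# Print only the origins that sent at least $2 messages; suitable for a cron
# job that mails the result to the admin when a threshold is crossed.
spam_log_over() {
    spam_log_top "$1" 1000000 | awk -v n="$2" '$1 + 0 >= n + 0'
}

# Constructed sample log for a stand-alone run; matches the page's sample format.
LOG_SAMPLE="$(mktemp)"
trap 'rm -f "$LOG_SAMPLE"' EXIT
cat > "$LOG_SAMPLE" <<'EOF'
Mon Apr 11 07:12:21 EDT 2005 - /home/bob/public_html/contact -  nobody x 99 99   Nobody / /sbin/nologin
Mon Apr 11 07:12:22 EDT 2005 - /home/bob/public_html/contact -  nobody x 99 99   Nobody / /sbin/nologin
Mon Apr 11 07:12:25 EDT 2005 - /home/bob/public_html/contact -  nobody x 99 99   Nobody / /sbin/nologin
Mon Apr 11 07:13:02 EDT 2005 - 192.0.2.10 ran /cgi-bin/formmail.pl at www.example.com 
Mon Apr 11 07:15:40 EDT 2005 - /home/alice/public_html/forum -  nobody x 99 99   Nobody / /sbin/nologin
EOF

echo "Top senders:"
spam_log_top "$LOG_SAMPLE" 3
echo "Over threshold (>= 2):"
spam_log_over "$LOG_SAMPLE" 2
```

On a live server replace "$LOG_SAMPLE" with /var/log/spam_log; the directory at the top of the list is where to look for the abused form or script.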

Log Rotation Details
Your spam_log file isn't set to be rotated, so it can grow very large
quickly. Keep an eye on it and consider adding it to your logrotate configuration.

pico /etc/logrotate.conf

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    create 0664 root utmp
    rotate 1
}

# SPAM LOG rotation
/var/log/spam_log {
    create 0777 root root
    rotate 1
}

You may also want to chattr +i /usr/sbin/sendmail so it doesn't get


Written by praji

February 3, 2008 at 6:58 am
