Tracking Outbound SPAM

Found on the Mac OS X system admin list

Just wanted to say thanks to Michael Wise for taking time out today
and providing me with a great set of forensic tools and techniques
for locating message queue IDs, and using postcat on the queue to
view actual messages/headers. Now I can start the real investigation.
Haven’t found the offending script yet, but am getting closer.

Notes from my conversation with Michael, for the archives:

* First, find suspicious looking lines in /var/log/mail.log

* Look for the smtp ID, such as: postfix/smtp[25897]

* Grep for other instances of that ID in the log: grep 25897 mail.log

* From there, you’ll be able to see postfix queue IDs, such as 159A347C89C

* You can use this queue ID to find deferred messages in the postfix queue

* cd /var/spool/postfix/

* Find where in the queue directory hierarchy this message lives: find . -name 159A347C89C

* The messages are stored in a format not easily readable. To make them readable, use the postcat command, e.g. postcat deferred/E/E9B8F4F0E7C

* Now you can see the real message, with all of its headers, which should give you a lot more info about its origins. You can see whether it came from outside, or if it comes from a process ID, there should be some indication. If the user is www, you know it’s coming from a web script.

* To delete a message from the queue, use e.g.: postsuper -d E9B8F4F0E7C. Do not use the path with this command; just the queue ID.

Other tools:

Monitor incoming network connections, filtering out legit traffic on
port 80:

netstat -na | grep EST
netstat -na | grep EST | grep -v '.80 '
netstat -na | grep EST | grep '.25 '

To find files or dirs owned by www (that might be illegitimate):

find / -user www -ls

In case attacker named directories with spaces or other weird chars
in them:

find / -user www -ls | cat -vet -

(take your cat to the vet – it’s sick)

Thanks also to others who responded on this.

Best,
Scot


Scot Hacker, Webmaster
Graduate School of Journalism
UC Berkeley
http://journalism.berkeley.edu
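The log-to-queue walk from the notes above, scripted as an added example (not from the original post or from Michael's notes). The mail.log lines, hosts, addresses, queue IDs and spool directory are all constructed; the only real conventions relied on are postfix's `daemon[pid]: QUEUEID:` log format and its hashing of queue files by the first character of the ID.

```shell
#!/bin/sh
# Constructed mail.log excerpt (hypothetical hosts, addresses and queue IDs).
MAILLOG=$(mktemp)
cat > "$MAILLOG" <<'EOF'
Mar  3 10:11:58 mail postfix/pickup[25880]: 159A347C89C: uid=70 from=<www>
Mar  3 10:11:58 mail postfix/cleanup[25881]: 159A347C89C: message-id=<20090303101158.159A347C89C@mail.example.com>
Mar  3 10:11:58 mail postfix/qmgr[25882]: 159A347C89C: from=<www@mail.example.com>, size=1234, nrcpt=1 (queue active)
Mar  3 10:12:01 mail postfix/smtp[25897]: 159A347C89C: to=<victim@example.net>, relay=none, delay=3, status=deferred (connect to mx.example.net[192.0.2.10]:25: Connection refused)
Mar  3 10:12:05 mail postfix/smtp[25897]: 2B7C847C8A1: to=<other@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=2, status=sent (250 OK)
Mar  3 10:13:00 mail postfix/smtp[25898]: 3C9D947C8B2: to=<staff@example.com>, relay=mx.example.com[203.0.113.7]:25, delay=1, status=sent (250 OK)
EOF
# Constructed spool layout: postfix hashes queue files by the first character of the ID.
SPOOL=$(mktemp -d)
mkdir -p "$SPOOL/deferred/1" && : > "$SPOOL/deferred/1/159A347C89C"

# Queue IDs handled by one postfix process. Anchoring on "postfix/<daemon>[<pid>]: "
# avoids the false hits a bare "grep 25897" gets from sizes, delays or message-ids.
queue_ids_for_pid() {  # $1 = log file, $2 = pid
    grep -E "postfix/[a-z]+\[$2\]: [0-9A-F]+:" "$1" \
        | sed -E "s|.*postfix/[a-z]+\[$2\]: ([0-9A-F]+):.*|\1|" | sort -u
}

# Every log line for a queue ID, across pickup, cleanup, qmgr and smtp.
queue_trail() {  # $1 = log file, $2 = queue id
    grep -E "postfix/[a-z]+\[[0-9]+\]: $2:" "$1"
}

# Submitting uid that postfix/pickup logs for locally injected mail
# (uid 70 is the www user on Mac OS X, i.e. a web script). Empty for inbound mail.
queue_submit_uid() {  # $1 = log file, $2 = queue id
    queue_trail "$1" "$2" \
        | sed -nE 's|.*postfix/pickup\[[0-9]+\]: [0-9A-F]+: uid=([0-9]+).*|\1|p'
}

# Path of the queue file: this is what postcat reads; postsuper -d wants only the ID.
queue_file() {  # $1 = spool dir, $2 = queue id
    find "$1" -type f -name "$2" | head -n 1
}

for qid in $(queue_ids_for_pid "$MAILLOG" 25897); do
    echo "== $qid (submitting uid: $(queue_submit_uid "$MAILLOG" "$qid")) =="
    queue_trail "$MAILLOG" "$qid"
    f=$(queue_file "$SPOOL" "$qid")
    if [ -n "$f" ]; then
        echo "still queued at $f; read it with: postcat \"$f\""
    fi
done
```

On a real box point MAILLOG at /var/log/mail.log and SPOOL at /var/spool/postfix; the pickup line is the quick tell for a web script, and the postcat'd headers give the rest.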