Often hackers will use a compromised website to send large amounts of spam email. On a shared server with many websites, it can be hard to tell which site and script is sending the spam. Here’s a procedure for Qmail that will (a) add a header with the script path and (b) create a log file of senders.
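1. Create a file at /var/qmail/bin/sendmail-wrapper with the following contents:

```
#!/bin/sh
# Prepend a header with the calling script's working directory, append a
# copy of the message to the log, then hand it to the real sendmail binary.
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"
```
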
2. Set permissions on the wrapper:

```
chmod 755 /var/qmail/bin/sendmail-wrapper
```

3. Move the sendmail binary:

```
# mv rather than cp, so the original path is free for the symlink in step 4
mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
```

4. Symlink the wrapper into place:

```
ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail
```

The log file will be created at /var/tmp/mail.send.
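
Once the wrapper has been logging for a while, the log can be summarised per directory to see which site is sending the most mail. The script below is an added example, not part of the original procedure; the function names are hypothetical and the sample log, with its paths and addresses, is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): summarise the wrapper log.
# The wrapper writes "X-Additional-Header: <dir>" as the first line of every
# message it logs, so counting those lines per directory counts messages.
# Limitation: the log has no message separators, so a body line that starts
# with the same header text is counted too.

# top_senders [LOGFILE] - print "<count> <directory>", busiest first.
# Reads standard input when no file is given.
top_senders() {
    awk '
        /^X-Additional-Header: / {
            # Keep everything after the header name, so paths with spaces survive
            dir = substr($0, length("X-Additional-Header: ") + 1)
            count[dir]++
        }
        END { for (d in count) printf "%d %s\n", count[d], d }
    ' "$@" | sort -k1,1nr -k2
}

# sample_log - constructed log excerpt (paths and addresses are made up).
sample_log() {
    cat <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: a@example.net
Subject: constructed 1

body
X-Additional-Header: /var/www/vhosts/example.org/httpdocs
To: b@example.net
Subject: constructed 2

body
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: c@example.net
Subject: constructed 3

body
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: d@example.net
Subject: constructed 4

body
EOF
}

# Demo on the constructed sample; on a server: top_senders /var/tmp/mail.send
sample_log | top_senders
```

A directory that dominates the output, especially an uploads or cache directory that should not be sending mail at all, is the place to start looking for the offending script.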