ExpressionEngine CMS
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Does anyone here know something about sendmail?

September 04, 2007 8:25pm

  • #1 / Sep 04, 2007 8:25pm

    silenz

    1651 posts

    We’re having issues with a client’s server at the moment and are trying to identify the causes. The hosting provider has not been really helpful as of now.

    One problem turned out to be a botnet spamming an old pMachine installation with about 8000 trackbacks per day over a period of 3 weeks and counting. The pingserver.php has been deleted but the requests keep on coming in, although they get a 404 now.

    We have no root access and cannot access mail- or system logs. We only can get ps-snapshots via the web-interface. That way we cannot get a continuous picture but there seems to be a lot of sendmail activity going on and all those domains that show up there are really unrelated to the server’s business.

    Personally I know nothing about sendmail, just that on another server we have root access to, we don’t see anything comparable.

    Has anyone got an idea whether stuff like that is normal or somehow fishy?

    root     31815  0.0  0.6  7000 3332 ?        S    Sep04   0:00 sendmail: ./l7VG2mtY010078 mail.ip.com.ru.: user open 
    root       952  0.0  0.6  6844 3116 ?        S    00:28   0:00 sendmail: server 189-18-202-204.dsl.telesp.net.br [189.18.202.204] cmd read 
    root       643  0.0  0.5  6568 3004 ?        S    00:17   0:00 sendmail: server 201-93-205-117.dsl.telesp.net.br [201.93.205.117] cmd read 
    root     31815  0.0  0.6  7000 3332 ?        S    Sep04   0:00 sendmail: ./l7VG2mtY010078 mail.ip.com.ru.: user open 
    root     31815  0.0  0.6  7000 3332 ?        S    Sep04   0:00 sendmail: ./l7VG82uZ010380 resalehost.networksolutions.com.: user open 
    root       643  0.0  0.5  6568 3004 ?        S    00:17   0:00 sendmail: server 201-93-205-117.dsl.telesp.net.br [201.93.205.117] cmd read 
    root     31815  0.0  0.6  6992 3332 ?        S    Sep04   0:00 sendmail: ./l7V1opZl017525 gkkg.com.: user open 
    root      1445  0.0  0.6  6868 3220 ?        S    00:42   0:00 sendmail: ./l822bkHh004039 intrepid.cnchost.com.: client RCPT 
    root      1445  0.0  0.6  6868 3224 ?        S    00:42   0:00 sendmail: ./l81M4Oa7029470 embarqhsd.net.: user open 
    root      1957  0.0  0.6  6292 3152 ?        S    01:01   0:00 sendmail: server p1195-ipad10aobadori.miyagi.ocn.ne.jp [60.38.20.195] cmd read
    root      1445  0.0  0.6  6868 3292 ?        S    00:42   0:00 sendmail: ./l8196fkj006077 barnhallrfc.com.: user open 
    root      1445  0.0  0.6  7000 3300 ?        S    00:42   0:00 sendmail: ./l7VBBr10001212 park.funnel.revenuedirect.com.akadns.net.: user open
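
    One way to triage ps snapshots like the ones above, as an added example that is not part of this thread: a small Python script that splits the sendmail entries into inbound SMTP sessions ("server <host> [<ip>] cmd read") and outbound queue deliveries ("./<queue id> <host>.: <state>"), deduplicates them across repeated snapshots, and flags inbound peers whose hostname looks like a dynamic DSL or dial-up pool. The DYNAMIC_HINTS list is a heuristic assumption, not something stated in the thread.

```python
import re

# Constructed sample: six `ps aux` lines in the shape of the snapshot above
# (a copied subset, not the poster's complete data).
PS_SNAPSHOT = """\
root     31815  0.0  0.6  7000 3332 ?        S    Sep04   0:00 sendmail: ./l7VG2mtY010078 mail.ip.com.ru.: user open
root       952  0.0  0.6  6844 3116 ?        S    00:28   0:00 sendmail: server 189-18-202-204.dsl.telesp.net.br [189.18.202.204] cmd read
root       643  0.0  0.5  6568 3004 ?        S    00:17   0:00 sendmail: server 201-93-205-117.dsl.telesp.net.br [201.93.205.117] cmd read
root     31815  0.0  0.6  7000 3332 ?        S    Sep04   0:00 sendmail: ./l7VG2mtY010078 mail.ip.com.ru.: user open
root      1445  0.0  0.6  6868 3220 ?        S    00:42   0:00 sendmail: ./l822bkHh004039 intrepid.cnchost.com.: client RCPT
root      1957  0.0  0.6  6292 3152 ?        S    01:01   0:00 sendmail: server p1195-ipad10aobadori.miyagi.ocn.ne.jp [60.38.20.195] cmd read
"""

# Inbound SMTP session handled by a sendmail daemon child.
INBOUND = re.compile(r"^sendmail: server (?P<host>\S+) \[(?P<ip>[\d.]+)\] (?P<state>.+)$")
# Outbound delivery of a queued message: "./<queue id> <destination>.: <state>".
OUTBOUND = re.compile(r"^sendmail: \./(?P<qid>\S+) (?P<host>\S+?)\.?: (?P<state>.+)$")
# Heuristic (assumption): hostname fragments typical of dynamic/residential
# address pools; a legitimate mail relay rarely connects from one.
DYNAMIC_HINTS = ("dsl", "dial", "dyn", "ppp", "cable", "pool")


def parse_ps_line(line):
    """Return (pid, command) for one `ps aux` line, or None if malformed."""
    fields = line.split(None, 10)
    if len(fields) < 11:
        return None
    return int(fields[1]), fields[10].strip()


def summarize(ps_text):
    """Separate inbound SMTP sessions from outbound queue deliveries and
    flag inbound peers whose hostname looks like a dynamic-address pool."""
    inbound = {}   # remote ip -> hostname, deduplicated across snapshots
    outbound = {}  # queue id -> destination host, deduplicated likewise
    for line in ps_text.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None or not parsed[1].startswith("sendmail:"):
            continue
        cmd = parsed[1]
        m = INBOUND.match(cmd)
        if m:
            inbound[m.group("ip")] = m.group("host")
            continue
        m = OUTBOUND.match(cmd)
        if m:
            outbound[m.group("qid")] = m.group("host")
    suspicious = sorted(ip for ip, host in inbound.items()
                        if any(h in host.lower() for h in DYNAMIC_HINTS))
    return {"inbound": inbound, "outbound": outbound, "suspicious_inbound": suspicious}
```

    Feed several snapshots concatenated into summarize() and the queue-id keys show whether the same deliveries are still pending between captures; a growing outbound set with an inbound set dominated by flagged peers is the pattern worth raising with the host.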
  • #2 / Sep 04, 2007 10:26pm

    Nevin Lyne

    370 posts

    Without access to the sendmail logs it's going to be pretty hard to even begin to picture where it's coming from.  Have you made sure that the old pMachine install, your EE site, or any other scripts are not seeing things like comment spam?  If you get, say, even a couple of hundred comment spams, each time a new one is posted your site will now generate a couple of hundred comment notifications to the fake email addresses on all of the existing comments.  This compounds, and is only going to get worse.

    Make sure you have captchas in use on all commenting; you can even put this into place on the old pMachine Pro install if you upgrade to 2.4.  Though if you are not using the old pMachine install I would suggest simply moving it off into a hard-to-guess directory, or remove it if you are not actively using it any more.

    Other than that, again it's going to be hard to troubleshoot fully without seeing the error logs or directly looking at the backlog of email messages in the sendmail queue directories.

    It would be in the best interest of your hosting provider to assist as well.

    I wish you the best of luck.

  • #3 / Sep 05, 2007 5:50am

    silenz

    1651 posts

    There’s neither comment spam, nor comments at all. pMachine was rather used as a CMS on that site, not as a blogging tool. Comments are not enabled on that site, neither were trackbacks.

    Except for the pingserver.php requests every second I couldn’t locate any obvious unusual activity in the httpd logs. We will have to see. The provider promised (3 weeks ago) to thoroughly check anything that’s going on on the box. They didn’t even realize the trackback spamming on a site that normally had about 100 visits weekly during the months before. Their conclusion was just that the (dedicated) server was too small. I think we’ll have to see…
