I spent way too much time trying to track down this eBay phisher. Instead of exploiting someone’s Formmail.pl they apparently purchased a fraudulent account, and uploaded a PHP script that pulls a bunch of addresses from a database and spams them all. So, qmail logs the messages as coming from Apache, whereas Formmail.pl would have been wrapped through suexec. And since one invocation can send thousands of messages, there’s no suspicious log activity.

Fortunately, the contents of the spam message were stored in the PHP script. I finally ran a find-pipe-grep on our vhosts directory for ‘ebay.com’ and shut the slimy bastard sonuvabitch down. The HTTP requests to trigger the script came from Egypt at like 4AM local time.
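A sketch of that kind of find-pipe-grep sweep, as an added example rather than the command actually run in this post: it narrows the hits to PHP files that both contain a marker string from the reported spam and call `mail()`, so ordinary pages that merely link to the site are skipped. The function names, file extensions and sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: sweep a shared-hosting vhosts tree for PHP mailer scripts.

# find_mailer_scripts ROOT MARKER
# Prints every PHP-like file under ROOT that contains MARKER (fixed string,
# case-insensitive) AND calls mail(). One path per line.
find_mailer_scripts() {
    root=$1
    marker=$2
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) -print |
    while IFS= read -r f; do
        # Match mail( but not identifiers that merely end in "mail".
        if grep -qiF -e "$marker" "$f" &&
           grep -qE '(^|[^A-Za-z0-9_])mail[[:space:]]*\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_vhosts: builds a small CONSTRUCTED tree for trying the sweep
# offline and prints its path. Nothing here comes from a real server.
make_sample_vhosts() {
    d=$(mktemp -d)
    mkdir -p "$d/site-a/htdocs" "$d/site-b/htdocs"
    cat > "$d/site-a/htdocs/news.php" <<'EOF'
<?php
$body = "constructed sample body mentioning eBay.com";
foreach ($rows as $r) { mail($r['addr'], "notice", $body); }
EOF
    cat > "$d/site-b/htdocs/contact.php" <<'EOF'
<?php mail("owner@example.org", "Contact form", $_POST['msg']);
EOF
    cat > "$d/site-b/htdocs/links.php" <<'EOF'
<?php echo '<a href="http://www.ebay.com/">my auctions</a>';
EOF
    printf '%s\n' "$d"
}

# Usage: sh sweep.sh /path/to/vhosts [marker]
if [ -n "${1:-}" ]; then
    find_mailer_scripts "$1" "${2:-ebay.com}"
fi
```

On the sample tree only `site-a/htdocs/news.php` is reported: the contact form calls `mail()` without the marker, and the links page has the marker without `mail()`.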

Grr! Let’s waste my morning on nonsense.

Then we got another spam complaint for another shared hosting server, but after some basic checking, I wrote them back indicating that the header was forged, and they wanted to instead contact a cable company in Japan.

Time to take a walk, unwind, get some real work done, perhaps.

