Hi!
I have a server with a couple of sites on it.
Some of them have a webform where people can send them emails that they are interested in their work etc., though the "To:" and "From:" address can't be changed by the end user, you can only enter text and press send.
However it seems that someone (not on the server) has found a hole/exploit to use those webforms to send mails to whoever he wants.
I have the webserver setup with ssmtp (simple smtp) and it just forwards the mail sent from the server to my mail-server and there on it sends it out on the internet.
If I check my log on the mail-server I can see the whole smtp session, where it's coming from and where it's going etc.
I see that it comes from my webserver and over there I only have these log entries:
Oct 6 22:04:47 ettan2 sSMTP[1771]: Sent mail for itaumail@itau.com.br (221 2.0.0 Bye) uid=204 username=torget outbytes=3290
There are loads of those log entries, mostly after office hours between 17:00 and 7:00.
I have scanned through all the Apache logs and can't find anything that points to the e-mail addresses used or something like that.
The reason I found this out was because he tries to send to a host that doesn't allow connections on port 25, so all the mails got stuck in the queue, over 1000 atm.
I'm using Apache 2.2 and Postfix 2.6 on a Debian Lenny install.
What can I do to find out how he's doing this and close the "exploit"?
How would you recommend to set up the mail() thing in PHP for most security?
Thanks,
-Patric
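One way to set up mail() for a fixed-recipient contact form, added here as an example and not Patric's own code: every value that ends up in header space is rejected if it contains CR/LF (a common way a form with fixed "To:"/"From:" gets turned into a relay for other recipients), the reply address is validated as a single address, and each send is logged with the client IP so it can be matched against the ssmtp/Postfix log. The recipient, sender, form field names and log path are assumptions.

```php
<?php
// Added example of a hardened contact-form handler; not the poster's code.
// MAIL_TO, MAIL_FROM, LOG_FILE and the $_POST field names are assumptions.
declare(strict_types=1);

const MAIL_TO   = 'owner@example.com';          // fixed recipient (assumed)
const MAIL_FROM = 'webform@example.com';        // fixed sender (assumed)
const LOG_FILE  = '/var/log/webform-mail.log';  // assumed path, writable by Apache

/** Returns the trimmed value, or null if it could break out of a header line. */
function safe_header_value(string $value, int $max = 200): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $max) {
        return null;
    }
    // A CR, LF or NUL (raw or URL-encoded) in a field that is placed into a
    // header lets the sender append extra headers such as Bcc:, so reject it.
    if (preg_match('/[\r\n\0]|%0[AaDd]/', $value)) {
        return null;
    }
    return $value;
}

/** Validates the form, sends with fixed To/From, logs the attempt. */
function handle_contact_form(array $post, string $remoteAddr): bool
{
    $name    = safe_header_value($post['name'] ?? '');
    $replyTo = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    $subject = safe_header_value($post['subject'] ?? '');
    $body    = str_replace("\0", '', $post['message'] ?? '');

    if ($name === null || $replyTo === false || $subject === null || $body === '') {
        error_log("webform: rejected submission from $remoteAddr");
        return false;
    }
    // The body may contain newlines; wrap it so no line exceeds SMTP limits.
    $body = wordwrap($body, 78, "\r\n", true);

    // Only fixed headers plus the validated reply address reach mail().
    $headers = 'From: ' . MAIL_FROM . "\r\n"
             . 'Reply-To: ' . $replyTo . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    $ok = mail(MAIL_TO, $subject, "Name: $name\r\n\r\n$body", $headers, '-f' . MAIL_FROM);
    // Log every send with the client address so MTA entries can be correlated.
    file_put_contents(LOG_FILE, sprintf("%s %s %s reply-to=%s\n", date('c'),
        $remoteAddr, $ok ? 'sent' : 'failed', $replyTo), FILE_APPEND);
    return $ok;
}

echo handle_contact_form($_POST, $_SERVER['REMOTE_ADDR'] ?? '-') ? 'Sent' : 'Rejected';
```

With the log in place, a burst of "sent" lines from one address outside office hours stands out immediately, and the timestamps line up with the sSMTP entries on the web server.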