Re: How to determine which PHP-script allows spamming?

I would write simple perl wrapper around /usr/sbin/sendmail. It should distinguish between calling scripts and count speed of calls. If the script overwhelms certain threshold - put the letter at some spool for further analysis.

Rainer Duffner wrote:

I have a big problem. Some customer probably got installed a PHP-script that allows to send-out mails with no trace to the original domain it belongs to (we had this before, were pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).

The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful.
I'm currently grep'ing the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.

What options do I have?
Can Snort detect this?

(The webserver uses qmail as MTA)