About a week ago, I got this email from my hosting provider (The Planet):
We have received reports of spam originating from this server. Please investigate, address the issue, and update this ticket with your action(s).
Due to the nature of this issue, failure to resolve the issue and update this ticket within 48 hours may result in service interruption for the server.
So, I immediately emailed Apokalyptik, my trusty server admin.
Apokalyptik quickly started poking around the server, and determined that the problem was most likely the exploit of a mail script that was accessible via Apache. So I told him that it was likely PHPNuke or MovableType, as those are really the only pieces of installed software on the box that include mail scripts. The MovableType install on this box is MT 2.64, and I’ve never seen any warnings or messages about MT being too easily hacked as a spam server, but the PHPNuke installs (englers.org and bellvillehighschool.com) on the box are pretty old (likely version 6.0 or so) and PHPNuke is known for its vulnerability to hacks.
After a little more digging in my apache logfiles, I determined that the spammer was indeed hacking into the PHPNuke module that allows WebMail access to the server somehow, so I renamed those files, restarted Apache and QMail and sure enough, the spam is gone.
The bad news: My box was acting like a spam-relay for a few days, maybe even a week there. Load on the machine was consistently high, and in general, the box was pretty sluggish.
The good news: The problem is solved for now, and I’ll be migrating those PHPNuke sites to MovableType soon. And once again, Apokalyptik comes through as a savior of the server for me.