Form email injection. Questions and assistance.
Hi there, I have a server on which someone seems to be running an insecure PHP form email.
Here's the situation. The spammer seems to hit the form only once or twice and inject a few thousand emails before being on their merry way. This is making it exceptionally difficult to locate which domain and file is affected. Although I have timeframes in which to search access logs, I can't seem to find the culprit.
So question 1)
Can someone suggest a technique for isolating the point of entry for these bastards?
Question 2)
Currently, every time I start up the mailserver a few thousand more are injected into the queue. Faster than I can kill them. I suspect that they're just waiting somewhere via PHP. Can someone point me at where these might be lurking?
Question 3)
mod_security looks like the solution to unclued users and insecure PHP mailers. Does anyone have experience using it? Would you mind detailing it?
Thanks,
Iggy