Spamware dissected

This is an amazing technical dissection of a piece of spamware that was implanted on a savvy user's webserver, a hunk of code that cleverly turned the machine into a piece of a distributed spamming cluster.

After the identification, the client sends the report command, followed by a list of exactly 1000 items. Each item is composed of the e-mail identification number (as shown above) and two other arguments: the first is an error code that indicates whether the e-mail has been sent (for instance, 6 means 'Timeout connecting to host', 11 means that the e-mail has been sent, 9 means 'Timeout reading from socket', …), which will be clearly shown in the next paragraphs; the third one I haven't identified yet, but it could be a flag to know whether the e-mail address has been treated. It seems that this is the report for telling which e-mail addresses are valid. Just to be sure, I executed the daemon with its configuration file slightly modified, changing the /dev/null entries to real files so I could watch its logs. As seen in the daemon's configuration file, there are three different logs: logfile, speedlog and out. The last one (out) is always empty, but the other two contain interesting things; following is the speedlog file:

Link

(via /.)