This weekend I came across a rather new method to send spam e-mails, at least new to me so far.
A shared hosting FTP account was abused (the password was probably obtained through a trojan) to send spam e-mails. That in itself is nothing surprisingly new, but the speed with which the script was uploaded and executed is definitely worth mentioning.
In the FTP logs I found the following entries:
Sat Sep 01 01:12:49 2012 0 126.96.36.199 408 /var/www/someweb/html/chk_mailto.php a _ i r someweb ftp 0 * c
Sat Sep 01 01:12:49 2012 0 188.8.131.52 408 /var/www/someweb/html/chk_mailto.php a _ d r someweb ftp 0 * c
Note that the file chk_mailto.php was uploaded AND deleted within the same second!
But before the file was deleted, it was executed through a browser request:
184.108.40.206 - - [01/Sep/2012:01:12:49 +0200] "GET /chk_mailto.php HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
Because the script exists for such a short time, it is nearly impossible to find it. Additionally, only a few spam mails are sent out (or they are sent through open relay servers), which makes it difficult to trace in the mail logs as well.
Update September 4th 2012:
Each time such an uploaded file was executed in a browser, a new process called 'perl' was started on the server, which created SMTP connections to foreign webservers and continued to run in the background.
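Added example, not part of the original post: since the script itself is gone within a second, the upload/delete pair in the FTP transfer log is the trace that remains, and it can be correlated with the web access log. The sample lines are constructed (documentation IP addresses), and the `DOCROOT` mapping, the 5-second window and the function names are assumptions. Both logs are assumed to be written in server local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the same formats as the entries above.
XFERLOG = """\
Sat Sep 01 01:12:49 2012 0 192.0.2.10 408 /var/www/someweb/html/chk_mailto.php a _ i r someweb ftp 0 * c
Sat Sep 01 01:12:49 2012 0 192.0.2.11 408 /var/www/someweb/html/chk_mailto.php a _ d r someweb ftp 0 * c
Sat Sep 01 09:30:00 2012 1 198.51.100.7 5120 /var/www/someweb/html/index.php a _ i r someweb ftp 0 * c
"""
ACCESS_LOG = """\
192.0.2.12 - - [01/Sep/2012:01:12:49 +0200] "GET /chk_mailto.php HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [01/Sep/2012:09:31:10 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
DOCROOT = "/var/www/someweb/html"  # assumption: document root of the vhost
ACCESS_RE = re.compile(r'\[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')

def parse_xferlog(text):
    """Yield (timestamp, direction, path); direction is i=upload, d=delete."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        # Nine fixed fields follow the filename, so count from the right
        # to tolerate spaces inside the path.
        yield ts, f[-7], " ".join(f[8:-9])

def find_drop_and_run(xferlog, access_log, window=timedelta(seconds=5)):
    """Return (path, uploaded, deleted, hits) for files uploaded and deleted
    within `window`, with the number of web requests made in between."""
    hits = []
    for m in ACCESS_RE.finditer(access_log):
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts.replace(tzinfo=None), m.group(2).split("?")[0]))
    uploads, findings = {}, []
    for ts, direction, path in parse_xferlog(xferlog):
        if direction == "i":
            uploads[path] = ts
        elif direction == "d" and path in uploads and ts - uploads[path] <= window:
            up = uploads.pop(path)
            url = path[len(DOCROOT):] if path.startswith(DOCROOT) else path
            ran = [h for h, u in hits if u == url and up <= h <= ts]
            findings.append((path, up, ts, len(ran)))
    return findings

if __name__ == "__main__":
    for path, up, gone, n in find_drop_and_run(XFERLOG, ACCESS_LOG):
        print(f"{path}: uploaded {up}, deleted {gone}, {n} request(s) in between")
```

A finding with at least one request in between is a strong reason to change the FTP password and to look for leftover background processes such as the 'perl' process described in the update.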