Uwe Dippel:
> (I know this is a bit off postfix, but not completely)
>
> I'm running postfix as MTA on a machine with several CMS. Recently,
> there is a huge number of spam being sent from there, alas. When I scan
> the logs, all those come from 'root', meaning they don't come through
> port 25. I run OpenBSD with mini-sendmail, and now I wonder how I could
> find out from which CMS they are sent. Is there any chance to find out
> from postfix? I am afraid, not? If not, what else could I do?
Postfix tells you all it knows: the UID of the process that posts the
mail. Postfix does not run "ps" to get the parent process name.

However, you can wrap up the postdrop program in a script that logs
some extra information.

# ln /usr/sbin/postdrop /usr/sbin/postdrop.real
# cat >/usr/sbin/postdrop.new <<'EOF'
#!/bin/sh
# Log a snapshot of the process table, then run the real postdrop.
PATH=/bin:/usr/bin
ps axl | /usr/bin/logger -t postdrop -p mail.info
/usr/sbin/postdrop.real "$@"
EOF
# chmod +x /usr/sbin/postdrop.new
# mv /usr/sbin/postdrop.new /usr/sbin/postdrop

This will log "ps axl" which gives you the PPID of the postdrop
process. This is the PID of the Postfix sendmail command; use the
sendmail PPID to find the process that invokes the Postfix sendmail
command; and so on. If there is no such process then you have been
rootkitted.

	Wietse
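The "and so on" step above (walking PPID links from the postdrop wrapper up to the program that invoked sendmail) is easy to automate once the logged snapshot is in hand. The following is an added example, not code from the post or from Postfix: it parses a constructed "ps axl" snapshot, looks for the wrapper path /usr/sbin/postdrop from the post, and reports the first ancestor that is neither postdrop nor sendmail, returning None when a parent is missing from the table (the "no such process" case).

```python
# Constructed sample of the "ps axl" snapshot that the postdrop wrapper logs
# (BSD column layout; UIDs, PIDs and paths are made up for illustration).
SAMPLE_PS_AXL = """\
  UID   PID  PPID CPU PRI NI   VSZ  RSS WCHAN  STAT TT       TIME COMMAND
    0     1     0   0  10  0   500  400 wait   Is   ??    0:01.00 /sbin/init
   67   812     1   0  10  0  9800 5300 select Is   ??    0:02.10 /usr/sbin/httpd
   67  4410   812   0  10  0 14200 9800 select I    ??    0:00.30 /usr/sbin/httpd
   67  4422  4410   0  10  0  2400 1200 pipe   S    ??    0:00.02 /usr/local/bin/php /var/www/cms2/mailer.php
   67  4423  4422   0  10  0  2100 1000 pipe   S    ??    0:00.01 /usr/sbin/sendmail -t -i
   67  4424  4423   0  10  0  1900  900 pipe   S    ??    0:00.01 /bin/sh /usr/sbin/postdrop -r
   67  4426  4424   0  10  0  1700  700 pipe   S    ??    0:00.00 /usr/bin/logger -t postdrop -p mail.info
"""

def parse_ps_axl(text):
    """Return {pid: (uid, ppid, command)} from a BSD 'ps axl' snapshot."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 12)  # 12 fixed columns; COMMAND keeps its spaces
        if len(parts) < 13 or not parts[1].isdigit():
            continue  # header line or truncated row
        procs[int(parts[1])] = (int(parts[0]), int(parts[2]), parts[12])
    return procs

def ancestry(procs, pid):
    """Follow PPID links upward. Returns ([(pid, command), ...], complete);
    complete is False when a parent is absent from the snapshot."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid][2]))
        pid = procs[pid][1]
    return chain, pid == 0

def is_submission(cmd):
    """True for the mail-submission layers we want to look past."""
    return "sendmail" in cmd or "/postdrop" in cmd

def origin_of(procs, wrapper_pid):
    """(pid, command) of the first non-submission ancestor, or None if broken."""
    chain, complete = ancestry(procs, wrapper_pid)
    if not complete:
        return None
    return next(((p, c) for p, c in chain if not is_submission(c)), None)

def postdrop_wrappers(procs):
    """PIDs of running postdrop wrappers (logger's '-t postdrop' is not one)."""
    return sorted(p for p, (_, _, cmd) in procs.items() if "/postdrop" in cmd)
```

Feed it the "ps axl" lines extracted from one logger entry in the mail log; with several CMS on the box, the reported command line (here a PHP script under a specific document root) is what distinguishes them.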