Wietse Venema:
> Uwe Dippel:
> > (I know this is a bit off postfix, but not completely)
> >
> > I'm running postfix as MTA on a machine with several CMS. Recently,
> > there is a huge number of spam being sent from there, alas. When I scan
> > the logs, all those come from 'root', meaning they don't come through
> > port 25. I run OpenBSD with mini-sendmail, and now I wonder how I could
> > find out from which CMS they are sent. Is there any chance to find out
> > from postfix? I am afraid, not? If not, what else could I do?
>
> Postfix tells you all it knows: the UID of the process that posts
> the mail. Postfix does not run "ps" to get the parent process name.
>
> However, you can wrap up the postdrop program in a script that
> logs some extra information.
Corrected version: the original had the wrong filename in the
last two commands.
Wietse
# cd /usr/sbin
# ln /usr/sbin/postdrop /usr/sbin/postdrop.real
# cat >postdrop.new <<'EOF'
#!/bin/sh
# Wrapper around the real (set-gid) postdrop: log the whole process
# listing so the caller's PID/PPID chain lands in the mail log, then
# hand over to the real program with the original arguments.
PATH=/bin:/usr/bin
ps axl | /usr/bin/logger -t postdrop -p mail.info
exec /usr/sbin/postdrop.real "$@"
EOF
# chmod +x postdrop.new
# mv postdrop.new postdrop
> This will log "ps axl" which gives you the PPID of the postdrop
> process. This is the PID of the Postfix sendmail command; use the
> sendmail PPID to find the process that invokes the Postfix sendmail
> command; and so on. If there is no such process then you have been
> rootkitted.
>
> Wietse
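As an added example that is not part of the thread, the PPID walk Wietse describes, done over a saved "ps axl" listing instead of by hand. The listing below is constructed, not a real capture; the function reads column positions from the header line, so it goes slightly beyond the OpenBSD case and also accepts Linux "ps axl" output.

```shell
#!/bin/sh
# Constructed "ps axl" listing (not a real capture) in OpenBSD column
# order; the chain is postdrop <- sendmail <- php-cgi <- httpd <- init.
SAMPLE_PS='  UID   PID  PPID CPU PRI NI   VSZ   RSS WCHAN   STAT  TT       TIME COMMAND
    0     1     0   0  10  0   512   300 wait    Is    ??    0:01.00 /sbin/init
    0   412     1   0  10  0  4096  2048 select  Ss    ??    0:00.50 /usr/sbin/httpd
   67   503   412   0  10  0  4200  2100 select  I     ??    0:00.10 /usr/sbin/httpd
   67   781   503   0  10  0  8192  4096 wait    S     ??    0:00.05 php-cgi /var/www/cms/cron.php
   67   782   781   0  10  0  1024   512 wait    S     ??    0:00.00 /usr/sbin/sendmail -t -i
   67   783   782   0  10  0  1024   512 -       R     ??    0:00.00 /usr/sbin/postdrop -r'

# ancestry PID  <listing
# Walk the PPID chain of PID through a ps listing read on stdin and print
# one "PID UID COMMAND" line per ancestor, innermost first.  Columns are
# located by name in the header line, so BSD and Linux "ps axl" both work.
# Exit status 1 if a parent is missing from the listing (a broken chain,
# which is the case Wietse says to treat as a sign of a rootkit).
ancestry() {
    awk -v start="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i
                  ip = col["PID"]; pp = col["PPID"]; iu = col["UID"]
                  ic = col["COMMAND"]; next }
        {
            p = $ip
            pid[p] = 1; ppid[p] = $pp; uid[p] = $iu
            c = $ic; for (i = ic + 1; i <= NF; i++) c = c " " $i
            command[p] = c
        }
        END {
            p = start
            while (p in pid) { print p, uid[p], command[p]; p = ppid[p] }
            if (p != 0) { print "no process with PID " p " in listing" > "/dev/stderr"; exit 1 }
        }'
}

# Stand-alone demo: trace the postdrop process (PID 783) back to init.
printf '%s\n' "$SAMPLE_PS" | ancestry 783
```

On a live system, feed it the "ps axl" lines that the wrapper wrote to the mail log (or a fresh "ps axl") and the PID of the logged postdrop process.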