There is no pickup process so I believe that the server is OK. Thank you for your warning and I'm sorry for not pasting logs.
2009/9/7 /dev/rob0 <r...@gmx.co.uk>:
> On Monday 07 September 2009 07:25:52 Martina Tomisova wrote:
>> I'm analyzing logs to find the spam source and I've understood
>> that if someone sends the message, one of the first lines written
>> to the log file is a line containing the queue id and
>> 'client=IP_ADDRESS'.
>
> This is only true if the mail came in through smtpd(8).
>
>> But not every time. Actually this line is missing just in the cases
>> where the spam is sent. :) How's that possible? Any ideas how I can
>> get the IP address of the sender in such a case?
>
> It's possible, and common in the case of server compromises, for
> malware running on your own machine to be spewing spam using
> sendmail(1) submission. In that case, the first log you would see is
> like this:
>
> Sep 6 11:17:42 chestnut postfix/pickup[10567]: 974581C02EF9:
> uid=1000 from=<r...@gmx.co.uk>
>
> In many of these that I have seen, the machine itself is not under
> control of the attacker; it is merely an exploited PHP Web script
> being used for spam. If you were rooted, your logs would typically
> have no evidence of the abuse which is taking place.
>
> Do note, all this is mere speculation in your case, since you
> failed to follow the list guidelines (in the welcome message and
> DEBUG_README) by not posting the logging in question.
>
> If, however, my guess was right, I highly recommend that you stop
> Postfix and your httpd+PHP immediately, before any more damage is
> done. You might already be blacklisted.
> --
> Offlist mail to this address is discarded unless
> "/dev/rob0" or "not-spam" is in Subject: header
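As an added example (not code from the thread or from the Postfix project), the triage /dev/rob0 describes can be scripted: group Postfix log lines by queue ID and classify each message as SMTP ingress (an smtpd line carrying client=name[ip]) or local submission (a pickup line carrying uid=), so that messages with no client= line stand out and can be traced to the local uid that injected them. The sample log is constructed for illustration; the pickup line is the one quoted above, while the hostname pairing, the 192.0.2.10 address, the other queue IDs and the message-ids are made up.

```python
import re
from collections import defaultdict

# Constructed sample log (the pickup line is the one quoted in the thread;
# the remaining lines are made up to show a normal SMTP delivery beside it).
SAMPLE_LOG = """\
Sep  6 11:17:40 chestnut postfix/smtpd[10550]: 1A2B3C4D5E6F: client=mail.example.net[192.0.2.10]
Sep  6 11:17:41 chestnut postfix/cleanup[10551]: 1A2B3C4D5E6F: message-id=<abc@example.net>
Sep  6 11:17:41 chestnut postfix/qmgr[10420]: 1A2B3C4D5E6F: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Sep  6 11:17:42 chestnut postfix/pickup[10567]: 974581C02EF9: uid=1000 from=<r...@gmx.co.uk>
Sep  6 11:17:42 chestnut postfix/cleanup[10551]: 974581C02EF9: message-id=<20090906111742.974581C02EF9@chestnut>
Sep  6 11:17:43 chestnut postfix/qmgr[10420]: 974581C02EF9: from=<r...@gmx.co.uk>, size=512, nrcpt=25 (queue active)
"""

# One syslog line from a Postfix daemon: timestamp, host, program, queue ID, rest.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>\w+)\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): (?P<rest>.*)$'
)
CLIENT_RE = re.compile(r'client=(?P<name>\S+?)\[(?P<ip>[^\]]+)\]')   # smtpd(8) ingress
UID_RE = re.compile(r'uid=(?P<uid>\d+)')                              # pickup(8), sendmail(1) submission
NRCPT_RE = re.compile(r'nrcpt=(?P<n>\d+)')                            # qmgr(8) recipient count


def classify_queue_entries(log_text):
    """Map each queue ID to its ingress path and the evidence that identifies the sender.

    origin is "smtpd" (remote client, IP recorded), "pickup" (local process,
    uid recorded) or "unknown" (neither line seen in the supplied log window).
    """
    entries = defaultdict(lambda: {"origin": "unknown", "client_ip": None,
                                   "uid": None, "nrcpt": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-message Postfix line; skip
        entry = entries[m["qid"]]
        prog, rest = m["prog"], m["rest"]
        if prog == "smtpd":
            c = CLIENT_RE.search(rest)
            if c:
                entry["origin"] = "smtpd"
                entry["client_ip"] = c["ip"]
        elif prog == "pickup":
            u = UID_RE.search(rest)
            if u:
                entry["origin"] = "pickup"
                entry["uid"] = int(u["uid"])
        elif prog == "qmgr":
            n = NRCPT_RE.search(rest)
            if n:
                entry["nrcpt"] = int(n["n"])
    return dict(entries)


def local_submissions(entries):
    """Queue IDs that entered via pickup, i.e. were injected by a local process.

    These have no client= line; the uid field tells you which local account
    (for example the web server's) to investigate, as the thread suggests.
    """
    return sorted(q for q, e in entries.items() if e["origin"] == "pickup")


def submissions_by_uid(entries):
    """Count pickup messages per local uid; one uid with many large-nrcpt messages is the usual signature."""
    counts = defaultdict(int)
    for e in entries.values():
        if e["origin"] == "pickup":
            counts[e["uid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = classify_queue_entries(SAMPLE_LOG)
    for qid, e in found.items():
        print(qid, e)
    print("local submissions:", local_submissions(found))
    print("per uid:", submissions_by_uid(found))
```

Run it against a real mail log with `classify_queue_entries(open("/var/log/mail.log").read())`; the log window has to include the first line for a queue ID (the smtpd or pickup line), otherwise the entry stays "unknown" rather than being misclassified.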