On Tue, May 17, 2011 at 5:32 PM, Wietse Venema <wie...@porcupine.org> wrote:
> Mariano Aliaga:
>> Hi,
>> I'm currently running a Postfix (2.7.1) + Amavisd-new server. I
>> think it's been somehow compromised, because I'm seeing spams being
>> originated from localhost, and as 127.0.0.1 is listed on mynetworks,
>> it is accepted and sent to amavis which sometimes stops it, and
>> sometimes not.
>> My questions are:
>>
>> 1) Is there a way I can find the "process" or origin from these mails?
>
> All OS distributions:
>
> # lsof -ni | grep 127.0.0.1
>
> With some OSes, the netstat command will report the PID.
>
> # netstat -nap | grep 127.0.0.1
>
> Wietse
>
Thank you for your fast reply! I've tried those, but the problem is that this happens 5 to 10 times a day, and just for a few seconds, so it's difficult to get it at the right time. I was thinking more of a debug option that could give me a clue, but increased debug for localhost and didn't get more useful info.
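
An added example, not part of the original thread: one way to catch connections that last only a few seconds is to run the lsof check from the reply above in a polling loop and log the owning process each time a client socket to the local SMTP port appears. The port (25), the one-second interval, the log path and the function names are assumptions, and the sample lsof output is constructed.

```shell
#!/bin/sh
# Added example: log which local process opens connections to 127.0.0.1:25.
# Assumptions: smtpd listens on port 25; log path and interval are arbitrary.

# Read `lsof -nP -i` output on stdin and print "PID COMMAND USER" for each
# process holding the CLIENT end of a connection to 127.0.0.1:25. The server
# side (smtpd), listeners and other ports such as 10025 are skipped.
smtp_local_clients() {
    awk '/->127\.0\.0\.1:25( |$)/ { print $2, $1, $3 }'
}

# Poll once per second and append every hit, with the full command line of
# the owning process, to a log file. Run as root so lsof can see sockets
# that belong to other users.
watch_smtp_clients() {
    log=${1:-/var/tmp/smtp-local-clients.log}
    while :; do
        lsof -nP -i TCP@127.0.0.1:25 2>/dev/null | smtp_local_clients |
        while read -r pid cmd user; do
            printf '%s pid=%s cmd=%s user=%s args=%s\n' \
                "$(date '+%Y-%m-%d %H:%M:%S')" "$pid" "$cmd" "$user" \
                "$(ps -o args= -p "$pid" 2>/dev/null)"
        done >> "$log"
        sleep 1
    done
}

# Constructed sample of lsof output, used to check the filter offline.
sample_lsof() {
    cat <<'EOF'
COMMAND  PID     USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
master  1000     root  12u  IPv4  11111      0t0  TCP 127.0.0.1:25 (LISTEN)
smtpd   1234  postfix   6u  IPv4  12345      0t0  TCP 127.0.0.1:25->127.0.0.1:51234 (ESTABLISHED)
perl    4321 www-data   3u  IPv4  12346      0t0  TCP 127.0.0.1:51234->127.0.0.1:25 (ESTABLISHED)
amavisd 2222   amavis   9u  IPv4  12400      0t0  TCP 127.0.0.1:40000->127.0.0.1:10025 (ESTABLISHED)
EOF
}

# Start the watcher only when asked to: sh script.sh watch [logfile]
if [ "${1:-}" = "watch" ]; then
    watch_smtp_clients "${2:-}"
fi
```
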