On 5/17/2011 3:49 PM, Mariano Aliaga wrote:
On Tue, May 17, 2011 at 5:32 PM, Wietse Venema<wie...@porcupine.org>  wrote:
Mariano Aliaga:
Hi,
    I'm currently running a Postfix (2.7.1) + Amavisd-new server. I
think it's been somehow compromised, because I'm seeing spams being
originated from localhost, and as 127.0.0.1 is listed on mynetworks,
it is accepted and sent to amavis which sometimes stops it, and
sometimes not.
    My questions are:

    1) Is there a way I can find the "process" or origin from these mails?

All OS distributions:

# lsof -ni | grep 127.0.0.1

With some OSes, the netstat command will report the PID.

# netstat -nap | grep 127.0.0.1

        Wietse


Thank you for your fast reply!

I've tried those, but the problem is that this happens 5 to 10 times a
day, and just for a few seconds, so it's difficult to get it at the
right time. I was thinking more of a debug option that could give me a
clue, but increased debug for localhost and didn't get more useful
info.


The usual suspects are:

- these are not really generated from your machine, but rather bounces of undeliverable mail you've previously accepted. Don't accept mail you can't or won't deliver.

- an insecure web script is being exploited.

See more on both these subjects in the list archive.

If you're only seeing a handful per day, my guess is these are bounces. Usually exploits result in tens of thousands or more spams sent.

You can show postfix log entries here if you need more information on what they mean.



  -- Noel Jones
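The thread leaves the "catch it at the right time" problem open: the lsof/netstat commands above only help if someone is at the keyboard while the few-second SMTP session is in progress. The script below is an added example written for this page, not code from Wietse, Noel or the Postfix project. It polls lsof for established TCP connections to port 25, keeps only the client side of connections whose peer is 127.0.0.1:25, and records PID, command, user, full command line and working directory before the process disappears. It assumes a Linux host with lsof and /proc available; the lsof flags used (-n, -P, -iTCP:25, -sTCP:ESTABLISHED) are standard, and the sample lsof output embedded for the demo is constructed, not captured from the poster's server.

```shell
#!/bin/sh
# Poll for local processes that are connected to 127.0.0.1:25 and log who they are.
# Added example for this thread; assumes Linux (lsof + /proc).

# Read lsof output on stdin and print "PID COMMAND USER" for every socket whose
# NAME column shows a connection *to* 127.0.0.1:25, i.e. the client side.
# The smtpd side (127.0.0.1:25->...) and remote clients are deliberately skipped.
extract_local_smtp_clients() {
  awk '
    # lsof prints a header line first; drop it.
    NR == 1 && $1 == "COMMAND" { next }
    {
      # Column positions vary between lsof builds, so scan for the NAME field
      # instead of hard-coding $9.
      for (i = 4; i <= NF; i++) {
        if ($i ~ /->127\.0\.0\.1:25$/) { print $2, $1, $3; break }
      }
    }'
}

# Constructed sample of "lsof -nP -iTCP:25 -sTCP:ESTABLISHED" output, used for
# the offline demo below. Not real data from the poster's machine.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl 4242 www-data 5u IPv4 98765 0t0 TCP 127.0.0.1:51234->127.0.0.1:25 (ESTABLISHED)
smtpd 1200 postfix 6u IPv4 98766 0t0 TCP 127.0.0.1:25->127.0.0.1:51234 (ESTABLISHED)
smtpd 1300 postfix 7u IPv4 98767 0t0 TCP 10.0.0.5:25->203.0.113.9:40000 (ESTABLISHED)'

# Runs the filter over the constructed sample; expected output: "4242 perl www-data".
demo_extract() {
  printf '%s\n' "$SAMPLE_LSOF" | extract_local_smtp_clients
}

# Poll lsof every $1 seconds (default 1) and log each local SMTP client found,
# together with its command line and cwd, which is usually enough to identify
# an abused web script. Runs until interrupted.
watch_local_smtp_clients() {
  interval=${1:-1}
  while :; do
    lsof -nP -iTCP:25 -sTCP:ESTABLISHED 2>/dev/null \
      | extract_local_smtp_clients \
      | while read -r pid cmd user; do
          printf '%s pid=%s cmd=%s user=%s\n' \
            "$(date '+%Y-%m-%dT%H:%M:%S')" "$pid" "$cmd" "$user"
          # /proc is Linux-specific; grab these before the short-lived process exits.
          if [ -r "/proc/$pid/cmdline" ]; then
            printf '  cmdline: '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
          fi
          cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) && printf '  cwd: %s\n' "$cwd"
        done
    sleep "$interval"
  done
}

# Usage: sh watch-smtp-clients.sh watch [interval] >> /var/log/local-smtp-clients.log
case "${1:-}" in
  watch) watch_local_smtp_clients "${2:-1}" ;;
  demo)  demo_extract ;;
esac
```

Run it as root (lsof needs to see other users' sockets) under nohup or a tmux session and leave it for a day; with 5 to 10 events per day the log stays tiny. A one-second interval can still miss a session that completes in well under a second, so lower the interval if nothing shows up (GNU sleep accepts fractional seconds). It will also see nothing if the mail is injected with the sendmail(1) command rather than over SMTP to 127.0.0.1, and Noel's point still applies: if the messages turn out to be Postfix's own bounces, there is no foreign process to find, and the fix is to stop accepting mail that cannot be delivered.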
