John Fawcett wrote:

> One thing I would suggest looking at is if there is a web server running
> on the same host it may be allowing email to be injected into postfix
> via smtp on the loopback interface using some scripting language like
> php or others.

I suppose that's possible.

I spent some time last night cleaning up old stuff from the server in
question -- and also rebooting the box for good measure -- so the
problem *might* just go away at this point.

Before I can say anything more about this, unfortunately, I'll probably
need to wait for another incident similar to the preceding ones, and try
to capture more evidence while the problem is ongoing.  If it never
happens again, then maybe it was the fault of an old PHP web page which
I have removed.

If the problem were in fact due to a hijacked PHP page, btw, would this
necessarily require the page to be using e-mail or TCP connections
already for its own legitimate purposes, but being co-opted by a hacker
to nefarious ends?  Or could *any* PHP script theoretically be infected
in a way that would cause this misbehaviour?

Rich Wales
ri...@richw.org
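
An added example, not part of the original message: a small Python script that tallies from Postfix log lines whether each queued message arrived over SMTP from a loopback address, over SMTP from a remote client, or through local submission by a Unix uid (the path taken when a script calls the sendmail command). The log lines are constructed samples in the usual Postfix syslog layout, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the usual Postfix syslog layout (not from the thread).
SAMPLE_LOG = """\
Mar  3 02:10:01 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=localhost[127.0.0.1]
Mar  3 02:10:01 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<a@example.org>, size=812, nrcpt=1 (queue active)
Mar  3 02:10:02 mx postfix/pickup[950]: 5B2C3D4E5F: uid=33 from=<www-data>
Mar  3 02:10:02 mx postfix/qmgr[900]: 5B2C3D4E5F: from=<www-data@example.org>, size=640, nrcpt=1 (queue active)
Mar  3 02:10:05 mx postfix/smtpd[2102]: 6C3D4E5F60: client=mail.example.net[192.0.2.10]
Mar  3 02:10:06 mx postfix/smtpd[2103]: 7D4E5F6071: client=localhost[::1]
"""

# smtpd logs "QUEUEID: client=host[addr]"; pickup logs "QUEUEID: uid=N from=<user>".
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=\S+\[([^\]]+)\]")
PICKUP = re.compile(r"postfix/pickup\[\d+\]: ([0-9A-Za-z]+): uid=(\d+) from=<[^>]*>")


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def classify_origins(log_text):
    """Map each queue ID to how the message entered Postfix."""
    origins = {}
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if m:
            origins[m.group(1)] = "loopback-smtp" if is_loopback(m.group(2)) else "remote-smtp"
            continue
        m = PICKUP.search(line)
        if m:
            # The uid identifies the local account that submitted the message.
            origins[m.group(1)] = "local-submit uid=" + m.group(2)
    return origins


def summarize(log_text):
    """Count messages per entry path."""
    return Counter(classify_origins(log_text).values())


if __name__ == "__main__":
    for origin, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {origin}")
```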
