From owner-freebsd-questions@FreeBSD.ORG Thu Sep 19 18:47:13 2013
Delivered-To: freebsd-questions@freebsd.org
From: "Glenn McCalley"
Subject: how to tell which process call sendmail
Date: Thu, 19 Sep 2013 14:30:53 -0400

So, some idiot is using a cgi or php or something to send mail out of his website that he shouldn't be sending. With a bunch of sites on the server, can't tell who.

System accounting can tell me that sendmail was executed 32,976 times, but is there a way to tell what process/file name called it each time? Since it's always called by the www user that doesn't help -- I need to distinguish between legit processes that call 5 or 10 in a day and the idiot who calls the other 31,000 times.

Thanks!
Glenn.
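
One way to get the per-call attribution asked about above, as an added example that is not part of the original post: a wrapper placed where the web stack's sendmail path points, which records the parent process, working directory and CGI script name before handing off to the real binary. The wrapper name, log path and REAL_SENDMAIL location are assumptions, and it relies on the calling script's working directory and CGI environment being inherited by the wrapper.

```shell
#!/bin/sh
# Hypothetical "sendmail-wrapper": log who called us, then run the real sendmail.
# All paths below are assumptions; adjust them to the local install.
REAL_SENDMAIL=${REAL_SENDMAIL:-/usr/sbin/sendmail}
CALLER_LOG=${CALLER_LOG:-/var/log/sendmail-callers.log}

# Emit one tab-separated record:
#   epoch, parent pid, parent command line, working directory, CGI script
caller_record() {
    # The parent is the process that executed the wrapper (httpd, php-cgi, perl ...).
    parent_cmd=$(ps -o command= -p "$PPID" 2>/dev/null | tr '\t' ' ')
    # CGI programs export SCRIPT_FILENAME/SCRIPT_NAME; when neither is set,
    # the working directory is usually the best hint at the owning site.
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date +%s)" \
        "$PPID" \
        "${parent_cmd:-unknown}" \
        "$(pwd)" \
        "${SCRIPT_FILENAME:-${SCRIPT_NAME:-unknown}}"
}

# Read records on stdin and print "count<TAB>cwd<TAB>script", busiest first,
# so the caller responsible for tens of thousands of sends stands out from
# the ones that send a handful per day.
top_callers() {
    awk -F '\t' '
        { n[$4 "\t" $5]++ }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' | sort -rn
}

# Only log and hand off when actually installed under the wrapper name,
# so the functions above can also be sourced for analysis.
if [ "${0##*/}" = "sendmail-wrapper" ]; then
    caller_record >> "$CALLER_LOG"
    exec "$REAL_SENDMAIL" "$@"
fi
```

After a day of traffic, `top_callers < "$CALLER_LOG" | head` lists the directories and scripts with the highest send counts.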