From: "Eugene"
To: "Glenn McCalley"
Subject: Re: how to tell which process call sendmail
Date: Fri, 20 Sep 2013 00:12:50 +0400

Hi Glenn,

I once wrote some (quick-and-dirty) Perl script that monitors network traffic and logs (for matching outgoing connections) the process command line and (if apache) the respective vhost and request. But this would not help if they are calling the sendmail program directly to inject the message into the mail queue.
(Unverified guess: if you temporarily remove execute permissions on it, the execution error should probably be logged somewhere?)

BTW, most probably that is not your user as such, but rather some abused comment form or forum script or something like that.

Best wishes
Eugene

-----Original Message-----
From: Glenn McCalley
Sent: Thursday, September 19, 2013 10:30 PM
To: freebsd-questions@freebsd.org
Subject: how to tell which process call sendmail

So, some idiot is using a CGI or PHP or something to send mail out of his website that he shouldn't be sending. With a bunch of sites on the server, can't tell who.

System accounting can tell me that sendmail was executed 32,976 times, but is there a way to tell what process/file name called it each time? Since it's always called by the www user that doesn't help -- I need to distinguish between legit processes that call 5 or 10 in a day and the idiot who calls the other 31,000 times.

Thanks!
Glenn.
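
An added example, not part of either message above: a logging wrapper that records, for each sendmail invocation, the parent process, working directory and CGI script name, then tallies calls per directory to separate the 5-or-10-a-day callers from the one making thousands. The log path, the `REAL_SENDMAIL` location, the install name `sendmail`, and the idea that the caller's working directory identifies the site are all assumptions.

```sh
#!/bin/sh
# Added example: logging wrapper for the sendmail binary (not from the thread).
# Assumptions: log path, REAL_SENDMAIL path and install name are hypothetical.
SENDMAIL_CALL_LOG="${SENDMAIL_CALL_LOG:-/var/log/sendmail-callers.log}"
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/local/libexec/sendmail.real}"  # placeholder

# Append one tab-separated record per invocation:
# epoch, parent pid, working dir, CGI script (if exported), parent command line.
log_caller() {
    parent_cmd=$(ps -o command= -p "$PPID" 2>/dev/null || echo unknown)
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date +%s)" "$PPID" "$(pwd)" "${SCRIPT_FILENAME:--}" "$parent_cmd" \
        >> "$SENDMAIL_CALL_LOG"
}

# Count invocations per working directory, busiest first: "<count>\t<dir>".
top_callers() {
    awk -F '\t' '{ n[$3]++ } END { for (d in n) print n[d] "\t" d }' "$1" |
        sort -rn
}

# Print only the directories whose call count exceeds a threshold.
noisy_callers() {
    top_callers "$1" | awk -F '\t' -v max="$2" '$1 > max { print $2 }'
}

# Act as the wrapper only when this file is installed under the name "sendmail";
# sourced or run under any other name it just defines the functions.
case "${0##*/}" in
    sendmail)
        log_caller
        exec "$REAL_SENDMAIL" "$@"
        ;;
esac
```

After a day of logging, `noisy_callers /var/log/sendmail-callers.log 100` lists the directories responsible for more than 100 calls.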