From owner-freebsd-questions@FreeBSD.ORG  Thu Sep 19 22:37:49 2013
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 66322769
 for <freebsd-questions@freebsd.org>; Thu, 19 Sep 2013 22:37:49 +0000 (UTC)
 (envelope-from frank2@fjl.co.uk)
Received: from bs1.fjl.org.uk (bs1.fjl.org.uk [84.45.41.196])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id E37842E28
 for <freebsd-questions@freebsd.org>; Thu, 19 Sep 2013 22:37:48 +0000 (UTC)
Received: from [192.168.1.35] (mux.fjl.org.uk [62.3.120.246])
 (authenticated bits=0)
 by bs1.fjl.org.uk (8.14.4/8.14.4) with ESMTP id r8JMbeQm066798
 (version=TLSv1/SSLv3 cipher=DHE-DSS-CAMELLIA256-SHA bits=256 verify=NO)
 for <freebsd-questions@freebsd.org>; Thu, 19 Sep 2013 23:37:40 +0100 (BST)
 (envelope-from frank2@fjl.co.uk)
Message-ID: <523B7CB5.307@fjl.co.uk>
Date: Thu, 19 Sep 2013 23:37:41 +0100
From: Frank Leonhardt <frank2@fjl.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Subject: Re: how to tell which process call sendmail
References: <F76D6286C36C49BDB153CDF656C983F3@GLENN2>
In-Reply-To: <F76D6286C36C49BDB153CDF656C983F3@GLENN2>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.14
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2013 22:37:49 -0000

On 19/09/2013 19:30, Glenn McCalley wrote:
> So, some idiot is using a cgi or php or something to send mail out of 
> his website that he shouldn't be sending.  With a bunch of sites on 
> the server, can't tell who.
>

I had a similar problem, but some time back and I can't remember 
*exactly* what I did. It was something like pointing mailer.conf to my 
own program which did some logging and then called the real sendmail. 
Actually, I might just have hacked mailwrapper directly. I think there 
was some way I managed to cross-reference to the httpd logs, or that 
might be what I tried to do and failed. Sorry - this may not be helping 
much.

Another approach might be to find some likely text in the outgoing 
message and do a recursive grep on /home.