> What we're seeing is a spammer who's sending mail by an SMTP connection 
> to exim from the localhost (127.0.0.1).
> The logs don't show us what user is making the connection.  We really 
> need to allow mail from 127.0.0.1 or our webmail won't work.
> Any ideas on how we can search this?

Does fuser(1) help any?  fuser + netstat?
Do you allow logins to the box?  Is anyone logged in?
If you declare an emergency maintenance window and take down webmail
for 5 min, does that change anything?  (is webmail being abused some weird way?)
You have intrusion detection?  Does it show changes to any files?
port scan?  /var/log/warn?  fully patched?
/Randall
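The "fuser + netstat" idea above, worked through as an added example that is not part of the original thread: map the client side of every established connection to 127.0.0.1:25 back to its PID and user. It assumes Linux with ss(8) from iproute2 and procps ps(1), run as root so ss can show process owners; the sample ss output is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: map established TCP connections
# to the local SMTP port back to the owning PID and user, which is what the
# "fuser + netstat" suggestion amounts to. Assumes Linux with ss(8) from
# iproute2 and procps ps(1), run as root so ss can show process owners.

SMTP_PORT="${SMTP_PORT:-25}"

# Read `ss -Htnp` lines on stdin and print, one per line, the PIDs of client
# sockets whose peer is 127.0.0.1:$SMTP_PORT. The server side of each
# connection (local address 127.0.0.1:25) is deliberately excluded, so the
# listener's own PID never appears. A line may carry several pid= entries.
smtp_client_pids() {
    awk -v port="$SMTP_PORT" '
        $1 == "ESTAB" && $5 == ("127.0.0.1:" port) {
            s = $0
            while (match(s, /pid=[0-9]+/)) {
                print substr(s, RSTART + 4, RLENGTH - 4)
                s = substr(s, RSTART + RLENGTH)
            }
        }' | sort -u
}

# Live check: one ps line (pid, user, start time, command) per client process.
report_smtp_clients() {
    ss -Htnp 2>/dev/null | smtp_client_pids | while read -r pid; do
        ps -o pid=,user=,lstart=,cmd= -p "$pid"
    done
}

# Constructed ss output for offline testing: the exim4 line is the server side
# of the first connection and must be ignored; the perl line shows two PIDs
# sharing one socket (a forked child), both of which are reported.
SAMPLE_SS='ESTAB 0 0 127.0.0.1:25 127.0.0.1:51022 users:(("exim4",pid=1301,fd=5))
ESTAB 0 0 127.0.0.1:51022 127.0.0.1:25 users:(("php-fpm7.4",pid=4242,fd=12))
ESTAB 0 0 127.0.0.1:51030 127.0.0.1:25 users:(("perl",pid=5150,fd=3),("perl",pid=5151,fd=3))
ESTAB 0 0 10.0.0.5:443 203.0.113.7:40110 users:(("apache2",pid=2211,fd=9))'

demo_pids() {
    printf '%s\n' "$SAMPLE_SS" | smtp_client_pids
}

if [ "${1-}" = "--live" ]; then
    report_smtp_clients
fi
```

Connections from a short-lived script may already be gone by the time ss runs; enabling exim's `log_selector = +incoming_port` records the client's source port in the exim log so a later ss snapshot can be matched against it.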
