On Fri, May 18, 2001 at 08:37:37AM -0600, Roger Walker wrote:
> > UID != PID
>
> Sorry, I was distracted. The UID was for apache, further evidence
> that this was done through a formmail script.
Ok... And what did your apache logs say at the time? They are logging
IP addresses, right?
> Here's the tcpserver invocation:
>
> tcpserver -p -x /etc/tcpserver/tcp.smtp.cdb -u 301 -g 300 0 smtp \
> /usr/local/bin/rblsmtpd \
> -rrbl.maps.vix.com \
> -rinputs.orbs.org \
> -routputs.orbs.org \
> -rspamsources.orbs.org \
> -rspamsource-netblocks.orbs.org \
> -runtestable-netblocks.orbs.org \
> -rmanual.orbs.org \
> -rdialups.mail-abuse.org \
> -rrbl.rope.net \
> /var/qmail/bin/qmail-smtpd 2>&1 \
> | setuidgid qmaill tai64n | setuidgid qmaill tai64nlocal \
> | setuidgid qmaill multilog +\* /var/log/rbl &
Superficially that looks ok, again kinda different from what one
usually sees.
So there are not entries in /var/log/rbl/current like:
@400000003b053761268c7a14 tcpserver: pid 16838 from 131.193.178.181?
Regards.
