
My email service provider has informed me that I keep hitting my daily SMTP quota limit and has identified one of my servers as sending email from a root account.

I've disabled any cronjobs that were sending emails and then checked my mail logs and syslog and can see the mail process they're referring to is still running each minute.

However, it's not running from the cron, and appears to be a standalone SMTP process.

    tail -f ./var/log/syslog
    Jul 15 09:25:02 serveralias sSMTP[1359056]: Creating SSL connection to host
    Jul 15 09:25:03 serveralias sSMTP[1359056]: SSL connection using ECDHE_RSA_AES_256_GCM_SHA384
    Jul 15 09:25:06 serveralias sSMTP[1359056]: Sent mail for [email protected] (221 2.0.0 Bye) uid=1000 username=not-root-account outbytes=1332
    Jul 15 09:26:01 serveralias sSMTP[1359129]: Creating SSL connection to host
    Jul 15 09:26:03 serveralias sSMTP[1359129]: SSL connection using ECDHE_RSA_AES_256_GCM_SHA384
    Jul 15 09:26:05 serveralias sSMTP[1359129]: Sent mail for [email protected] (221 2.0.0 Bye) uid=1000 username=not-root-account outbytes=1332

Is there a way I can identify this process and see what it's doing? The OS is Ubuntu Server 20.04.

  • Did you try to get the user and process with: lsof -i:25 Commented Jul 15, 2021 at 10:12
  • Just managed to capture the process I think:

        root@serveralias:/# lsof -i:25
        COMMAND  PID     USER          FD  TYPE DEVICE   SIZE/OFF NODE NAME
        sendmail 1362800 not-root-user 3u  IPv4 17532561 0t0      TCP host.serveralias.com:56306->sub5.mail.dreamhost.com:smtp (ESTABLISHED)

    Tried it again a minute later to capture the next one; the ID obviously changes but the DEVICE remains unchanged. Can I use the "device" to track down the culprit? Commented Jul 15, 2021 at 10:38
  • I would use "ps aux | grep PID" to get the exact process Commented Jul 15, 2021 at 10:41

1 Answer

In this case, I would do a quick and dirty wrapper around the sendmail command, which is usually what processes, crontab entries, etc. use to send email:

  1. Rename original sendmail to sendmail.real: mv /usr/bin/sendmail{,.real}

  2. Write the following script as /usr/bin/sendmail:

    #!/bin/sh
    # Log which process invoked sendmail, then hand the message over to the real binary.
    # $PPID is the caller (cron, a script, a daemon); ps resolves it to a command line.
    calling_process=$(ps -o cmd= -p "$PPID")
    echo "$(date): Called by ${PPID} (resolves as ${calling_process})" >> /var/log/sendmail-wrapper.log
    # "$@" keeps the original arguments intact; stdin (the message) is inherited.
    exec /usr/bin/sendmail.real "$@"

  3. Put the right permissions on the script (chmod 755 /usr/bin/sendmail).

This must be enough :)
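Pulling the comment thread (lsof catches the sender, ps resolves the PID) and the wrapper answer together, here is an added example that is not code from the question, the comments or the answer. It polls for a process with a given name, and as soon as one appears it walks the parent chain from that PID up to PID 1, printing each ancestor's PID, UID and command line, so you can see whether the per-minute sender is spawned by cron, a systemd timer, a long-running daemon or an interactive shell. It reads /proc directly (Linux only, which fits the Ubuntu 20.04 box in the question) so it does not need the procps package. The process name `sendmail`, the log path /var/log/sendmail-ancestry.log and the 90-second default timeout are assumptions for this example, not values taken from the page.

```shell
#!/bin/sh
# Added example (not from the question or answer): catch a short-lived mail
# sender the moment it appears and walk its parent chain up to PID 1.
# Reads /proc directly, so it needs Linux but not the procps package.
# Assumed defaults: process name "sendmail", log /var/log/sendmail-ancestry.log.

# Command line of a PID; /proc stores the arguments NUL-separated.
cmdline_of() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null || true
}

# Parent PID of a PID, from the PPid: line of /proc/PID/status.
ppid_of() {
    awk '/^PPid:/ {print $2}' "/proc/$1/status" 2>/dev/null || true
}

# Print "pid uid=N cmdline" for the PID and every ancestor up to (not including) PID 1.
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 1 ] 2>/dev/null && [ -d "/proc/$pid" ]; do
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null || echo '?')
        printf '%s uid=%s %s\n' "$pid" "$uid" "$(cmdline_of "$pid")"
        pid=$(ppid_of "$pid")
    done
}

# PIDs whose executable name (/proc/PID/comm) equals $1, e.g. sendmail or ssmtp.
pids_named() {
    for d in /proc/[0-9]*; do
        if [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ]; then
            echo "${d#/proc/}"
        fi
    done
}

# Poll until a process named $1 shows up (default timeout 90 s, enough to span
# one run of a per-minute job), then append its ancestry to the log and stop.
watch_for() {
    name=$1
    timeout=${2:-90}
    log=${3:-/var/log/sendmail-ancestry.log}
    end=$(( $(date +%s) + timeout ))
    while [ "$(date +%s)" -lt "$end" ]; do
        for p in $(pids_named "$name"); do
            { echo "== $(date) caught $name pid $p"; ancestry "$p"; } | tee -a "$log"
            return 0
        done
        sleep 1
    done
    echo "no process named $name seen within ${timeout}s" >&2
    return 1
}

# Usage: sh trace-mail-sender.sh sendmail [timeout_seconds] [logfile]
if [ -n "${1:-}" ]; then
    watch_for "$@"
fi
```

Run it as root with the name lsof showed in the COMMAND column (`sendmail` in the comment above) and wait for the next minute boundary. The first line of output is the sender itself; the lines after it are the chain that spawned it. If an ancestor is cron, a crontab other than the one you already disabled (another user's, or a file under /etc/cron.d) is still firing; if it is a daemon or a systemd unit, that is what to stop. Polling once a second is enough here because, per the syslog above, each sSMTP run stays alive for several seconds while the TLS session is set up.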
