Gentoo Forums
Weird mail being sent by system daemon
haarp
Guru

Joined: 31 Oct 2007
Posts: 516

Posted: Tue Jan 06, 2015 9:38 pm    Post subject: Weird mail being sent by system daemon

First off, I don't have a mailing daemon on my Gentoo box. I don't need one, don't want one. In the few cases that some daemon wants to mail, it gets routed to ~/dead.letter. Fine by me.

However I'm noticing something very odd, and that's root's dead.letter filling up with lines that look like this:
Code:
41827 49201.485   27755.0     18.7  368655.7  26092.5         0


It seems one such "mail" is generated daily. But I can't figure out where it's coming from. It has to be some daemon. Logs don't indicate who sent it. The last mail was sent at 0900 this morning, and there are no cronjobs running at that time.

What could this be??

digifuzzy
n00b

Joined: 31 Oct 2014
Posts: 24

Posted: Wed Jan 07, 2015 12:04 am

The first number (41827) suggests a pid number
so if you did a
Code:

sudo ps aux | grep 41827


...does anything get printed to the console?

If ps doesn't report anything (i.e. not a pid), my next suggestion would be to use incron and watch the dead.letter file.

haarp
Guru

Joined: 31 Oct 2007
Posts: 516

Posted: Wed Jan 07, 2015 7:46 am

The first number actually seems to constantly increment. The second number increments too, but gets reset to a lower value occasionally. Here's a longer excerpt:
Code:
41860 72601.168   41670.0     48.5  927522.5  54916.4         0


41861 73201.941   46702.0    453.3  1576455.6  30685.4         0


41862 73801.950   27631.0    123.6  1903699.4  37796.0         0


41863 74401.948   45957.0     11.2  -25537.5  17379.8         0


41865 23401.231   31885.0     28.7  115423.7  20599.4         0


41866 24001.476   34611.0   1421.2  913382.1  42007.4         0


dead.letter gets written by ssmtp, which complains in syslog that no 'mail' command was found, and then redirects to dead.letter. The question is, what triggers ssmtp?

digifuzzy
n00b

Joined: 31 Oct 2014
Posts: 24

Posted: Wed Jan 07, 2015 10:19 am

I can think of a few processes.
Near the top of the list is mdadm (raid), or any daemon that has the ability to notify via email of a problem.

I would suggest looking for "root@" in the configuration files. Find that configuration and you've found your offending daemon.

haarp
Guru

Joined: 31 Oct 2007
Posts: 516

Posted: Fri Jan 30, 2015 3:15 pm

I'm still having this, couldn't figure it out yet.

It's not mdadm. No mdadm is running, and I have no RAID in the first place. Nor could I find any other daemon that's obviously set up to send mail.

weeeeeird!

digifuzzy
n00b

Joined: 31 Oct 2014
Posts: 24

Posted: Fri Jan 30, 2015 6:02 pm

Did you do incron and watch what hits the dead letter file?

haarp
Guru

Joined: 31 Oct 2007
Posts: 516

Posted: Fri Jan 30, 2015 6:18 pm

digifuzzy wrote:
Did you do incron and watch what hits the dead letter file?

You mean tracking who modifies dead.letter? Well, as I mentioned, ssmtp writes it. I see no option to make ssmtp write the source PID or something like that into the dead.letter file tho.

digifuzzy
n00b

Joined: 31 Oct 2014
Posts: 24

Posted: Sat Jan 31, 2015 5:17 am

The only thing left is to find who is sending the email "root@".
Beyond doing a grep -r in /etc /usr and /var for this, I've got nothing.

Sorry I can't be more help than that.

haarp
Guru

Joined: 31 Oct 2007
Posts: 516

Posted: Sun Feb 01, 2015 9:12 pm

Finally got it figured out. It was ntpclient, which was run by cron. Got that figured out by replacing ssmtp with a dummy script that logs its parent. Man...
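
The approach from the last post, sketched as an added example (not the poster's actual script): a stand-in for the mailer binary that logs the chain of calling processes and the message before discarding it. The log path, the `PROC_ROOT` override and the function names are assumptions of this sketch; it acts only when invoked under the name `sendmail` or `ssmtp`.

```shell
#!/bin/sh
# Added example: temporary replacement for the sendmail/ssmtp binary that
# records who invoked it. LOG and PROC_ROOT are assumptions of this sketch.
LOG=${LOG:-/var/log/mail-caller.log}
PROC_ROOT=${PROC_ROOT:-/proc}

# Print "pid(comm)" for a process and each of its ancestors, child first.
ancestry() {
    pid=$1
    chain=
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -r "$PROC_ROOT/$pid/status" ]; do
        comm=$(sed -n 's/^Name:[[:space:]]*//p' "$PROC_ROOT/$pid/status")
        chain="${chain:+$chain <- }$pid($comm)"
        # Step up to the parent; PPid is 0 for PID 1, which ends the loop.
        pid=$(sed -n 's/^PPid:[[:space:]]*//p' "$PROC_ROOT/$pid/status")
    done
    printf '%s\n' "$chain"
}

# Command line of one process (NUL-separated in /proc, printed with spaces).
cmdline_of() {
    [ -r "$PROC_ROOT/$1/cmdline" ] || return 0
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ *$//'
}

main() {
    {
        printf '%s args=[%s]\n' "$(date '+%F %T')" "$*"
        printf '  callers: %s\n' "$(ancestry "$PPID")"
        printf '  parent cmdline: %s\n' "$(cmdline_of "$PPID")"
        printf '  message:\n'
        sed 's/^/    /'    # headers and body arrive on stdin
    } >> "$LOG"
}

# Do nothing unless installed under the name the callers execute.
case ${0##*/} in
    sendmail|ssmtp) main "$@" ;;
esac
```

The logged message headers are worth reading alongside the caller chain: when the direct parent is a scheduler rather than the program producing the output, the subject line or body usually identifies the job.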