There's lots of `sh: 1: /usr/sbin/sendmail: not found` in my apache2 error.log. The problem is, I don't recall any of my sites/apps trying to send mail or whatever, and I've already installed WP Mail SMTP on my WordPress blogs, which works all right. So my question is, how do I find out which app or site is trying to do this all the time?

Edit: I did find interesting lines in /var/log/mail.log:

Jun 22 07:27:31 sm-mta[29654]: r5H8U4O1014238: to=<you@yourdomain.com>, ctladdr=<www-data@xxxx@xxxx.net> (33/33), delay=4+22:57:27, xdelay=00:00:01, mailer=esmtp, pri=63391559, relay=mx00.1and1.com. [74.208.5.3], dsn=4.0.0, stat=Deferred: 421 invalid sender domain.

I've already followed instructions to completely uninstall any mailer apps on my server like this:

apt-get remove sendmail sendmail-bin postfix
apt-get purge postfix exim4 sendmail sendmail-bin

Those annoying lines are still showing up every now and then. What do I do now?

Thanks, Shane


4 Answers

Then these are abuse attempts to send out spam emails.

Grep your logs for POST requests and you will find which PHP scripts are being abused pretty fast.

E.g.:

grep -R POST /var/log/apache2

UPDATE: Maybe your sendmail is still running? Check with:

ps auxww | grep sendmail

Also:

netstat -anp |grep :25

You can find the PID of a daemon that is still running.

cstamas
  • Unfortunately, I couldn't find any PHP script doing such a POST request. But I did find something interesting in /var/log/mail.log: `Jun 22 07:27:31 sm-mta[29654]: r5H8U4O1014238: to=, ctladdr= (33/33), delay=4+22:57:27, xdelay=00:00:01, mailer=esmtp, pri=63391559, relay=mx00.1and1.com. [74.208.5.3], dsn=4.0.0, stat=Deferred: 421 invalid sender domain`. I've already completely uninstalled `sendmail/postfix/sendmail-bin/exim4`, so how come such stuff is still popping up in my logs? – Shane Jun 22 '13 at 07:39

You can make a fake sendmail which logs what the message is. Maybe the content of the message will help you figure this out.

Another option (in case the app does not use sendmail but tries to connect to port 25) is to run a fake mail server like `python -m smtpd -n -c DebuggingServer localhost:25` and catch all stuff.

spinus
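
The fake sendmail suggested in the answer above could look like this (an added example, not part of the original post). The function names and the log path `/var/tmp/sendmail-trap.log` are assumptions; the script records the arguments, working directory, calling processes and message, and delivers nothing.

```shell
#!/bin/sh
# Stand-in for /usr/sbin/sendmail: records who called it, delivers nothing.
# Assumption: log path; it must be writable by the web server user.
SENDMAIL_TRAP_LOG="${SENDMAIL_TRAP_LOG:-/var/tmp/sendmail-trap.log}"

# Print the command line of PID $1 from /proc (Linux), or "unknown".
proc_cmdline() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        printf 'unknown'
    fi
}

# Print the parent PID of PID $1, or nothing if it cannot be read.
proc_parent() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^PPid:/ {print $2}' "/proc/$1/status"
    fi
}

# trap_sendmail LOGFILE [sendmail args...]
# Appends one record: time, args, cwd, the two processes above us, stdin.
trap_sendmail() {
    log="$1"; shift
    umask 077   # a newly created log may hold message bodies; owner-only
    grandparent="$(proc_parent "$PPID")"
    {
        printf '=== %s ===\n' "$(date '+%Y-%m-%d %H:%M:%S')"
        printf 'args: %s\n' "$*"
        printf 'cwd: %s\n' "$(pwd)"
        printf 'parent: %s %s\n' "$PPID" "$(proc_cmdline "$PPID")"
        printf 'grandparent: %s %s\n' "${grandparent:-?}" \
            "$(proc_cmdline "${grandparent:-0}")"
        printf '%s\n' '--- message ---'
        cat   # the message the caller pipes in on stdin
        printf '\n%s\n' '--- end ---'
    } >> "$log"
}

# Act only when installed under the name "sendmail"; under any other
# file name the script just defines the functions and exits.
case "$0" in
    */sendmail|sendmail) trap_sendmail "$SENDMAIL_TRAP_LOG" "$@" ;;
esac
```

Installed as an executable at `/usr/sbin/sendmail`, the path from the error message, each call appends one record whose `cwd`, `parent` and `grandparent` lines show where the call came from.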

This is a known issue if you are using Drupal and the SMTP module:

https://www.drupal.org/node/1078106

I saw these errors when accidentally passing "true" as a second parameter to `error_log()`.

This triggers a failed attempt to log the error via email.

When writing something like `error_log(print_r($foo, true));` someone may have actually typed `error_log(print_r($foo), true);`

error_log()

jeyrey