On Tue, Mar 09, 2021 at 11:49:41AM +0100, Luca Bertoncello via Exim-users wrote:
> 2021-03-09 11:44:14.593 [24107] cwd=/var/spool/exim4 5 args:
> /usr/sbin/sendmail -i -f lucabert@???
> l.bertoncello@???
...
> 2021-03-09 11:44:14.770 [24109] 1lJZqY-0006Gp-JE Completed QT=0.174s
>
> Where the evil comes this sendmail-call?!?

I suspect the Kaspersky library as the source of this process.
There are simple ways to check it:

1. Run exim -bh under strace:

   strace -s200 -e fork,clone,execve exim ... -bh ...

2. Put some wrapper script in place of /usr/sbin/sendmail, such as
-------------------------------------
#!/bin/bash
# Log the parent process (the caller of sendmail): no header, full command line.
ps wwh $PPID > /tmp/sendmail.log 2>&1
# Hand over to the real MTA with the original arguments.
exec /path/to/exim "$@"
-------------------------------------
make it executable (chmod +x /usr/sbin/sendmail), run,
then look into /tmp/sendmail.log.

--
Eugene Berdnikov
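
Added example, not part of the original message: a variant of the wrapper above that appends a timestamped record of the whole ancestor chain, which helps when the direct parent is only an intermediate "sh -c". It is Linux-only (reads /proc); the log path, the SENDMAIL_TRACE_LOG variable and the function names are assumptions, and /path/to/exim is the placeholder from the message.

```bash
#!/bin/bash
# Added example: sendmail wrapper that records the whole calling chain.
# Linux-only (reads /proc). LOG and REAL_MTA are assumptions; adjust both.
LOG=${SENDMAIL_TRACE_LOG:-/var/log/sendmail-callers.log}
REAL_MTA=/path/to/exim   # placeholder taken from the original message

# Print one line per ancestor of PID $1: "PID PPID COMMAND-LINE".
ancestry() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        # Kernel threads and zombies have an empty cmdline; fall back to Name:.
        [ -n "$cmd" ] || cmd="[$(awk '/^Name:/ {print $2}' "/proc/$pid/status")]"
        printf '%s %s %s\n' "$pid" "$ppid" "$cmd"
        pid=$ppid
    done
}

# Append one timestamped record: our arguments, then the chain from the caller up.
log_call() {
    {
        printf '=== %s args: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
        ancestry "$PPID"
    } >> "$LOG" 2>&1
}

# Act as the wrapper only when installed under the name "sendmail".
if [ "${0##*/}" = "sendmail" ]; then
    log_call "$@"
    exec "$REAL_MTA" "$@"
fi
```

Keeping the log in a root-owned directory rather than /tmp avoids following a symlink planted by another local user when the wrapper runs as root.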