
Problem solved. Recently I found that my server was being used to disseminate SPAM. I suspected my exim mail server was being used somehow as an open relay.
From mail server:

telnet relay-test.mail-abuse.org 25

The results of more than a dozen tests appear in your telnet session. In my case, the results suggested that my server was not an open relay.
A suggestion was made that my system had been hacked and that I should try tcpdump'ing on the firewall when the incursion was occurring, but something else looked suspicious. Exim's logs said these emails were originating from inside my server and that the user was "apache". hmmm... "apache" is the user that runs the apache web server...

I examined both the time-stamped mail server logs and apache access logs focusing on the time of one of the email batches. At precisely that time, I saw a record in the apache access log that said a particular cgi program was accessed. The culprit -- that cgi program -- was found. Used "normally", that cgi program was harmless, however it was exploitable -- and it was being exploited.

--
--------------------------------------
Please do not respond in HTML
Alan Cohen
alan-QVObF66B6qeOg/Yh5kgvkFaTQe2KTcn/@public.gmane.org
voice: 416-783-9826
fax: 240-269-7457
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
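The log correlation described in the post, as an added example that is not part of the original message: it pairs each message exim accepted from the local user "apache" with the most recent Apache request shortly before it, so the script that keeps appearing stands out. The log lines, the host names, the window of 10 seconds and the path /cgi-bin/contact.cgi are constructed for the example; both logs are assumed to be in the same local time.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). Exim's mainlog marks
# a local submission with "<=" and the submitting Unix user as U=<user>; Apache's
# combined log carries the request path. Both are assumed to be in local time.
EXIM_LOG = """\
2004-05-12 03:14:07 1BNlAB-0003Cx-5s <= apache@mail.example U=apache P=local S=1432
2004-05-12 03:14:09 1BNlAD-0003D1-Kq <= apache@mail.example U=apache P=local S=1432
2004-05-12 09:02:55 1BNqbZ-0004Fb-7x <= alan@mail.example U=alan P=local S=820
"""
APACHE_LOG = """\
10.0.0.7 - - [12/May/2004:03:14:05 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 200 312 "-" "-"
10.0.0.7 - - [12/May/2004:03:14:08 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 200 312 "-" "-"
192.0.2.9 - - [12/May/2004:09:02:40 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla"
"""

EXIM_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ U=(\S+)")
APACHE_RE = re.compile(r'\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\] "[A-Z]+ (\S+)')

def parse_exim(text, user):
    """Timestamps of messages submitted locally by the given Unix user."""
    out = []
    for line in text.splitlines():
        m = EXIM_RE.match(line)
        if m and m.group(2) == user:
            out.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return out

def parse_apache(text):
    """(timestamp, request path) pairs from an Apache combined access log."""
    out = []
    for line in text.splitlines():
        m = APACHE_RE.search(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"), m.group(2)))
    return out

def correlate(exim_text, apache_text, user="apache", window=timedelta(seconds=10)):
    """For each mail the web-server user injected, take the most recent web request
    within `window` before it and count which paths keep showing up."""
    requests = sorted(parse_apache(apache_text))
    hits = Counter()
    for sent in parse_exim(exim_text, user):
        prior = [(t, p) for t, p in requests if timedelta(0) <= sent - t <= window]
        hits[max(prior)[1] if prior else "(no web request within window)"] += 1
    return hits
```

Run `correlate(open("/var/log/exim/mainlog").read(), open("/var/log/httpd/access_log").read()).most_common()` against real logs (paths vary by distribution); a script that dominates the top of the list during a spam burst is the one to inspect.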