I've got a personal firewall running on my Mac (Little Snitch) and for the past couple of days, periodically, it's telling me that something is trying to connect via SMTP – but it does not tell me what is trying to connect.
I know it's none of my normal apps, as they all have rules to allow or disallow them already.
I've been denying the requests but want to find out what is trying to send an e-mail. It concerns me and makes me think it's something nasty!
Any ideas on what I can do to identify the source and see what it's trying to send?
Seems like a design flaw of the interface if it tells you something is attempting to make an SMTP connection but doesn't tell you which process. Are there perhaps more detailed logs that exist? Besides looking at the logs themselves I don't see how we can help you, considering the firewall of choice doesn't even tell you what process it is. – Ramhound – 2012-12-10T14:40:07.427
@Ramhound Well, normally Little Snitch would tell you all you need to know, but in this instance there is no information of use. That process is simply SMTP, and nothing more. That is the confusing part! – John – 2012-12-10T14:43:14.390
@slhck Well, that is the other odd thing, it's trying to connect to the google dns servers 8.8.8.8, 8.8.8.4 and then 10.0.0.1. What is 10.0.0.1? Some kind of broadcast attempt? – John – 2012-12-10T15:13:34.947
Ah right, ok, it's showing me that it's postfix - /usr/libexec/postfix/smtp and user _postfix (UID: 27) but that could be anything trying to send via postfix I guess. How would I then identify what is trying to use postfix? – John – 2012-12-10T15:15:08.690
Yes, that would be Google DNS and 10.0.0.1 is the default gateway address if you happen to be in the same subnet. It's not a broadcast though, technically speaking. – slhck – 2012-12-10T15:15:13.277
Ok, well I've been able to identify the process and it simply says it's postfix. So, I guess I now need to find a way of inspecting postfix. I have no idea how to do this. I tried sampling the postfix process but it doesn't tell me anything useful. – John – 2012-12-10T15:20:17.103
Really odd, the e-mail message seems to be trying to go to someone@johndoe.com. I've removed it from the mail queue now, will just have to see if another one appears there. Thanks for all your help!! – John – 2012-12-10T15:36:46.773
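The thread ends with John finding the message in the Postfix queue and removing it. As an added example (not part of the original thread, and not code from anyone in it), the script below shows how a defender would triage that queue on a Mac: `postqueue -p` (or `mailq`) lists queued messages with their queue IDs, `postcat -q <ID>` dumps a message so its headers can be read, and `postsuper -d <ID>` removes it. The listing embedded in the script is constructed to mirror the `postqueue -p` output format and is not real data; the hostnames, addresses and queue IDs in it are invented. The `mailq_summary` function condenses that listing into one `queue-id sender -> recipient` line per recipient so that each queued message can be inspected by ID.

```shell
#!/bin/sh
# Added example: summarise a Postfix queue listing so each queued message can be
# inspected with `postcat -q <ID>` and, if unwanted, removed with `postsuper -d <ID>`.
# On a Mac the live listing comes from `postqueue -p` (or `mailq`). The listing
# below is CONSTRUCTED to mirror that format; it is not real queue output.

SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1234 Mon Dec 10 15:20:17  _postfix@Johns-Mac.local
                                         someone@johndoe.com
F6E7D8C9B0!     2048 Mon Dec 10 15:36:46  _www@Johns-Mac.local
(connect to smtp.example.invalid[192.0.2.10]:25: Connection refused)
                                         another@johndoe.com
                                         second@johndoe.com

-- 3 Kbytes in 2 Requests.'

# Reads a mailq/postqueue listing on stdin and prints one line per recipient:
#   <queue id> <sender> -> <recipient>
mailq_summary() {
    awk '
        # A queue entry line starts with the queue ID, optionally followed by
        # "*" (active) or "!" (held), then the size; the sender is the last field.
        /^[0-9A-Za-z]+[*!]? +[0-9]+ /  { id = $1; sub(/[*!]$/, "", id); sender = $NF; next }
        # Deferral reasons are unindented and parenthesised; they are not recipients.
        /^\(/                          { next }
        # Indented address lines under an entry are its recipients.
        id != "" && /^ +[^ ]+@/        { print id, sender, "->", $1; next }
        # A blank line or the trailing "-- N Kbytes" summary ends the entry.
        /^$/ || /^--/                  { id = "" }
    '
}

# Distinct queue IDs from a listing on stdin, one per line, for feeding to
# `postcat -q` (inspect) or `postsuper -d` (remove).
queue_ids() {
    mailq_summary | awk '{ print $1 }' | sort -u
}

main() {
    # Replace the sample with a live listing: postqueue -p | mailq_summary
    printf '%s\n' "$SAMPLE_MAILQ" | mailq_summary
    echo "---"
    printf '%s\n' "$SAMPLE_MAILQ" | queue_ids
}

main "$@"
```

Once a queue ID is known, `postcat -q <ID>` shows the full message. For mail handed to Postfix by a local program through the `sendmail` command, the `Received:` header Postfix adds reads `(Postfix, from userid N)`, and that numeric user ID is the strongest clue to which local account, and therefore which process or scheduled job, submitted the message; `/var/log/mail.log` (where present) records the same queue ID alongside the submission.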