Date: Mon, 13 Apr 2015 23:08:48 -0700
From: Doug Hardie <bc979@lafn.org>
To: David Banning <david+dated+1429418881.347c7b@skytracker.ca>
Cc: questions@freebsd.org
Subject: Re: tracing emails with sendmail
Message-ID: <C75213E0-9629-4AE7-A1BD-783ABC12BF8F@lafn.org>
In-Reply-To: <20150414044757.GA10829@skytracker.ca>
References: <20150414044757.GA10829@skytracker.ca>

> On 13 April 2015, at 21:48, David Banning <david+dated+1429418881.347c7b@skytracker.ca> wrote:
>
> All of a sudden I am getting a ton of spam being relayed through sendmail.
> I have around 40 legitimate users on the system - even though I have increased
> sendmail's log level to 15 - I cannot see - who is being authorized to relay
> through my server. It gives the sender name as an email address, unknown to me.
>
> I am guessing that one of my users has had their password stolen. Is there a
> specific log level that tells which username is being given authorization
> to relay?
>
> Any pointers would be helpful.

I have this happen occasionally. The way I trace it down is based on the propensity of spammers to send a lot of spam to invalid addresses. This results in a buildup of the mail queue. Check the mail queue and find one of the spam messages. Then get the message id from it and look in maillog. That will give you the sendmail pid and searching on that in maillog will give you the auth message info. Often I start getting a bunch of bounced emails from AOL addresses and that speeds up the process a lot.
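The trace described in the reply above, as an added example that is not part of the original message: given the identifier of one queued spam message, it finds the sendmail pid that accepted it and prints the AUTH line logged by that pid. It assumes sendmail's usual `AUTH=server, relay=..., authid=...` maillog entry and a `name[pid]:` syslog tag; the function names `trace_auth` and `sample_maillog` and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# trace_auth ID [MAILLOG]: ID is the queue ID or Message-ID of a queued spam
# message; MAILLOG defaults to stdin. Prints the AUTH login of the accepting pid.
trace_auth() {
    [ -n "$1" ] || { echo "usage: trace_auth ID [MAILLOG]" >&2; return 2; }
    awk -v id="$1" '
    match($0, /\[[0-9]+\]:/) {
        pid = substr($0, RSTART + 1, RLENGTH - 3)   # digits inside "[4417]:"
        if (index($0, "AUTH=server")) {
            # Remember the most recent AUTH line logged by this pid.
            who = match($0, /authid=[^,]+/) ? substr($0, RSTART, RLENGTH) : "authid=?"
            rel = match($0, /relay=[^,]+/) ? substr($0, RSTART, RLENGTH) : "relay=?"
            auth[pid] = who " " rel
        } else if (index($0, id) && index($0, " from=")) {
            # Use the from= line: it is logged by the process that accepted the
            # message; to= (delivery) lines can come from a different pid.
            print "pid=" pid " " ((pid in auth) ? auth[pid] : "authid=none")
            found = 1
        }
    }
    END { exit (found ? 0 : 1) }' "${2:--}"
}

# Constructed sample maillog lines (assumed format, not real traffic).
sample_maillog() {
    cat <<'EOF'
Apr 13 20:00:58 mail sm-mta[4410]: AUTH=server, relay=client1.example [192.0.2.10], authid=alice, mech=PLAIN, bits=0
Apr 13 20:00:59 mail sm-mta[4410]: t3E30wQ1004410: from=<alice@example.org>, size=812, nrcpts=1, msgid=<ok1@example.org>, proto=ESMTPA, relay=client1.example [192.0.2.10]
Apr 13 20:01:02 mail sm-mta[4417]: AUTH=server, relay=[203.0.113.77], authid=bob, mech=LOGIN, bits=0
Apr 13 20:01:03 mail sm-mta[4417]: t3E312Rk004417: from=<promo@spam.example>, size=2048, nrcpts=40, msgid=<x9@spam.example>, proto=ESMTPA, relay=[203.0.113.77]
Apr 13 20:01:09 mail sm-mta[4421]: t3E312Rk004417: to=<nobody@aol.example>, delay=00:00:06, mailer=esmtp, dsn=5.1.1, stat=User unknown
EOF
}

sample_maillog | trace_auth t3E312Rk004417
# → pid=4417 authid=bob relay=[203.0.113.77]
```

On the server, pass the log file as the second argument (for example `/var/log/maillog`) and take the identifier from the `mailq` listing.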