From: Doug Hardie
To: David Banning
Cc: questions@freebsd.org
Subject: Re: tracing emails with sendmail
Date: Mon, 13 Apr 2015 23:08:48 -0700
In-Reply-To: <20150414044757.GA10829@skytracker.ca>

> On 13 April 2015, at 21:48, David Banning wrote:
>
> All of a sudden I am getting a ton of spam being relayed through sendmail.
> I have around 40 legitimate users on the system - even though I have increased
> sendmail's log level to 15 - I cannot see - who is being authorized to relay
> through my server. It gives the sender name as an email address, unknown to me.
>
> I am guessing that one of my users has had their password stolen. Is there a
> specific log level that tells which username is being given authorization
> to relay?
>
> Any pointers would be helpful.

I have this happen occasionally. The way I trace it down is based on the propensity of spammers to send a lot of spam to invalid addresses. This results in a buildup of the mail queue. Check the mail queue and find one of the spam messages. Then get the message id from it and look in maillog. That will give you the sendmail pid and searching on that in maillog will give you the auth message info. Often I start getting a bunch of bounced emails from AOL addresses and that speeds up the process a lot.
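
Added example, not part of the original message: the lookup described above (ID of a queued message, then sendmail pid, then the AUTH entry for that pid) done in one pass over maillog, extended to count accepted messages per authenticated user. It assumes the usual sendmail maillog layout, in which the AUTH=server entry carries the pid but no queue ID; the function names and every sample log line are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log, modeled on sendmail's usual maillog layout (an
# assumption); hosts, PIDs, queue IDs and user names are invented.
SAMPLE_LOG = """\
Apr 13 21:40:01 mail sm-mta[4101]: NOQUEUE: connect from client1.example [192.0.2.10]
Apr 13 21:40:01 mail sm-mta[4101]: AUTH=server, relay=client1.example [192.0.2.10], authid=alice, mech=PLAIN, bits=0
Apr 13 21:40:02 mail sm-mta[4101]: t3E4e1aa004101: from=<alice@example.org>, size=2048, nrcpts=1, relay=client1.example [192.0.2.10]
Apr 13 21:55:10 mail sm-mta[4207]: NOQUEUE: connect from bulk.example [198.51.100.7]
Apr 13 21:55:11 mail sm-mta[4207]: AUTH=server, relay=bulk.example [198.51.100.7], authid=bob, mech=LOGIN, bits=0
Apr 13 21:55:12 mail sm-mta[4207]: t3E4t1bb004207: from=<promo@unknown.example>, size=5120, nrcpts=50, relay=bulk.example [198.51.100.7]
Apr 13 21:55:13 mail sm-mta[4207]: t3E4t1bc004207: from=<promo@unknown.example>, size=5120, nrcpts=50, relay=bulk.example [198.51.100.7]
Apr 13 22:10:00 mail sm-mta[4101]: NOQUEUE: connect from mx.example [203.0.113.9]
Apr 13 22:10:01 mail sm-mta[4101]: t3E5a1cc004101: from=<list@example.net>, size=900, nrcpts=1, relay=mx.example [203.0.113.9]
"""

ENTRY = re.compile(r"(?:sm-mta|sendmail)\[(\d+)\]: (.*)")  # pid, rest of entry
AUTH = re.compile(r"AUTH=server,.*\bauthid=([^,\s]+)")     # successful SMTP AUTH
FROM = re.compile(r"(\w+): from=")                         # queue ID of a message

def authid_by_queue_id(log_text):
    """Map each queue ID to the authid of its SMTP session (None if no AUTH)."""
    session_auth = {}  # pid -> authid for the connection that pid is serving
    mapping = {}
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        pid, msg = entry.groups()
        # Assumption: the log level is high enough to record "connect from".
        if "connect from" in msg:
            session_auth.pop(pid, None)  # pid reused: forget the old session
        elif (m := AUTH.match(msg)):
            session_auth[pid] = m.group(1)
        elif (m := FROM.match(msg)):
            mapping[m.group(1)] = session_auth.get(pid)
    return mapping

def messages_per_authid(log_text):
    """Count accepted messages per authenticated user."""
    return Counter(a for a in authid_by_queue_id(log_text).values() if a)

if __name__ == "__main__":
    print(authid_by_queue_id(SAMPLE_LOG).get("t3E4t1bb004207"))
    print(messages_per_authid(SAMPLE_LOG).most_common())
```

On a live system, pass the contents of the maillog file instead of SAMPLE_LOG; an account whose count jumps well above its normal volume is the one to lock and reset.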