tracing emails with sendmail

Tue Apr 14 06:29:25 UTC 2015

> On 13 April 2015, at 21:48, David Banning <david+dated+1429418881.347c7b at skytracker.ca> wrote:
> 
> All of a sudden I am getting a ton of spam being relayed through sendmail.
> I have around 40 legitimate users on the system - even though I have increased 
> sendmail's log level to 15 - I cannot see - who is being authorized to relay 
> through my server.  It gives the sender name as an eail address, unknown to me.
> 
> I am guessing that one of my users has had their passowrd stolen. Is there s
> specific log level that tells which username is being given authorization
> to relay?
> 
> Any pointers would be helpful.

I have this happen occasionally.  The way I trace it down is based on the propensity of spammers to send a lot of spam to invalid addresses.  This results in a buildup of the mail queue.  Check the mail queue and find one of the spam messages.  Then get the message id from it and look in maillog.  That will give you the sendmail pid and searching on that in maillog will give you the auth message info.  Often I start getting a bunch of bounced emails from AOL addresses and that speeds up the process a lot.