My server is sending SPAM - how do I find out which user(s) are sending it?

I just received a notice from my ISP that some SPAM was sent by my email server. He included samples of the spam. Unfortunately I can't find any info in the spam to tie it to an IP number that would help me find if one of my users is infected.
I think I have the SMTP set so that it can only be used with authentication. We have had this set up for some time now (over two years at least) and this is our first instance.
I'm concerned that one of my users on a PC is infected and using their smtp authentication to send this stuff.
Any advice on where to go from here?
I have included the results of postconf -n to see if I have any configuration problems.
Thanks.
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
inet_interfaces = all
mail_owner = postfix
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 15728640
mydestination = $myhostname,localhost.$mydomain,localhost,zeryn.com
mydomain = zeryn.com
mydomain_fallback = localhost
myhostname = mail.zeryn.com
mynetworks = 127.0.0.1/32,65.39.65.22
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org permit
smtpd_pw_server_security_options = login,cram-md5,plain
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_use_pw_server = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_transport = lmtp:unix:/var/imap/socket/lmtp
xserve Mac OS X (10.4.9)

A list of the emails was sent to me, but I'm not sure there is enough header info in them to tell me what I want. However, I searched the log for the "from email" and found some at about the same time in the log. Here is the header and the parts of the log dealing with this email address:
Email header? -------------
From: "alisander gianni" <[email protected]>
To: <Undisclosed Recipients>
Subject: RE: Get the size that kills with enlargement pills. Try Advanced Gain Pro ***** Enlargement Pills.
Date: Sun, 6 May 2007 07:43:43 -0700
Message-ID: <357701c78fec$f1ee7960$0801010a@lye>
MIME-Version: 1.0
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2900.2527
Thread-Index: AceP7S2xF77i9UyvRp6aehJVe3GLbg==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
X-Sieve: CMU Sieve 2.2
X-AOL-IP: 65.39.65.21 (<-- this is my server ip)
SMTP log entries ------------
May 6 07:44:49 zeryn postfix/smtpd[2846]: warning: 60.48.247.22: hostname tm.net.my verification failed: Host not found
May 6 07:44:49 zeryn postfix/smtpd[2846]: connect from unknown[60.48.247.22]
May 6 07:44:50 zeryn postfix/smtpd[2846]: 0621623D6EDE: client=unknown[60.48.247.22]
May 6 07:44:50 zeryn postfix/cleanup[2850]: 0621623D6EDE: message-id=<357701c78fec$f1ee7960$0801010a@lye>
May 6 07:44:50 zeryn postfix/qmgr[118]: 0621623D6EDE: from=<[email protected]>, size=1847, nrcpt=1 (queue active)
May 6 07:44:50 zeryn postfix/smtpd[2853]: connect from localhost[127.0.0.1]
May 6 07:44:50 zeryn postfix/smtpd[2853]: EC70A23D6EE1: client=localhost[127.0.0.1]
May 6 07:44:50 zeryn postfix/cleanup[2850]: EC70A23D6EE1: message-id=<357701c78fec$f1ee7960$0801010a@lye>
May 6 07:44:50 zeryn postfix/qmgr[118]: EC70A23D6EE1: from=<[email protected]>, size=2231, nrcpt=1 (queue active)
May 6 07:44:50 zeryn postfix/smtpd[2853]: disconnect from localhost[127.0.0.1]
May 6 07:44:51 zeryn postfix/smtp[2851]: 0621623D6EDE: to=<[email protected]>, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.6.0 Ok, id=02590-09, from MTA: 250 Ok: queued as EC70A23D6EE1)
May 6 07:44:51 zeryn postfix/qmgr[118]: 0621623D6EDE: removed
May 6 07:44:51 zeryn postfix/pickup[2343]: 2501123D6EE5: uid=77 from=<[email protected]>
May 6 07:44:51 zeryn postfix/lmtp[2854]: EC70A23D6EE1: to=<[email protected]>, relay=/var/imap/socket/lmtp[/var/imap/socket/lmtp], delay=1, status=sent (250 2.1.5 Ok)
May 6 07:44:51 zeryn postfix/qmgr[118]: EC70A23D6EE1: removed
May 6 07:44:51 zeryn postfix/cleanup[2850]: 2501123D6EE5: message-id=<357701c78fec$f1ee7960$0801010a@lye>
May 6 07:44:51 zeryn postfix/qmgr[118]: 2501123D6EE5: from=<[email protected]>, size=2510, nrcpt=1 (queue active)
May 6 07:44:51 zeryn postfix/smtpd[2846]: disconnect from unknown[60.48.247.22]
May 6 07:44:51 zeryn postfix/smtpd[2853]: connect from localhost[127.0.0.1]
May 6 07:44:51 zeryn postfix/smtpd[2853]: 3949F23D6EE8: client=localhost[127.0.0.1]
May 6 07:44:51 zeryn postfix/cleanup[2850]: 3949F23D6EE8: message-id=<357701c78fec$f1ee7960$0801010a@lye>
May 6 07:44:51 zeryn postfix/qmgr[118]: 3949F23D6EE8: from=<[email protected]>, size=2874, nrcpt=1 (queue active)
May 6 07:44:51 zeryn postfix/smtpd[2853]: disconnect from localhost[127.0.0.1]
I'm not sure how to read the log file. Is there something here out of the ordinary? Does the server consider these valid users/email?
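
One way to read a log like this, as an added example that is not part of the original post: it groups Postfix log lines by queue ID and labels how each message entered the server (authenticated SASL user, unauthenticated SMTP client, local uid via pickup, or loopback re-injection). The log sample is constructed, and the code assumes the smtpd `client=` line carries `sasl_username=` for authenticated sessions, as stock Postfix logs it.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format; IPs and addresses are documentation values.
SAMPLE_LOG = """\
May  6 07:44:50 mail postfix/smtpd[2846]: 0621623D6EDE: client=unknown[203.0.113.22]
May  6 07:44:50 mail postfix/cleanup[2850]: 0621623D6EDE: message-id=<abc@lye>
May  6 07:44:50 mail postfix/smtpd[2853]: EC70A23D6EE1: client=localhost[127.0.0.1]
May  6 07:44:50 mail postfix/cleanup[2850]: EC70A23D6EE1: message-id=<abc@lye>
May  6 07:44:51 mail postfix/smtp[2851]: 0621623D6EDE: to=<user@example.com>, relay=127.0.0.1[127.0.0.1], status=sent (250 Ok: queued as EC70A23D6EE1)
May  6 07:44:51 mail postfix/pickup[2343]: 2501123D6EE5: uid=77 from=<spam@example.net>
May  6 07:44:51 mail postfix/cleanup[2850]: 2501123D6EE5: message-id=<abc@lye>
May  6 07:45:10 mail postfix/smtpd[2901]: 7A1B223D6F01: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
May  6 07:45:10 mail postfix/cleanup[2850]: 7A1B223D6F01: message-id=<def@pc>
May  6 07:45:11 mail postfix/smtp[2851]: 7A1B223D6F01: to=<rcpt@example.org>, relay=mx.example.org[192.0.2.9], status=sent (250 Ok)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{8,}): (.*)$")
CLIENT = re.compile(r"client=\S*\[([^\]]+)\](?:.*?sasl_username=(\S+))?")

def parse_log(text):
    """Group Postfix log lines by queue ID and record how each message entered."""
    msgs = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no queue ID
        daemon, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"ip": None, "sasl": None, "uid": None, "msgid": None, "to": []})
        if daemon == "smtpd" and (c := CLIENT.match(rest)):
            rec["ip"], rec["sasl"] = c.group(1), c.group(2)
        elif daemon == "pickup" and (u := re.match(r"uid=(\d+)", rest)):
            rec["uid"] = int(u.group(1))
        elif rest.startswith("message-id="):
            rec["msgid"] = rest[len("message-id="):]
        elif (t := re.match(r"to=<([^>]*)>", rest)):
            rec["to"].append(t.group(1))
    return msgs

def classify(rec):
    """Label the entry point of one queue ID."""
    if rec["sasl"]:
        return f"authenticated as {rec['sasl']} from {rec['ip']}"
    if rec["uid"] is not None:
        return f"local submission by uid {rec['uid']}"
    if rec["ip"] in ("127.0.0.1", "::1"):
        return "loopback re-injection (e.g. content filter)"
    if rec["ip"]:
        return f"unauthenticated SMTP from {rec['ip']}"
    return "unknown"

def trace(msgs, msgid):
    """Every queue ID that carried one Message-ID, with its entry point, in log order."""
    return [(q, classify(r)) for q, r in msgs.items() if r["msgid"] == msgid]

def sasl_volume(msgs):
    """Messages per authenticated user; an abused account stands out by volume."""
    return Counter(r["sasl"] for r in msgs.values() if r["sasl"])
```

Feed `parse_log` the real mail log, then call `trace` with the Message-ID from a reported spam sample: the first hop listed is where the message entered the server.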

Similar Messages

  • How could I find out which user did release a transport request in the sour

    How could I find out which user did release a transport request in the source system

    Hi Tina,
    Use SE10 t-code and type the ABAPer user name in the user field, then check the released check box, then display and select the request number which is released. Double-click on said request number and click on "object list of request". Then click on "comment: released"; then you can find the released user name at the end of the request number along with the date of release.
    I hope your problem will be solved.
    Regards,
    Anil

  • How can i find out which apple ids are associated with my ipad

    When I sync my iPad I get the message that some songs cannot be updated because only 5 Apple IDs can be associated with an iPad. I am aware of three that we use in my family - mine and my two sons. How can I find out what other Apple IDs are associated with my iPad?

    iTunes limit includes computers.
    http://www.ilounge.com/index.php/articles/comments/managing-devices-in-your-itunes-store-account/

  • How can I find out which table/tables are behind a view?

    I tried following with scott/tiger:
    SQL> select text from all_views where view_name = 'TAB';
    TEXT
    select o.name,
    decode(o.type#, 2, 'TABLE', 3, 'CLUSTER',
    4,
    The text after "4," is not displayed in SQL*Plus-Editor. The attribute TEXT with datatype long is not displayed fully on the screen. How can I correct it? Thank You!

    "set long 8000" before you run the query

    I tried it. Thank You for this correct and fast answer!

  • How can I find out which vi's are dynamic?

    I am working on a project made up of hundreds of VIs. I have to make an standalone executable version of it. I was not the original developer. Is there a way I can scan the vi's to find out which of them are dynamic? What should I be looking for as a telltale sign of being dynamic (What makes a vi dynamic?)
    Are all vit's dynamic? (I was told by my senior developer to include all vit's in the dynamic section of the build dialog box.)

    This is not a property of a VI, but rather a way of using it. You can call any VI either way (or both ways), so whether a VI is called dynamically depends on your code.
    One way of finding whether a VI does not have static calls is to open all the VIs in the hierarchy at the same time and then go over each of them in a loop, open a reference to it and check its "Callers" property. If the array is empty, it means that this VI is not called by any other VI currently in memory and might be called dynamically. It might also mean that it is an old VI and is not used any more.
    Another option is to create a copy of the hierarchy using File>>Save With Options. LabVIEW will only copy the VIs which are called statically and you can then compare the hierarchies for files which are only found in the original.
    Try to take over the world!

  • How to find out which user has the permission to execute startsap ?

    Hi All
    How do I find out which user has the permission to execute the startsap and stopsap? Do I control the permission on those script using windows standard authorization? For example: only allow certain user have the read and write permission?
    Thank you.!
    Vincent Lo

    Well to me this is really weird question..
    no one unauthorized should have access to OS on your system
    If this is valid you do not need to solve problems who can and who cannot start/stop SAP, because if you want to prevent some users from shutting down the SAP you have really hard job to do - there are many ways how to kill the SAP (for example killing relevant process from task manager, killing of database, messing with services etc.) - yes, this is harmful way of stopping SAP, but we are talking about attack, right? I would contact some Windows specialist to help you disable all the ways how to harm the running SAP. But still after that - there are many files that can be modified/deleted so SAP will crash after restart - you need to protect them too, etc.
    In case you take the first assumption as granted (and you really limit access to this server) you do not need to worry who can stop or start SAP - at the other hand it may be handy to be able to start/stop SAP from other users - for this you can run the stop/start script "under different user".
    But to answer the question - to me this is question just of access control (but really never tried that myself):
    Permit or restrict access to a snap-in for a domain: http://technet2.microsoft.com/WindowsServer/en/library/c6413717-511e-42bd-bd81-82431afe4b2a1033.mspx (or see other related links down there on this page)
    Please award points for useful answers.
    Thanks

  • HT1420 How do I find out which 5 computers have been authorized?

    How do I find out which 5 computers are authorised so I can deauthorise one?

    1. Open itunes store and scroll to the bottom.
    2. You will see Manage under this please click Account. This will now pop up a box asking you to sign in again.
    3. Then under itunes in the Cloud the first thing you see is manage devices.
    4. Click  manage devices and it will show you everything you have got and it gives you the option to remove and then click done, once done.

  • HT1338 HOW CAN I FIND OUT WHICH SERVER MY MAC IS USING?

    HOW CAN I FIND OUT WHICH SERVER MY MAC IS USING, KEEP GETTING MICROSOFT SQL SERVER ERRORS
    WHEN TYPING IN ADDRESS'S?

    If your computer is tied to a network, then there is a way to check. Go to System Preferences, and click Accounts. unlock Admin
    then you can click Login Options.
    under that, Network Account Server. This should show you what server your computer is tied to. If you aren't in the tech department, you could try asking them.

  • HT4519 when i try send a email off my iphone its says my house name is ,how do i find out which is the correct name?

    when i try send a email off my iphone its says my house name is wrong,how do i find out which is the correct name?

    Try deleting the account and then add it back.

  • How do I find out what Virtual Machines are hosted on a server?

    How do I find out what Virtual Machines are hosted on a server?
    I am working in a on a Windows 2008 box?
    Thanks,
    Ben
    Mr Shaw

    Hi Ben ,
    I agree with Tim .
    In addition , Get-vm came with windows 8 .
    As a workaround to use powershell to manage hyper-v please use "PowerShell management Library for Hyper-V" within following link:
    http://pshyperv.codeplex.com/
    Also :
    http://www.altaro.com/hyper-v/powershell-in-hyper-v-2008-r2/
    Best Regards,
    Elton Ji

  • How can we find out which application is running UDP port 69?

    Whenever I run Cisco Network Assistant on my Windows 7 computer, I receive "The embedded TFTP server cannot start".
     netstat -an|more shows “udp 0 0 0.0.0.0:69 ...” How can we find out which application is running UDP port 69?
    Bob Lin, MCSE & CNE Networking, Internet, Routing, VPN Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com

    These ones may help.
    Have you ever wanted to see which Windows process sends a certain packet out to network?
    Process Monitor v3.1
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • How to find out Which SAP programs are affecting Which Z programs?

    Do we have a program/tool that can tell us the following:
    How to find out Which SAP programs are affecting Which Z programs in the entire development server?  
    We have a list of SAP programs and a list of custom ‘z’ programs, which ones impact each other? I know we have a “where used” functionality, however that is at the object by object level.
    We are looking for something a little larger –
    thanks in advance
    Vishnu

  • How to find out which users are using SharePoint Designer to make changes in SharePoint 2010 site?

    Hi there,
    How to find out which users are using SharePoint Designer to make changes in SharePoint 2010 site?
    Thanks.

    You need to enable auditing on SharePoint server and it will let you know, if someone makes any critical changes for the same.
    Please walk through this informative KB to enable auditing on SharePoint :https://support.office.com/en-za/article/Configure-audit-settings-for-a-site-collection-f5a346d0-ee0f-4412-a5e6-d9b5abaa1012
    Here is one more resource :
    https://support.office.com/en-in/article/View-audit-log-reports-4293e8d5-4e7d-4201-b8ac-c8e63a100131
    Moreover, if you wish to audit such critical changes automatically, you may consider this comprehensive application (http://www.sharepointauditing.com/) that helps to track every change on SharePoint in real time and provides the captured data at a granular level.

  • I can't remember my security questions and have used the maximum number of tries, how do I find out what my answers are so I can log in and buy some music?

    I can't remember my security questions and have used the maximum number of tries, how do I find out what my answers are so I can log in and buy some music?

    From a Kappy  post
    The Best Alternatives for Security Questions and Rescue Mail
    1.  Send Apple an email request at: Apple - Support - iTunes Store - Contact Us.
    2.  Call Apple Support in your country: Customer Service: Contact Apple support.
    3.  Rescue email address and how to reset Apple ID security questions.
    An alternative to using the security questions is to use 2-step verification:
    Two-step verification FAQ Get answers to frequently asked questions about two-step verification for Apple ID.

  • I want to update my phone, but i purchased many apps and music on the phone. it won't let me authorize my computer so i cannot update. i don't want to deauthorize all my computers. how can i find out which 5 computers i have authorized?

    i want to update my phone, but i purchased many apps and music on the phone. it won't let me authorize my computer so i cannot update. i don't want to deauthorize all my computers. how can i find out which 5 computers i have authorized? also how can i update the software?

    This is a tedious solution, which is stupid!  And some users report an inability to reauthorize a computer after an "en masse” deauthorization.  I can’t believe Apple doesn’t provide a list or menu to find out which computers you’ve authorized! Obviously, APPLE knows (or else they couldn’t tell us how many computers we have authorized)--so why can’t they give us access to that information about our own computers??!!!
    And for an already-authorized computer with a hard drive that’s since been replaced and upgraded from Mavericks to Yosemite, would it be recognized as a “new computer” and require authorization? Would its previous incarnation (i.e., with the old hard drive and OS) be considered a separate computer? Some users report they can’t authorize a computer after an OS upgrade because of that. Can’t believe we have to do such a bass-ackwards kludge!
