We had a customer sign up and appear to be completely normal, signed up for a normal account, paid in a normal way and behaved completely fine. However, there was an immense amount of spam complaints coming in and I finally broke down and decided to track who is to blame.

The headers suggested that it was a legitimate message that was being relayed through our server, so, here is the command I used to see who is connecting to SMTP:

cat /var/log/secure*|grep smtp|awk -F: '{print $5}'|sed 's/^.*from=//; s/\.[0-9]\{1,3\}$//;'|sort|uniq -c|sed 's/^ *//;'|sort -gnr|more

Then I confirmed in /var/log/messages which website user is authenticating with the top hitting ip addresses and cancel their account.

 

What is actually causing and smtp pid..... in /var/log/messages.. one IP occured over 15000 times, but I couldn't find it in /var/log/messages and no trace in /usr/local/psa/var/log/messages or any other file..

so..what is causing those pids?


EDIT:
Actually noticed that if I

PHP:

telnet my_server.com 25

I got a pid in secure log.. does this mean that someone is trying to relay, but doesn't get trough?