Question How to know what domain is sending e-mail?

PiyaphanI

New Pleskian
Hello,

From maillog
-------------
Jan 30 19:47:03 ns9 plesk sendmail[31397]: handlers_stderr: DATA REPLY:554:5.7.0 The message could not be sent. You are not allowed to use sendmail utility.#012REJECT
Jan 30 19:47:03 ns9 plesk sendmail[31397]: REJECT during call 'limit-out' handler
Jan 30 19:47:03 ns9 plesk sendmail[31401]: handlers_stderr: DATA REPLY:554:5.7.0 The message could not be sent. You are not allowed to use sendmail utility.
Jan 30 19:47:03 ns9 plesk sendmail[31401]: handlers_stderr: REJECT
Jan 30 19:47:03 ns9 plesk sendmail[31401]: REJECT during call 'limit-out' handler
-------------

It may be malware on my client's website trying to send e-mail out. The outgoing limit function is working well, but for further investigation, I just want to know what domain is sending.
 
Look for lines like
Jan 30 19:32:37 <machine> postfix/pickup[3759]: 623E83EE0954: uid=30 from=<[email protected]>
Jan 30 19:32:37 <machine> postfix/cleanup[4657]: 623E83EE0954: message-id=<[email protected]>
then grep like
# grep 623E83EE0954 /var/log/maillog
to see more of the transaction.

You might also want to check the mail queue:
# sendmail -bp
or in the GUI: Tools & Settings > Mail Server Settings > Mail Queue
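
The lookup described in the reply above, extended into a per-sender summary, as an added example that is not part of the original thread: it tallies `postfix/pickup` lines by submitting uid and sender domain and keeps one queue ID per group to grep for. It only covers mail that reached the queue; the `limit-out` REJECT lines quoted in the question carry no queue ID and are not counted. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tally local submissions in a Postfix
# log by submitting uid and sender domain.

# Print "count uid sender-domain sample-queue-id", busiest group first.
summarize_pickups() {
    awk '
    /postfix\/pickup\[[0-9]+\]: [0-9A-Za-z]+: uid=[0-9]+ from=</ {
        qid = ""; uid = ""; dom = "(none)"       # "(none)": null sender <>
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^postfix\/pickup\[/) { qid = $(i + 1); sub(/:$/, "", qid) }
            else if ($i ~ /^uid=/) { uid = substr($i, 5) }
            else if ($i ~ /^from=</) {
                addr = $i; sub(/^from=</, "", addr); sub(/>.*$/, "", addr)
                at = index(addr, "@")
                if (at > 0) { dom = tolower(substr(addr, at + 1)) }
            }
        }
        key = uid " " dom
        count[key]++
        if (!(key in sample)) { sample[key] = qid }
    }
    END { for (k in count) print count[k], k, sample[k] }
    ' "$1" | sort -k1,1nr -k2,2n -k3,3
}

# Show every log line of one transaction (the grep step from the reply above).
trace_queue_id() {
    grep -F -- "$1: " "$2"
}

# Constructed sample log; host name, queue IDs and addresses are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 30 19:32:37 host1 postfix/pickup[3759]: 623E83EE0954: uid=30 from=<web@shop.example>
Jan 30 19:32:37 host1 postfix/cleanup[4657]: 623E83EE0954: message-id=<1@shop.example>
Jan 30 19:33:02 host1 postfix/pickup[3759]: 7A1B2C3D4E5F: uid=10005 from=<news@blog.example>
Jan 30 19:33:09 host1 postfix/pickup[3759]: 8B2C3D4E5F60: uid=10005 from=<news@blog.example>
Jan 30 19:33:15 host1 postfix/pickup[3759]: 9C3D4E5F6071: uid=10005 from=<>
Jan 30 19:47:03 host1 plesk sendmail[31397]: REJECT during call 'limit-out' handler
EOF
}

log=$(mktemp)
write_sample_log "$log"
summarize_pickups "$log"
trace_queue_id 623E83EE0954 "$log"
rm -f "$log"
```

The uid column is the system account that handed the message to Postfix, which stays meaningful even when a script forges the `from=` address.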
 
Peter, Thanks for your reply.

But your log already indicates the domain name (@domain.tld from your example), and it doesn't indicate that the message is not allowed to use the sendmail utility. So I don't need to search for other details for that pickup/cleanup line, as they don't show any problem.
And the Mail Queue doesn't tell us what message is blocked by the outgoing limit. If any message has been blocked, it will be returned to the sender and deleted from the queue immediately. It won't remain in the Mail Queue.
Also, the Plesk notification sent to the Admin's e-mail shows only the number of "Attempts to exceed outgoing limits for domains, mailboxes and subscriptions."; it does not tell us what domain is trying to send a message via sendmail and has been blocked.

As far as I know, this log line shows up when I disable the option "Allow users and scripts to use Sendmail" for a domain.
In case I disable it for 20 domains, how do I know which domain is trying to send and has been blocked? I can't see any detail that refers to other info such as a message ID or domain name.

If the line looked like this
-------------
Jan 30 19:47:03 ns9 plesk sendmail[31397]: 623E83EE0954: handlers_stderr: DATA REPLY:554:5.7.0 The message could not be sent. You are not allowed to use sendmail utility.#012REJECT
-------------
then, yes! I could refer to 623E83EE0954 and search for the pickup/cleanup line for a domain name and more info.

------or-------
Jan 30 19:47:03 ns9 plesk sendmail[31397]: handlers_stderr: DATA REPLY:554:5.7.0 The message from (sub)domain.tld could not be sent. You are not allowed to use sendmail utility.#012REJECT
----------------
Then I could go to the logs folder of that domain and use access_log to search for the script filename that tried to use sendmail or the mail() function (probably spam or malware sending, not the domain owner).
 