
How to tell from maillog who's sending what?

JerkyChew

Guest
I'm looking at my maillog, and watching somebody on our system sending a ton of messages to AOL.com. This behavior has put us on AOL's spam blacklist. A quick sample of the maillog is below:

==================
Dec 10 15:14:09 servername qmail: 1134245649.549857 starting delivery 193728: msg 1881555 to [email protected]
Dec 10 15:14:09 servername qmail: 1134245649.551835 status: local 0/10 remote 9/20
Dec 10 15:14:09 servername qmail: 1134245649.556563 starting delivery 193729: msg 1881555 to remote [email protected]
Dec 10 15:14:09 servername qmail: 1134245649.556624 status: local 0/10 remote 10/20
Dec 10 15:14:09 servername qmail: 1134245649.557293 starting delivery 193730: msg 1881555 to remote [email protected]
Dec 10 15:14:09 servername qmail: 1134245649.558344 status: local 0/10 remote 11/20
Dec 10 15:14:09 servername qmail: 1134245649.560139 starting delivery 193731: msg 1881555 to remote [email protected]

==================

What can I look at to see who's causing these outbound emails?
 
Grep the maillog for the message id like so:

Code:
grep 1881555 /usr/local/psa/var/log/maillog

That should show you everything pertaining to that message. Sometimes that number could match other things, so make sure it's a message id and not a file size or other id. That should get it...

That being said, not a big fan of qmail's log file.

-Bill
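The trace suggested above, as an added example that is not part of the original thread: it groups qmail-send log lines by message number and reads the sender, `qp` and `uid` from each message's `info msg` line, so a number that only appears as a byte count is not mistaken for a message id. It assumes the maillog contains the standard qmail-send `new msg` and `info msg` lines; the sample log, addresses and uids are constructed.

```python
import re

# Constructed sample in qmail-send log format; ids, uids and addresses are made up.
# Note that message 1881600 happens to be 1881555 bytes long.
SAMPLE_LOG = """\
Dec 10 15:14:08 servername qmail: 1134245648.100000 new msg 1881555
Dec 10 15:14:08 servername qmail: 1134245648.100100 info msg 1881555: bytes 2048 from <form@site.example> qp 20111 uid 48
Dec 10 15:14:09 servername qmail: 1134245649.549857 starting delivery 193728: msg 1881555 to remote a@mail.example
Dec 10 15:14:09 servername qmail: 1134245649.556563 starting delivery 193729: msg 1881555 to remote b@mail.example
Dec 10 15:14:09 servername qmail: 1134245649.557293 starting delivery 193730: msg 1881555 to remote c@mail.example
Dec 10 15:14:10 servername qmail: 1134245650.000000 new msg 1881600
Dec 10 15:14:10 servername qmail: 1134245650.000100 info msg 1881600: bytes 1881555 from <alice@site.example> qp 20150 uid 2020
Dec 10 15:14:10 servername qmail: 1134245650.000200 starting delivery 193731: msg 1881600 to remote d@mail.example
"""

NEW_RE = re.compile(r"qmail: \S+ new msg (\d+)$")
INFO_RE = re.compile(r"qmail: \S+ info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
RCPT_RE = re.compile(r"qmail: \S+ starting delivery \d+: msg (\d+) to (?:local|remote) (\S+)")


def trace_messages(log_text):
    """Return one record per queued message, in log order."""
    records, active = [], {}

    def record_for(msg, fresh=False):
        # qmail reuses message numbers, so "new msg" always opens a new record.
        if fresh or msg not in active:
            active[msg] = {"msg": msg, "bytes": None, "sender": None,
                           "qp": None, "uid": None, "recipients": []}
            records.append(active[msg])
        return active[msg]

    for line in log_text.splitlines():
        line = line.rstrip()
        if m := NEW_RE.search(line):
            record_for(m.group(1), fresh=True)
        elif m := INFO_RE.search(line):
            msg, size, sender, qp, uid = m.groups()
            record_for(msg).update(bytes=int(size), sender=sender, qp=qp, uid=int(uid))
        elif m := RCPT_RE.search(line):
            record_for(m.group(1))["recipients"].append(m.group(2))
    return records


def busiest(records):
    """The message with the most delivery attempts."""
    return max(records, key=lambda r: len(r["recipients"]))


if __name__ == "__main__":
    r = busiest(trace_messages(SAMPLE_LOG))
    print(f"msg {r['msg']} from <{r['sender']}> uid {r['uid']} qp {r['qp']}: {len(r['recipients'])} recipients")
```

The `uid` is that of the process that queued the message; looking it up with `getent passwd <uid>` shows whether it belongs to the web server, the SMTP daemon account or a shell user.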
 
I would guess this is a spammer using one of your clients' contact forms. We had that problem: he tried to send like 15k emails to *@aol.com. You could also use qmHandle and see if some of them are queued, find the message, and maybe you will be able to see where it was sent from.
 
We have seen a number of client PCs infected with worms which spam out to AOL recently.

For much better logging, you may want to consider installing the qmail-scanner package, which will coordinate AV and SA scanning of all email in/out of the server.
 