> You can add this to main.cf:
>
> smtpd_sasl_authenticated_header=yes
>
> This will add the SASL authenticated user to the received headers which
> allows you to see whose account was used.
>
> Kind regards,
>
> Martijn Brinkers

Thanks Martijn, but if the SASL user gets put into the headers, then doesn't that just mean that the recipient will see who the message came from, rather than the administrator - me?

> Try to find sasl login log entries in your log file and try to relate them
> to the outgoing spam. If you can't find sasl logs related to the spam then
> the spammer is probably on your network and using your postfix as a relay
> (permit_mynetworks), this could be a virus on a computer. You can check the
> ip of the smtp clients in the logs.
>
> YoungGuns

This is what I've been trying to do, but the mailserver is so busy it's almost impossible to match up authentication with sending.

> Trace the QUEUEID in the logs to see where the messages
> entered postfix. Then you'll have a better idea how to stop it.
>
> All mail must enter postfix, so you stop spam when it enters.
>
> -- Noel Jones

Great tip, thanks Noel. It led me straight to the answer. It turns out the spam was being sent out by www-data - one of our websites had a somewhat careless design which would accept registrations from anyone, and mail updates to the whole list. We got a load of made-up robot sign-ups and hence loads of bounces.

It seems to me it would be useful to have a logwatch script that will produce a report listing how many emails were sent by each authenticated user. It would then be very obvious to an admin if a user's account was being abused by spammers. I might try and write one and post it on here.

Thanks again,

Daniel Howard
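
The per-sender report proposed above, built on the queue-ID tracing suggested in the thread, as an added example (not code posted by anyone in the thread). It goes slightly beyond SASL users and also groups mail by unauthenticated client and by local uid via pickup; the log lines are constructed samples in Postfix's usual syslog layout, and `entry_report` is a name chosen here.

```python
import re

# Constructed sample lines in Postfix's usual syslog layout (not from the thread).
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/smtpd[2101]: 4F1A22C0D1: client=host1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Mar  1 10:00:01 mx postfix/qmgr[900]: 4F1A22C0D1: from=<alice@example.com>, size=2100, nrcpt=1 (queue active)
Mar  1 10:00:05 mx postfix/pickup[2200]: 7B2C91A0F3: uid=33 from=<www-data>
Mar  1 10:00:05 mx postfix/qmgr[900]: 7B2C91A0F3: from=<www-data@example.com>, size=5120, nrcpt=40 (queue active)
Mar  1 10:00:09 mx postfix/pickup[2200]: 8C3DA2B1E4: uid=33 from=<www-data>
Mar  1 10:00:09 mx postfix/qmgr[900]: 8C3DA2B1E4: from=<www-data@example.com>, size=5120, nrcpt=35 (queue active)
Mar  1 10:00:12 mx postfix/smtpd[2102]: 9D4EB3C2F5: client=pc7.example.net[192.0.2.77]
Mar  1 10:00:12 mx postfix/qmgr[900]: 9D4EB3C2F5: from=<bob@example.com>, size=900, nrcpt=2 (queue active)
"""

# daemon name, queue ID, remainder of the log message
LINE = re.compile(r"/(smtpd|pickup|qmgr)\[\d+\]: ([0-9A-Za-z]+): (.*)")

def entry_report(log_text):
    """Return {entry point: [messages, recipients]} keyed by how mail entered Postfix."""
    origin, report = {}, {}          # origin: queue ID -> entry point label
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            user = re.search(r"sasl_username=([^,\s]+)", rest)
            client = rest.split(",")[0][len("client="):]
            origin[qid] = f"sasl:{user.group(1)}" if user else f"client:{client}"
        elif daemon == "pickup" and rest.startswith("uid="):
            origin[qid] = "local uid:" + rest.split()[0][len("uid="):]
        elif daemon == "qmgr" and (n := re.search(r"nrcpt=(\d+)", rest)):
            # Count each message once: pop the origin so a deferred message
            # that becomes active again later is not counted a second time.
            label = origin.pop(qid, None)
            if label is None:
                continue             # re-activation, or entry predates this log
            entry = report.setdefault(label, [0, 0])
            entry[0] += 1
            entry[1] += int(n.group(1))
    return report

if __name__ == "__main__":
    for label, (msgs, rcpts) in sorted(entry_report(SAMPLE_LOG).items(), key=lambda kv: -kv[1][1]):
        print(f"{label:40} messages={msgs:<5} recipients={rcpts}")
```

On the sample data, uid 33 tops the report by recipient count, which is the pattern a web-form mailer like the one described in the thread would produce.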