On 2/27/2013 2:33 PM, /dev/rob0 wrote:
> I only saw main.cf and some largely irrelevant logs.

I was trying to be polite. That's all I saw too.

> Do note that your system is ipso facto compromised. We know this
> because it is being used by a spammer to send spam. Stop saying
> you're not compromised, when we know that you are.

But we don't know that his system is sending spam; another reason we need to see logs. There is enough conflicting information here that everything should be verified by evidence.

I'm inclined to think this is something mundane, such as an NDR/bounce triggered by spam from some rDNS "localhost" client or maybe a phished local account. Once those are eliminated as possible explanations, we can look for more interesting problems. But now I'm guessing, which I berated others for earlier.

-- Noel Jones