This is the extract of mail.log from my server. Cannot make out from where and how this mail is being sent.

Code:
Jun 21 20:03:00 server1 postfix/smtpd[30205]: connect from localhost.localdomain[127.0.0.1]
Jun 21 20:03:01 server1 postfix/smtpd[30205]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
Jun 21 20:03:01 server1 postfix/smtpd[30205]: 0E40F604FC3: client=localhost.localdomain[127.0.0.1]
Jun 21 20:03:01 server1 postfix/cleanup[30529]: 0E40F604FC3: warning: header From: "[email protected]" <[email protected]> from localhost.localdomain[127.0.0.1]; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
Jun 21 20:03:01 server1 postfix/cleanup[30529]: 0E40F604FC3: warning: header To: "[email protected]" <[email protected]> from localhost.localdomain[127.0.0.1]; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
Jun 21 20:03:01 server1 postfix/cleanup[30529]: 0E40F604FC3: warning: header Subject: Your order 135-192-65423 has been successfully canceled from localhost.localdomain[127.0.0.1]; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
Jun 21 20:03:01 server1 postfix/cleanup[30529]: 0E40F604FC3: message-id=<urn.correios.msg.0e164b0d16042c7a964d5d8bf97b0b38d4bdfcdd4c@1998273656403.rte-svc-na-i-382223ea.us-east-6.amazonpresented.com>
Jun 21 20:03:01 server1 postfix/qmgr[5263]: 0E40F604FC3: from=<[email protected]>, size=2287, nrcpt=1 (queue active)
Jun 21 20:03:01 server1 postfix/smtpd[30205]: disconnect from localhost.localdomain[127.0.0.1]
Jun 21 20:03:01 server1 postfix/smtpd[29788]: connect from localhost.localdomain[127.0.0.1]
Jun 21 20:03:01 server1 postfix/smtpd[29788]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
Jun 21 20:03:01 server1 postfix/smtpd[29788]: D03EF604FE4: client=localhost.localdomain[127.0.0.1]
Jun 21 20:03:01 server1 postfix/cleanup[30262]: D03EF604FE4: warning: header From: "[email protected]" <[email protected]> from localhost.localdomain[127.0.0.1]; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
Jun 21 20:03:01 server1 postfix/cleanup[30262]: D03EF604FE4: warning: header To: "[email protected]" <[email protected]> from localhost.localdomain[127.0.0.1]; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
Jun 21 20:03:01 server1 postfix/cleanup[30262]: D03EF604FE4: warning: header Subject: Your order 129-8117-4743 has been successfully canceled from localhost.localdomain[127.0.0.1]; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<server1.mywebsolutions.co.in>
Jun 21 20:03:01 server1 postfix/cleanup[30262]: D03EF604FE4: message-id=<urn.correios.msg.9cd80ffb07ba22a96f23bd8f7a80bde13f2c1e20f99c709@1451934528984.rte-svc-na-i-966050ea.us-east-4.amazonpresented.com>
Jun 21 20:03:01 server1 postfix/qmgr[5263]: D03EF604FE4: from=<[email protected]>, size=2285, nrcpt=1 (queue active)
Jun 21 20:03:01 server1 postfix/smtpd[29788]: disconnect from localhost.localdomain[127.0.0.1]
Jun 21 20:03:02 server1 postfix/smtpd[23414]: connect from localhost.localdomain[127.0.0.1]
Jun 21 20:03:02 server1 postfix/smtpd[23414]: C0B29605029: client=localhost.localdomain[127.0.0.1]
Jun 21 20:03:02 server1 postfix/cleanup[30078]: C0B29605029: message-id=<urn.correios.msg.9cd80ffb07ba22a96f23bd8f7a80bde13f2c1e20f99c709@1451934528984.rte-svc-na-i-966050ea.us-east-4.amazonpresented.com>
Jun 21 20:03:02 server1 postfix/qmgr[5263]: C0B29605029: from=<[email protected]>, size=2794, nrcpt=1 (queue active)
Jun 21 20:03:02 server1 postfix/smtpd[23414]: disconnect from localhost.localdomain[127.0.0.1]
Jun 21 20:03:02 server1 amavis[30523]: (30523-03) Passed CLEAN, ORIGINATING LOCAL [127.0.0.1] [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <urn.correios.msg.9cd80ffb07ba22a96f23bd8f7a80bde13f2c1e20f99c709@1451934528984.rte-svc-na-i-966050ea.us-east-4.amazonpresented.com>, mail_id: hfYbFqF9aF+Z, Hits: 8.046, size: 2282, queued_as: C0B29605029, 916 ms
Jun 21 20:03:02 server1 postfix/smtp[29295]: D03EF604FE4: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.1, delays=0.14/0/0/0.92, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10027): 250 2.0.0 Ok: queued as C0B29605029)

Looks like SMTP from localhost, I think. As for how, probably try to check the actual contents of the message and examine headers for indications, and if you can catch the SMTP connection while it's ongoing, you can see what process has that port open; also try just looking at your processes and see what's running at that time.
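
One way to catch the SMTP connection while it is open, as the reply suggests (an added example, not part of the original thread): poll `/proc/net/tcp` for sockets whose remote end is 127.0.0.1:25 and record the owning UID and process before the connection closes. It assumes Linux on a little-endian host, IPv4 loopback and port 25 as in the log; `SAMPLE` is constructed data, and mapping the socket to a PID needs root.

```python
import glob, os, time

SMTP = ("127.0.0.1", 25)  # assumption: the MTA address the local client connects to
# Constructed sample: listener, a client socket owned by uid 33, its server side, a TIME_WAIT row.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:B26E 0100007F:0019 01 00000000:00000000 00:00000000 00000000    33        0 912345 1
   2: 0100007F:0019 0100007F:B26E 01 00000000:00000000 00:00000000 00000000     0        0 912346 1
   3: 0100007F:B270 0100007F:0019 06 00000000:00000000 03:00000A1B 00000000     0        0 0 3
"""

def parse_addr(hexaddr):
    """Decode '0100007F:0019' (little-endian IPv4, hex port) to ('127.0.0.1', 25)."""
    ip_hex, port_hex = hexaddr.split(":")
    return ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)), int(port_hex, 16)

def smtp_clients(table, target=SMTP):
    """Return (local_port, uid, inode) for sockets whose remote end is target."""
    found = []
    for f in (line.split() for line in table.splitlines()):
        if len(f) < 10 or not f[0].endswith(":"):
            continue  # header or truncated line
        if f[9] != "0" and parse_addr(f[2]) == target:  # inode 0: TIME_WAIT, owner gone
            found.append((parse_addr(f[1])[1], int(f[7]), int(f[9])))
    return found

def pids_for_inode(inode):
    """Map a socket inode to (pid, cmdline); run as root to see other users' fds."""
    hits = []
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                pid = fd.split("/")[2]
                with open(f"/proc/{pid}/cmdline", "rb") as fh:
                    hits.append((int(pid), fh.read().replace(b"\0", b" ").decode(errors="replace").strip()))
        except OSError:
            continue  # process or fd vanished between listing and reading
    return hits

if __name__ == "__main__":
    seen = set()
    while True:  # poll quickly: each connection in the log lasts about a second
        with open("/proc/net/tcp") as fh:
            for port, uid, inode in smtp_clients(fh.read()):
                if inode not in seen:
                    seen.add(inode)
                    print(time.strftime("%b %d %H:%M:%S"), f"uid={uid} port={port}", pids_for_inode(inode))
        time.sleep(0.05)
```

Even when the PID lookup comes back empty because the process has already exited, the UID column identifies which account opened the connection, and the timestamps can be matched against the `connect from localhost.localdomain[127.0.0.1]` lines in mail.log.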