Hi, I am not an expert on postfix so I am asking here: The server of a client of mine is sending spam. Here are some details from one of the spam emails:

Code:
*** ENVELOPE RECORDS active/27E70B3B1 ***
message_size: 3001 2450 20 0 3001 0
message_arrival_time: Fri Jan 15 10:06:00 2021
create_time: Fri Jan 15 10:06:01 2021
named_attribute: log_ident=27E70B3B1
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=bounce
sender: [email protected]
named_attribute: log_client_name=unknown
named_attribute: log_client_address=91.224.92.168
named_attribute: log_client_port=52564
named_attribute: log_message_origin=unknown[91.224.92.168]
named_attribute: log_helo_name=[91.224.92.168]
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=srv-91-224-92-168.serveroffer.net
named_attribute: client_address=91.224.92.168
named_attribute: client_port=52564
named_attribute: server_address=foo.bar.baz.xxx
named_attribute: server_port=25
named_attribute: helo_name=[91.224.92.168]
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]

Does it mean that the spammer has valid credentials for user "bounce" or is the spam coming from another server and my client's server is relaying the mails? Thanks!
Yes, that looks to be authenticated as the "bounce" user, and came from client_address=91.224.92.168. Change the "bounce" password, or delete the account entirely if appropriate (fwiw, postfix does not use a "bounce" user for anything internally, so safe to delete from postfix's perspective).
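One way to make the check the answer describes mechanical, as an added example (not code from this thread or from Postfix itself): a small Python parser for the `postcat -q` envelope records quoted above that reports whether a queued message was submitted with SASL credentials (compromised account) or accepted without them (relay from a trusted network, or an open relay). The function names and the `ASSUMED_MYNETWORKS` list are this example's own assumptions; the sample envelope is the one from the question, reproduced inline. The relay verdicts only make sense for a message that is outbound (queued for a remote domain); inbound mail from the Internet without SASL is normal.

```python
"""Classify a Postfix queue-file envelope dump (postcat -q output) as an
authenticated submission or an unauthenticated relay.

Added example, not from the forum thread. The sample is the envelope record
quoted in the thread, embedded as a constant so the script runs offline.
parse_envelope, classify_origin and ASSUMED_MYNETWORKS are this example's
own names and assumptions, not Postfix APIs or settings.
"""
from ipaddress import ip_address, ip_network

# Sample input: the "ENVELOPE RECORDS" section from the thread (abridged).
SAMPLE_ENVELOPE = """\
*** ENVELOPE RECORDS active/27E70B3B1 ***
message_size: 3001 2450 20 0 3001 0
message_arrival_time: Fri Jan 15 10:06:00 2021
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=bounce
sender: [email protected]
named_attribute: log_client_address=91.224.92.168
named_attribute: client_address=91.224.92.168
named_attribute: helo_name=[91.224.92.168]
named_attribute: protocol_name=ESMTP
"""

# Networks allowed to relay without SASL. Assumed values; on a real host
# mirror the mynetworks setting from main.cf.
ASSUMED_MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]


def parse_envelope(text):
    """Turn envelope lines into a dict.

    'named_attribute: key=value' lines become attrs[key] = value; any other
    'key: value' line (sender, message_size, ...) is kept under its own key.
    The '*** ... ***' banner and blank lines are skipped.
    """
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("***"):
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key == "named_attribute":
            name, _, val = value.partition("=")
            attrs[name] = val
        else:
            attrs[key] = value
    return attrs


def classify_origin(attrs, mynetworks=ASSUMED_MYNETWORKS):
    """Return (verdict, detail) for an outbound queued message.

    Verdicts:
      'authenticated' - a SASL username is recorded: the client logged in,
                        so treat that account's credential as compromised
                        (reset it or disable the account).
      'mynetworks'    - no SASL and the client IP is inside the trusted
                        networks: a host on the trusted side is the source.
      'open-relay'    - no SASL and the client IP is outside the trusted
                        networks: the server relayed for the Internet.
      'local-pickup'  - no client_address at all (sendmail(1)/pickup).
    """
    user = attrs.get("sasl_username")
    client = attrs.get("client_address")
    if user:
        method = attrs.get("sasl_method", "unknown")
        return "authenticated", f"sasl_username={user} from {client} via {method}"
    if client is None:
        return "local-pickup", "no client_address recorded"
    ip = ip_address(client)
    if any(ip in net for net in mynetworks):
        return "mynetworks", f"unauthenticated client {client} is in mynetworks"
    return "open-relay", f"unauthenticated client {client} outside mynetworks"


if __name__ == "__main__":
    verdict, detail = classify_origin(parse_envelope(SAMPLE_ENVELOPE))
    print(verdict, "-", detail)
```

Run against the thread's record the verdict is `authenticated` with `sasl_username=bounce`, which is the answer's conclusion: the fix is the credential, not the relay configuration. To apply it to a live queue, feed it the output of `postcat -q <queue-id>` for each suspicious message and confirm the same username and client IP in the SASL login lines of the mail log.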