Using mailgraph, I noticed a huge amount of outbound emails leaving a client's server, and an even larger number of emails being bounced. Many of these outgoing emails leave a log of: Jan 24 00:40:49 mail postfix/qmgr[19462]: E56095D173A: from=<>, size=17458, nrcpt=1 (queue active) Jan 24 00:40:49 mail postfix/qmgr[19462]: EA3D15D1BF7: from=<>, size=6695, nrcpt=1 (queue active) Jan 24 00:40:49 mail postfix/qmgr[19462]: E1CE45D1CAD: from=<>, size=6699, nrcpt=1 (queue active) Jan 24 00:40:49 mail postfix/qmgr[19462]: EB1095D1C74: from=<>, size=6937, nrcpt=1 (queue active) Jan 24 00:40:49 mail postfix/qmgr[19462]: EFF5B5D14C4: from=<>, size=16613, nrcpt=1 (queue active) Jan 24 00:40:49 mail postfix/qmgr[19462]: E86C25D1CA8: from=<>, size=6937, nrcpt=1 (queue active) Jan 24 00:40:49 mail postfix/qmgr[19462]: EAE665D1697: from=<>, size=6641, nrcpt=1 (queue active) There are hundreds of logs like this. I've got this funny feeling this isn't a good thing. Any ideas? Edit: I ran a postsuper command to clear out a queue, and some 2300 odd messages were deleted. I have a feeling that a simple account may have been compromised, such as creating a user named abuse. There was also an info account, and I've changed the password. I noticed most of the above outbound emails happened at 1AM, and lasted until 2AM.
These are bounce messages. The behaviour that you describe might be caused by a compromised account or another possibility is that its a spam attack. Someone is sending spam emails from another server (not yours) but uses a sender email address of a domain that is hosted on your server. All undeliverable messages are going now to your server and if one of the addresses does not exist on your server, it sends a bounce message back.
Thanks Till, your is reply is always appreciated. Well, the simple, easy-to-figure-out accounts have been either deleted or modified, and with the queue cleared out, the problem seems to have been solved. Judging by last night's logs, I we only sent out and handful, and not the thousands we were doing previously.