Digging into the logfiles, I could not find that the spammer (64.129.70.219) had used SASL....
All SASL authentications seemed legitimate (coming from an ISP in the same country), or from within my_networks. It would have given me something like this, right?

  client=unknown[64.129.70.219], sasl_method=LOGIN, sasl_username=xxxxxxxxx

Unfortunately, the IP of the spammer is nowhere to be found in my postfix logs, except for my Amavis logs:

  Nov 7 11:22:55 mail01.cq-link.sr /usr/local/sbin/amavisd[603]: (00603-16) Passed CLEAN, [64.129.70.219] [64.129.70.219] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: 80bDaGSM6lUa, Hits: 2.852, size: 511, queued_as: 0D90A5F457D, 3849 ms

And in the end amavis starts blocking him:

  Nov 11 08:43:08 mail01.cq-link.sr /usr/local/sbin/amavisd[22027]: (22027-05) Blocked MTA-BLOCKED, [64.129.70.219] [64.129.70.219] <[EMAIL PROTECTED] gov> -> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED] m>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED] hk>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED] .com>, Message-ID: <[EMAIL PROTECTED]>, mail_id: pkABmjwsgQrI, Hits: 4.223, size: 1493, 39548 ms

Apparently the guy got himself on a blacklist there... But how can I further trace how he got in?

-----Original Message-----
From: Wietse Venema [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2008 12:34 PM
To: Jaap Westerbeek
Cc: postfix-users@postfix.org
Subject: Re: Spammers abusing my postfix box

Jaap Westerbeek:
> Supposing it IS a hacked SASL account, is there any way to stop that
> rewriting process? Or to know which account was being abused?
> Forcing all users to do a password change is not really an option with so
> many accounts.

Postfix logs the SASL user name to the maillog file.

	Wietse
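Wietse's point is that the smtpd "client=" line in the maillog carries the SASL user name, so the way to answer "which account was abused" is to correlate that line with the client IP. The following script is an added example for this thread, not code from the poster, from Wietse, or from the Postfix project: it parses constructed maillog lines (hostnames, queue ids and user names are made up; the line layout follows the format quoted in the post) and answers the three questions the poster is asking: which accounts authenticated from a given IP, which IPs a given account authenticated from, and which queue ids to follow through the rest of the log. It also flags accounts seen from several distinct IPs, which on a site where users normally sit on one ISP is a cheap compromised-credential signal.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines for this example (not from the original
# thread); hostnames, queue ids and usernames are made up. The first two
# lines reuse the IP the poster was chasing.
SAMPLE_MAILLOG = """\
Nov  7 11:22:54 mail01 postfix/smtpd[2301]: 0D90A5F457D: client=unknown[64.129.70.219], sasl_method=LOGIN, sasl_username=jdoe
Nov  7 11:25:10 mail01 postfix/smtpd[2305]: 5C4D3E2F1A0: client=unknown[64.129.70.219], sasl_method=LOGIN, sasl_username=jdoe
Nov  7 11:30:01 mail01 postfix/smtpd[2310]: 7A1B2C3D4E5: client=dsl-7.isp.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=jdoe
Nov  7 11:31:12 mail01 postfix/smtpd[2311]: 1F2E3D4C5B6: client=office.example.org[203.0.113.5], sasl_method=LOGIN, sasl_username=asmith
Nov  7 11:32:40 mail01 postfix/smtpd[2312]: 9E8D7C6B5A4: client=unknown[64.129.70.219]
"""

# Matches the smtpd "client=" line; the SASL fields are optional because
# unauthenticated sessions log only the client host and IP.
SMTPD_CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,]+), sasl_username=(?P<user>\S+))?"
)


def parse_smtpd_clients(log_text):
    """Return one dict per smtpd client line: queue id, host, IP, SASL method/user (None if unauthenticated)."""
    records = []
    for line in log_text.splitlines():
        m = SMTPD_CLIENT_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def sasl_users_for_ip(records, ip):
    """Which SASL accounts authenticated from this IP? (answers 'which account was abused')"""
    return sorted({r["user"] for r in records if r["ip"] == ip and r["user"]})


def ips_for_sasl_user(records, user):
    """From which IPs did this account authenticate? (spots a credential used from a stranger)"""
    return sorted({r["ip"] for r in records if r["user"] == user})


def queue_ids_for_ip(records, ip):
    """Queue ids of sessions from this IP, to grep through the rest of the maillog."""
    return sorted({r["qid"] for r in records if r["ip"] == ip})


def accounts_seen_from_many_ips(records, min_ips=2):
    """Accounts authenticating from at least min_ips distinct IPs; a cheap
    compromised-credential signal when users normally sit on one ISP."""
    by_user = defaultdict(set)
    for r in records:
        if r["user"]:
            by_user[r["user"]].add(r["ip"])
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    recs = parse_smtpd_clients(SAMPLE_MAILLOG)
    print("SASL users from 64.129.70.219:", sasl_users_for_ip(recs, "64.129.70.219"))
    print("queue ids from that IP:", queue_ids_for_ip(recs, "64.129.70.219"))
    print("accounts seen from several IPs:", accounts_seen_from_many_ips(recs))
```

Two caveats when running this against a real maillog: the "client=" line only exists for messages that arrived through smtpd, so mail injected locally (sendmail/pickup) or re-injected by a content filter will not show the originating IP there, and the queued_as id in an Amavis line is the id of the re-injected copy, so you have to walk from it back through the qmgr and cleanup lines to reach the original smtpd session before this correlation applies.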