On 12/17/2015 4:03 PM, Ben Greenfield wrote:
> Thank you for the tips.
>
> I just found this which looked wrong to me.
>
> I got this 433039B83D9A message id from the bad message sent by
> bjbear...@cogs.com. Then I traced it
> back and see the message id come from an actual user, rgarrity.
>
> Am I reading that correctly? Is that what happened?
>
> 12/17/15 4:02:24 PMpostfix/smtpd[13501]433039B83D9A:
> client=unknown[190.254.55.184], sasl_method=CRAM-MD5,
> sasl_username=rgarrity
> 12/17/15 4:02:38 PMpostfix/cleanup[13595]433039B83D9A:
> message-id=<48415b66-3cb8-495f-a86b-294a1c4bb...@cogs.com>
> 12/17/15 4:02:38 PMpostfix/qmgr[12965]433039B83D9A:
> from=<bjbear...@cogs.com>, size=658,
> nrcpt=1 (queue active)
> 12/17/15 4:02:38 PMpostfix/smtp[13666]433039B83D9A:
> to=<mven...@niu.edu>,
> relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=14/0/0/0.27,
> dsn=2.0.0, status=sent (250 2.0.0 Ok, id=13051-16, from
> MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5833E9B83DA3)
> 12/17/15 4:02:38 PMpostfix/qmgr[12965]433039B83D9A: removed
>
User rgarrity is spamming. Most likely the password got
phished/compromised. Disable that account or manually change the
password.

The messages from 127.0.0.1 are the output of your content_filter,
and normal. As you correctly did above, you must look at the
message where it first enters postfix before the content_filter.

-- Noel Jones
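The trace described in this thread can be automated. The script below is an added example, not code from the thread or from Postfix: it groups log lines by queue ID, reads `sasl_username` from the smtpd line where the message first enters Postfix, skips the content_filter re-injection from 127.0.0.1, and reports messages whose envelope sender differs from the authenticated login. The sample log is constructed, and comparing the login to the sender's local part assumes a site where the two are normally the same.

```python
import re
from collections import defaultdict

# Matches "postfix/<daemon>[pid]: QUEUEID: rest"; the colon and space after [pid] are optional.
LINE = re.compile(r"postfix/(\w+)\[\d+\]:?\s*([0-9A-F]{6,}):\s*(.*)")

# Constructed sample log (standard syslog layout, documentation addresses).
SAMPLE_LOG = """\
Dec 17 16:02:24 mx postfix/smtpd[13501]: 4A1B2C3D4E5F: client=unknown[203.0.113.7], sasl_method=CRAM-MD5, sasl_username=alice
Dec 17 16:02:38 mx postfix/cleanup[13595]: 4A1B2C3D4E5F: message-id=<constructed-1@example.com>
Dec 17 16:02:38 mx postfix/qmgr[12965]: 4A1B2C3D4E5F: from=<bob@example.com>, size=658, nrcpt=1 (queue active)
Dec 17 16:02:38 mx postfix/smtp[13666]: 4A1B2C3D4E5F: to=<carol@example.org>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok: queued as 5F6E7D8C9B0A)
Dec 17 16:02:38 mx postfix/smtpd[13700]: 5F6E7D8C9B0A: client=localhost[127.0.0.1]
Dec 17 16:02:38 mx postfix/qmgr[12965]: 5F6E7D8C9B0A: from=<bob@example.com>, size=1100, nrcpt=1 (queue active)
Dec 17 16:03:10 mx postfix/smtpd[13501]: 6B7C8D9E0F1A: client=host[198.51.100.9], sasl_method=PLAIN, sasl_username=dave
Dec 17 16:03:11 mx postfix/qmgr[12965]: 6B7C8D9E0F1A: from=<dave@example.com>, size=900, nrcpt=1 (queue active)
"""

def trace(log_text):
    """Collect per-queue-ID fields from smtpd (entry point) and qmgr lines."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and (c := re.search(r"client=\S+?\[([^\]]+)\]", rest)):
            msgs[qid]["client_ip"] = c.group(1)
            u = re.search(r"sasl_username=([^,\s]+)", rest)
            msgs[qid]["sasl_user"] = u.group(1) if u else None
        elif daemon == "qmgr" and (f := re.search(r"from=<([^>]*)>", rest)):
            msgs[qid]["sender"] = f.group(1)
    return msgs

def mismatched_senders(log_text):
    """Return (queue_id, sasl_user, sender, client_ip) for authenticated
    submissions whose envelope sender local part differs from the login.
    Assumption: logins normally equal the mailbox local part at this site."""
    hits = []
    for qid, m in trace(log_text).items():
        user, sender = m.get("sasl_user"), m.get("sender", "")
        # Skip content_filter re-injection and unauthenticated mail.
        if not user or m.get("client_ip") == "127.0.0.1":
            continue
        if sender.split("@")[0].lower() != user.split("@")[0].lower():
            hits.append((qid, user, sender, m["client_ip"]))
    return hits

if __name__ == "__main__":
    for hit in mismatched_senders(SAMPLE_LOG):
        print(hit)
```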