We have a 10.6 server which we use for our e-mail; the only computers on the local network are a mix of Mac OS X 10.6/10.7 and 10.8. We have a firewall blocking all SMTP traffic out except from the server, and Maildistiller outbound relaying to stop any spam getting through to the outside world, as well as ESET antivirus installed on all clients and the server.
Recently we appear to have a spammer on the network: when I check the mailq it lists thousands of spam messages from random email addresses such as firstname.lastname@example.org, and daemon messages (see below).
F423511B1D879 3458 Wed Nov 14 00:09:28 email@example.com
(delivery temporarily suspended: lost connection with outbound.maildistiller.com[220.127.116.11] while sending RCPT TO)
The combination of all these messages is delaying legitimate mail. I checked the mail log (under smtp) and found the messages being submitted to the queue, but it doesn't list a user or source IP.
I have authentication set up in mail and users have recently changed their passwords.
Below are some of the actions in the smtp log of mail.
Nov 14 13:00:21 companydomainname postfix/smtp: 379D511B502B6: to=<firstname.lastname@example.org>, relay=outbound.maildistiller.com[18.104.22.168]:25, delay=1202, delays=896/4.6/301/0.66, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 07A5E80037)
Nov 14 13:00:16 companydomainname postfix/smtp: 0088C11B502BF: to=<email@example.com>, relay=outbound.maildistiller.com[22.214.171.124]:25, delay=1196, delays=895/0.02/301/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A4D180060)
Nov 14 13:00:18 companydomainname postfix/smtp: 0088C11B502BF: conversation with outbound.maildistiller.com[126.96.36.199] timed out while sending MAIL FROM
Nov 14 13:00:18 companydomainname postfix/smtp: 379D511B502B6: conversation with outbound.maildistiller.com[188.8.131.52] timed out while sending MAIL FROM
These will be removed but it takes far too long. Is there any way I can track which Mac has the spam agent installed? Also, is there a way in postfix to block SMTP traffic from entering the queue if it doesn't match an address with the correct @mydomain.com extension?
Thanks for your time,
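As an added example (not from the original post and not the asker's setup): the postfix/smtp lines quoted above only show delivery, while the submitting client's IP, hostname and SASL username are logged on the postfix/smtpd line that shares the same queue ID, and the envelope sender on the postfix/qmgr line. This script correlates constructed sample log lines by queue ID and counts, per submitting client, messages whose envelope sender is not in the local domain; the sample lines, IPs, usernames and "mydomain.com" are assumptions, and the PID in brackets is treated as optional so the format shown in the post also parses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Postfix log lines (not taken from the original post);
# queue IDs, client IPs, usernames and sender addresses are made up.
SAMPLE_LOG = """\
Nov 14 12:40:25 mailhost postfix/smtpd[811]: 379D511B502B6: client=unknown[192.168.1.57], sasl_method=PLAIN, sasl_username=jsmith
Nov 14 12:40:25 mailhost postfix/qmgr[402]: 379D511B502B6: from=<random.name@example.org>, size=3458, nrcpt=1 (queue active)
Nov 14 12:40:31 mailhost postfix/smtpd[811]: 0088C11B502BF: client=unknown[192.168.1.57], sasl_method=PLAIN, sasl_username=jsmith
Nov 14 12:40:31 mailhost postfix/qmgr[402]: 0088C11B502BF: from=<other.person@example.net>, size=2100, nrcpt=1 (queue active)
Nov 14 12:41:02 mailhost postfix/smtpd[812]: 1A2B3C4D5E6F7: client=laptop.lan[192.168.1.20], sasl_method=PLAIN, sasl_username=alice
Nov 14 12:41:02 mailhost postfix/qmgr[402]: 1A2B3C4D5E6F7: from=<alice@mydomain.com>, size=1500, nrcpt=1 (queue active)
"""

QUEUE_RE = re.compile(r"postfix/(?P<proc>\w+)(?:\[\d+\])?: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?:.*sasl_username=(?P<user>\S+))?")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")

def correlate(log_text):
    """Join smtpd (who submitted) and qmgr (envelope sender) lines by queue ID."""
    messages = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        rec = messages[m["qid"]]
        if m["proc"] == "smtpd":
            c = CLIENT_RE.search(m["rest"])
            if c:  # user is None when the client did not authenticate
                rec.update(ip=c["ip"], host=c["host"], user=c["user"])
        elif m["proc"] == "qmgr":
            f = FROM_RE.search(m["rest"])
            if f:
                rec["sender"] = f["sender"]
    return dict(messages)

def suspicious_clients(messages, local_domain):
    """Count, per (client IP, SASL user), messages whose envelope sender is not @local_domain."""
    counts = Counter()
    for rec in messages.values():
        sender = rec.get("sender", "")
        if "ip" in rec and not sender.lower().endswith("@" + local_domain.lower()):
            counts[(rec["ip"], rec.get("user"))] += 1
    return counts
```

Run it against the real smtpd and qmgr lines from /var/log/mail.log; the client with the highest count of off-domain senders is the machine (and the credential) to examine first.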