Hi folks,

I recently had to deal with some spam going through an ISP relay server.
When we encounter the issue, we pause mail transfers / transmitting mails until we have cleaned the spam:

    smtpctl pause mta

I found that this command was helpful for identifying the source IP:

    grep -R -e 'sockaddr' -e 'rcpt' -e 'sender' /var/spool/smtpd/*

which outputs something like this, which allows for ready identification of a problem client:

    /var/spool/smtpd/queue/e7/e7648787/e764878783110423:sockaddr: 5.134.REDACTED IP
    /var/spool/smtpd/queue/e7/e7648787/e764878783110423:sender: [email protected]
    /var/spool/smtpd/queue/e7/e7648787/e764878783110423:rcpt: [email protected]
    /var/spool/smtpd/queue/9c/9c850c58/9c850c58235381a8:sockaddr: 5.134.REDACTED IP
    /var/spool/smtpd/queue/9c/9c850c58/9c850c58235381a8:sender: [email protected]
    /var/spool/smtpd/queue/9c/9c850c58/9c850c58235381a8:rcpt: replyto@ redacteddomain1.com
    /var/spool/smtpd/queue/9c/9c109387/9c1093874ad9b2d6:sockaddr: 5.134. REDACTED IP
    /var/spool/smtpd/queue/9c/9c109387/9c1093874ad9b2d6:sender: [email protected]
    /var/spool/smtpd/queue/9c/9c109387/9c1093874ad9b2d6:rcpt: [email protected]
    /var/spool/smtpd/queue/9c/9cab4d35/9cab4d35b0a6dbc6:sockaddr: 5.134. REDACTED IP
    /var/spool/smtpd/queue/9c/9cab4d35/9cab4d35b0a6dbc6:sender: [email protected]
    /var/spool/smtpd/queue/9c/9cab4d35/9cab4d35b0a6dbc6:rcpt: [email protected]
    /var/spool/smtpd/queue/9c/9c55c9a0/9c55c9a0fd668a90:sockaddr: 5.134. REDACTED IP
    /var/spool/smtpd/queue/9c/9c55c9a0/9c55c9a0fd668a90:sender: [email protected]
    /var/spool/smtpd/queue/9c/9c55c9a0/9c55c9a0fd668a90:rcpt: [email protected]

Once we have cleaned the spam, blocked the host and notified the customer of an issue, we then resume mail transfers / transmission:

    smtpctl resume mta

Hope this helps

--
Kindest regards,
Tom Smyth.
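
The grep output above, summarised per source address so the noisiest client stands out; this is an added example, not part of the original post. The function names, the constructed sample lines and the reading of the last path component as the envelope id are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Input is the output of:
#   grep -R -e 'sockaddr' -e 'rcpt' -e 'sender' /var/spool/smtpd/*

# split_fields: turn "path:field: value" into tab-separated "path field value".
# Only the first ":" and the first ": " after it are used, so values that
# themselves contain colons (such as IPv6 addresses) survive intact.
split_fields() {
    awk '{
        i = index($0, ":"); if (i == 0) next
        path = substr($0, 1, i - 1); rest = substr($0, i + 1)
        j = index(rest, ": "); if (j == 0) next
        printf "%s\t%s\t%s\n", path, substr(rest, 1, j - 1), substr(rest, j + 2)
    }'
}

# top_sources: print "<envelope count> <sockaddr>", busiest source first.
top_sources() {
    split_fields | awk -F '\t' '$2 == "sockaddr" { n[$3]++ }
        END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# envelopes_from ADDR: print the envelope ids (last path component, an
# assumption based on the paths shown in the post) queued from ADDR.
envelopes_from() {
    split_fields | awk -F '\t' -v addr="$1" '$2 == "sockaddr" && $3 == addr {
        n = split($1, p, "/"); print p[n] }' | sort
}

# Constructed sample input (documentation addresses, made-up envelope ids).
sample_queue() {
    cat <<'EOF'
/var/spool/smtpd/queue/aa/aa000001/aa00000100000001:sockaddr: 192.0.2.10
/var/spool/smtpd/queue/aa/aa000001/aa00000100000001:sender: a@example.net
/var/spool/smtpd/queue/aa/aa000001/aa00000100000001:rcpt: x@example.org
/var/spool/smtpd/queue/bb/bb000002/bb00000200000002:sockaddr: 192.0.2.10
/var/spool/smtpd/queue/bb/bb000002/bb00000200000002:sender: b@example.net
/var/spool/smtpd/queue/bb/bb000002/bb00000200000002:rcpt: y@example.org
/var/spool/smtpd/queue/cc/cc000003/cc00000300000003:sockaddr: 2001:db8::25
/var/spool/smtpd/queue/cc/cc000003/cc00000300000003:sender: c@example.com
/var/spool/smtpd/queue/cc/cc000003/cc00000300000003:rcpt: z@example.org
EOF
}

sample_queue | top_sources
```

On a live system, pipe the grep command from the post into `top_sources` in place of `sample_queue`.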

