Can't determine (and so can't stop) the origin of abusive email

Fathi

Hi,
I have a PMG behind a firewall with only port 25 from the public IP address redirected to port 25 of my PMG.
In the tracking center I find the following few pieces of information about an abusive email:

Mar 2 09:09:05 mail postfix/smtpd[4340]: connect from localhost[127.0.0.1]
Mar 2 09:09:05 mail postfix/smtpd[4340]: 6C45C14104F: client=localhost[127.0.0.1]
Mar 2 09:09:05 mail postfix/cleanup[4330]: 6C45C14104F: message-id=1359150751.37725.1676769334595.cossemail.m1060.pg.massivemail01.com1.0
Mar 2 09:09:05 mail postfix/qmgr[431]: 6C45C14104F: from=<postmaster@pmg.f.q.d.n>, size=9796, nrcpt=1 (queue active)
Mar 2 09:09:05 mail postfix/smtpd[4340]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Mar 2 09:09:10 mail postfix/smtp[4331]: 6C45C14104F: to=<m@mycompany.email.domain>, relay=Ip.v4.add.ress:25, delay=4.6, delays=0.08/0/4.5/0, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Mar 2 09:09:10 mail postfix/qmgr[431]: 6C45C14104F: removed

I have no other software installed on PMG that could generate illegitimate email.
How is this happening?
TIA
 
From a further investigation, it seems that this happens when the email has been put in quarantine and then unquarantined by a user. I still can't determine who has unquarantined this email.
 
From a further investigation, it seems that this happens when the email has been put in quarantine and then unquarantined by a user. I still can't determine who has unquarantined this email.
Yes, mails released from quarantine have an envelope-sender of postmaster@ ... (in order to prevent bounces to the outside)

You can find out who released the mail by checking /var/log/pmgproxy/pmgproxy.log

I hope this helps!
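
One way to do the correlation the reply describes, as an added example (not code from the thread or from Proxmox): find messages re-injected from localhost with a postmaster@ envelope sender, then list quarantine POSTs in the proxy log within a few seconds of that time. The pmgproxy.log line format, the `/api2/json/quarantine/content` path, the year 2023, and the sample proxy lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Postfix lines copied from the post above.
POSTFIX_LOG = """\
Mar 2 09:09:05 mail postfix/smtpd[4340]: 6C45C14104F: client=localhost[127.0.0.1]
Mar 2 09:09:05 mail postfix/qmgr[431]: 6C45C14104F: from=<postmaster@pmg.f.q.d.n>, size=9796, nrcpt=1 (queue active)
Mar 2 09:09:10 mail postfix/smtp[4331]: 6C45C14104F: to=<m@mycompany.email.domain>, relay=Ip.v4.add.ress:25, delay=4.6, delays=0.08/0/4.5/0, dsn=2.0.0, status=sent (250 Message accepted for delivery)
"""
# Constructed pmgproxy.log lines; the line format and API path are assumptions.
PROXY_LOG = """\
::ffff:192.0.2.10 - alice@pmg [02/03/2023:09:08:12 +0100] "GET /api2/json/quarantine/spam HTTP/1.1" 200 512
::ffff:192.0.2.10 - alice@pmg [02/03/2023:09:09:05 +0100] "POST /api2/json/quarantine/content HTTP/1.1" 200 -
::ffff:192.0.2.77 - bob@pmg [02/03/2023:11:30:00 +0100] "POST /api2/json/quarantine/content HTTP/1.1" 200 -
"""
PF = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)$")
PX = re.compile(r'^(\S+) - (\S+) \[([^ \]]+) [^\]]*\] "POST (\S*quarantine\S*) ')

def released_candidates(text, year):
    """Messages injected from localhost with a postmaster@ envelope sender."""
    msgs = {}
    for line in text.splitlines():
        m = PF.match(line)
        if not m:
            continue
        ts, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"qid": qid, "time": None, "sender": "", "to": []})
        if rest.startswith("client=localhost[127.0.0.1]"):
            rec["time"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        elif rest.startswith("from=<"):
            rec["sender"] = rest[6:rest.index(">")]
        elif rest.startswith("to=<"):
            rec["to"].append(rest[4:rest.index(">")])
    return [r for r in msgs.values()
            if r["time"] and r["sender"].startswith("postmaster@")]

def who_released(msg, proxy_text, window=5):
    """Quarantine POSTs within `window` seconds of the re-injection."""
    # Both logs are assumed to be in the host's local time; the offset is ignored.
    hits = []
    for line in proxy_text.splitlines():
        m = PX.match(line)
        if not m:
            continue
        ip, user, ts, path = m.groups()
        when = datetime.strptime(ts, "%d/%m/%Y:%H:%M:%S")
        if abs(when - msg["time"]) <= timedelta(seconds=window):
            hits.append((user, ip, path))
    return hits
```

Syslog timestamps carry no year, so it is passed in explicitly; a match is only a candidate, since the access log line alone does not say which quarantine action was taken.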