Actually I just found this in the EXIM main log for that time (2011-03-09 04:50:18)
Code:
2011-03-09 04:50:18 1PxGyA-0004LC-Hl <= swicom@spywareinfoforum.info U=apache P=local S=929 T="SWI Webform" from <swicom@spywareinfoforum.info> for cfo@spywareinfoforum.info
2011-03-09 04:50:18 1PxGyA-0004LC-Hl remote host address is the local host: spywareinfoforum.info
2011-03-09 04:50:18 1PxGyA-0004LC-Hl == cfo@spywareinfoforum.info R=lookuphost defer (-1): remote host address is the local host
2011-03-09 04:50:18 1PxGyA-0004LC-Hl ** cfo@spywareinfoforum.info: retry timeout exceeded
2011-03-09 04:50:18 1PxGyA-0004LE-JC <= <> R=1PxGyA-0004LC-Hl U=mail P=local S=1803 T="Mail delivery failed: returning message to sender" from <> for swicom@spywareinfoforum.info
2011-03-09 04:50:18 1PxGyA-0004LC-Hl Completed
2011-03-09 04:50:18 1PxGyA-0004LE-JC remote host address is the local host: spywareinfoforum.info
2011-03-09 04:50:18 1PxGyA-0004LE-JC == swicom@spywareinfoforum.info R=lookuphost defer (-1): remote host address is the local host
2011-03-09 04:50:18 1PxGyA-0004LE-JC ** swicom@spywareinfoforum.info: retry timeout exceeded
2011-03-09 04:50:18 1PxGyA-0004LE-JC swicom@spywareinfoforum.info: error ignored
2011-03-09 04:50:18 1PxGyA-0004LE-JC Completed
So that tells us what the event was. There is just that one sequence but I guess the retries acccount for the large number of 'Invalid local domain' items in the logwatch report (there were around 20 of them, all for the same timestamp).
Someone browsing old domain spywareinfoforum.info was trying to send mail to a mail box in that domain. New mystery! There shouldn't be any 'send email' buttons there - must investigate.
Thanks very much for taking an interest!