Thanks for the thoughts! I did take an inventory of every device that connects from inside the firewall. I have an assortment of Android phones, tablets, a Sony DVD player that includes internet access, a Wii game console, two laptops (Windows Vista and Windows 8), two desktop PCs (Windows 7 and Windows 8) as well as a Fedora 18 client machine. I have attempted to isolate each machine to see if the source of the spam is coming from any of them. It does not appear to be so.
What was interesting to me was the content of the mail queue files that I was able to see. Here is a part (edited):
::::::::::::::
qfs7509RGu027444
::::::::::::::
V8
T1407197371
K1407247771
N41
P3840488
I253/1/9935
MDeferred: Connection timed out with 110mail.net.
Fwbs
$_Dynamic-IP-1815508495.cable.net.co [181.55.84.95] (may be forged)
$rESMTP
$s[192.168.1.6]
${daemon_flags}
${if_addr}
www.xxx.yyy.zzz <-This was my public IP address
S<me@mydomain.com> <-This was my personal email address
MDeferred: Connection timed out with 110mail.net.
rRFC822;
esgf74@110mail.net
RPFD:<esgf74@110mail.net>
MDeferred: Connection timed out with mp3-world.us.
rRFC822;
spokefawovasp@mp3-world.us
RPFD:<spokefawovasp@mp3-world.us>
H??Received: from [192.168.1.6] (Dynamic-IP-1815508495.cable.net.co [181.55.84.9
5] (may be forged))
(authenticated bits=0)
by mydomain.com (8.14.5/8.14.5) with ESMTP id s7509RGu027444
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Mon, 4 Aug 2014 20:09:31 -0400
H??Full-Name: My Name
H??Subject:
H??From: nmsVIAGRA <me@mydomain.com>
H??Content-Type: text/plain;
charset=charset="iso-8859-2"
H??X-Mailer: iPhone Mail (10A523)
H??Message-Id: <5558BADB-1067-9945-5AFC-3EE804CC0818@alpha2.com>
H??Date: Tue, 5 Aug 2014 02:56:11 -0700
H??To: "ebonylance@uswest.net" <ebonylance@uswest.net>
H??Content-Transfer-Encoding: quoted-printable
Notice that this mail came in from a dynamic IP address (first clue), and the sending IP source is listed as 192.168.1.6 (second clue, as this is a non-routable address and is NOT my internal net).
My sendmail is configured to NOT allow unresolvable domains, and I have turned off all internal sources of mail (localhost, etc.). I use tcpdump to watch for outgoing packets with a destination port of 25 and a source host of my public IP. I see that there is outgoing traffic, but I cannot locate its source.
What I am looking for is a tool that might be better than tcpdump, or maybe another way to use tcpdump. I was hoping to find the originating process ID for the packets...
I understand that I need to upgrade the server software. It has been running since FC 15 was current without any issues until now. If I was sure that cleaning the machine and reloading the software would solve the problem, I would do that over a weekend. I was just concerned that maybe the spammer was getting in some other way and the upgrade would not solve that problem.
Thoughts and comments are welcome.
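Added example, not part of this thread or of anyone's post: a small Python parser for the sendmail qf queue-control file format quoted above, with checks for the two clues the post points out (a dynamic external client address and a HELO that claims a private address) plus the `(authenticated bits=0)` line, which sendmail adds to Received when the session used SMTP AUTH, i.e. the message was accepted with a mailbox credential rather than from a LAN host. The sample qf file and the trusted network list are constructed placeholders.

```python
import ipaddress
import re

# Constructed sendmail qf (queue control) file modelled on the one quoted in the post;
# the host names and addresses are placeholders, not the real ones.
SAMPLE_QF = """V8
$_dyn-host.example.net [203.0.113.77] (may be forged)
$s[192.168.1.6]
S<me@mydomain.example>
H??Received: from [192.168.1.6] (dyn-host.example.net [203.0.113.77] (may be forged))
\t(authenticated bits=0)
\tby mydomain.example (8.14.5/8.14.5) with ESMTP id ABC123
"""
IPV4 = r"\[(\d+(?:\.\d+){3})\]"

def parse_qf(text):
    # Keep macros ($x value), the envelope sender (S) and H?? headers; indented lines continue a header.
    rec = {"macros": {}, "headers": {}, "sender": None}
    header = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and header:
            rec["headers"][header] += " " + line.strip()
            continue
        header = None
        if line.startswith("$"):
            rec["macros"][line[1:2]] = line[2:]
        elif line.startswith("S"):
            rec["sender"] = line[1:].strip("<>")
        elif line.startswith("H??"):
            header, _, value = line[3:].partition(":")
            rec["headers"][header] = value.strip()
    return rec

def assess(rec, trusted_nets):
    # Findings that separate a credential-abuse relay from mail our own hosts sent.
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    trusted = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    client = rec["macros"].get("_", "")
    findings = []
    if "(authenticated" in rec["headers"].get("Received", ""):
        findings.append("authenticated submission: a mailbox credential was used")
    m = re.search(IPV4, client)
    if m and not trusted(m.group(1)):
        findings.append(f"submitted from outside the trusted networks: {m.group(1)}")
    if "may be forged" in client:
        findings.append("client reverse DNS does not match its forward lookup")
    h = re.fullmatch(IPV4, rec["macros"].get("s", ""))
    if h and ipaddress.ip_address(h.group(1)).is_private and not trusted(h.group(1)):
        findings.append(f"HELO names private address {h.group(1)} that is not on our LAN")
    return findings
```

Run over every qf* file in the sendmail queue directory, an "authenticated submission" finding paired with an untrusted client address is the pattern that points at a leaked account password rather than at a compromised machine on the LAN.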