Someone is faking smtp authentication on our server and sending out emails. This is from header of one of such emails -
Received: from 18.104.22.168 (account <firstname.lastname@example.org> HELO domain.com) by domain.com (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 086072675 for <email@example.com>; Fri, 7 Oct 2011 16:35:15 +0600
(our actual domain name substituted by domain.com)
Even the maillog shows firstname.lastname@example.org
as authenticated but there is no such user as email@example.com
in our user list. I checked main.cf, it seems normal.
Any clues on how this is happening. I need to block it immediately before our domain gets marked for spamming.
Thanks in advance for helping.