Someone is faking SMTP authentication on our server and sending out emails. This is from the header of one such email:
Received: from 18.104.22.168 (account <email@example.com> HELO domain.com) by domain.com (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 086072675 for <firstname.lastname@example.org>; Fri, 7 Oct 2011 16:35:15 +0600
(our actual domain name substituted by domain.com)
Even the maillog shows email@example.com as authenticated but there is no such user as firstname.lastname@example.org in our user list. I checked main.cf, it seems normal.
Any clues on how this is happening? I need to block it immediately before our domain gets marked for spamming.
Thanks in advance for helping.