Thursday, November 29, 2012

How to find spammers in my maillog file?


This is the type of record I get when someone authenticates to send email.

Nov 29 09:45:28 ns1 sendmail[30199]: AUTH=server, relay=[1.2.3.4], authid=smithb, mech=PLAIN, bits=0

This command keeps only the authentication records, cuts out the AUTH field (everything after the fourth colon, i.e. after the timestamp and the sendmail[pid]: prefix), sorts, and counts identical lines. Note that uniq -c counts whole lines, so the same account shows up once per relay address and mechanism rather than once per user.

grep "authid" maillog | cut -d ":" -f 4 | sort -n | uniq -c

  36772  AUTH=server, relay=[176.222.239.10], authid=smithb, mech=LOGIN, bits=0
      1  AUTH=server, relay=[24.2.3.4], authid=usera, mech=PLAIN, bits=0
      8  AUTH=server, relay=[64.201.195.49], authid=userb, mech=LOGIN, bits=0
     94  AUTH=server, relay=[72.201.195.4], authid=userc, mech=LOGIN, bits=0

The first account has authenticated to the outgoing server about 37k times this week, far more than any real user. Someone has hacked their password and is sending spam through the account. Before locking it, compare the relay address with where that user normally connects from, since a legitimately busy sender (a mailing-list or monitoring account, say) can also produce a large count; a stolen password usually shows up from addresses the user has never used. I will save this command and find the culprit much faster next time.

I took some inspiration from this post.

http://www.oxxus.net/wiki/Mail_server_log_analyzing