The from address in the email header of the spam is the domain name of our ISP. We have 6 IP addresses on the server which don't have any domains hosted on them. 5 of those still have the default PTR from our ISP (which is their domain name). I assume that's how the from address was formed.
/usr/local/psa/var/log/maillog has this:
Sep 1 05:14:24 orange2 relaylock: /var/qmail/bin/relaylock: mail from 220.171.139.240:4813 (not defined)
Sep 1 05:14:25 orange2 smtp_auth: SMTP connect from (null)@(null) [220.171.139.240]
Sep 1 05:14:25 orange2 smtp_auth: smtp_auth: SMTP user : logged in from (null)@(null) [220.171.139.240]
Then I found this thread http://forum.swsoft.com/showthread.php?t=53015 with the same problem. I also tried using telnet to auth using the PTR domain but it didn't work for me. Parallels said that it is a bug which will be fixed in 8.4.1. The release notes for 8.6 say "Fixed issue with empty mail user name displayed in logs of Plesk installed on SuSE.".
My question is, does anybody have an idea on how to fix this besides removing the unused IP addresses from the server (if that's even the problem)? And does anybody know if this is fixed in 8.6? I guess it's about time to upgrade anyways but I like to wait a few months after a release of Plesk.
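To see how often, and from which addresses, the empty-user login shown in the maillog excerpt occurs, the log can be scanned for `smtp_auth` "logged in" lines with no user name. This is an added example, not part of the original post or of Plesk; the function name, the regex and the format of a normal (named-user) login line are assumptions, and the sample lines other than the three quoted above are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines from the post, one hypothetical normal
# login (its exact format is assumed) and a second empty-user login.
SAMPLE = """\
Sep 1 05:14:24 orange2 relaylock: /var/qmail/bin/relaylock: mail from 220.171.139.240:4813 (not defined)
Sep 1 05:14:25 orange2 smtp_auth: SMTP connect from (null)@(null) [220.171.139.240]
Sep 1 05:14:25 orange2 smtp_auth: smtp_auth: SMTP user : logged in from (null)@(null) [220.171.139.240]
Sep 1 05:20:02 orange2 smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from (null)@(null) [192.0.2.10]
Sep 1 05:31:40 orange2 smtp_auth: smtp_auth: SMTP user : logged in from (null)@(null) [220.171.139.240]
"""

# Timestamp, host, then the "SMTP user <name> : logged in from ... [ip]" record.
# <name> is captured separately so an empty name can be told from a real one.
LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+smtp_auth:.*?"
    r"SMTP user\s*(?P<user>[^\s:]*)\s*: logged in from \S+ \[(?P<ip>[^\]]+)\]"
)


def empty_user_logins(lines):
    """Map source IP -> timestamps of successful SMTP AUTH with no user name."""
    hits = defaultdict(list)
    for line in lines:
        m = LOGIN.search(line)
        if m and m.group("user") == "":
            hits[m.group("ip")].append(m.group("ts"))
    return dict(hits)


if __name__ == "__main__":
    import sys
    # Pass the maillog path as an argument, or run with none to use the sample.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    ranked = sorted(empty_user_logins(src).items(), key=lambda kv: -len(kv[1]))
    for ip, stamps in ranked:
        print(f"{ip}\t{len(stamps)} empty-user logins\tfirst {stamps[0]}\tlast {stamps[-1]}")
```

Addresses it reports can be compared against the relaylock "(not defined)" entries for the same connection to confirm that mail was accepted on the strength of the empty-user login alone.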