Mail merge sending Spam, but not from my server? Strange!

coolemail

Can someone please help me with this. I have Plesk 8.6 with CentOS 5.2 and ASL.

I created a mail merge in Word and sent an email to about 45 people. I then got 24 failure notices which look like my server is sending Spam:

From: MAILER-DAEMON@plesk2.server-domain.co.uk [mailto:MAILER-DAEMON@plesk2.server-domain.co.uk]
Sent: 10 October 2009 13:14
To: minifixtures@mydomain.org
Subject: failure notice

Hi. This is the qmail-send program at plesk2.server-domain.co.uk.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<pluadis@yahoo.com>:
216.39.53.1 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (pluadis@yahoo.com) [-5] - mta368.mail.re4.yahoo.com

<plubof@yahoo.com>:
216.39.53.3 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (plubof@yahoo.com) [0] - mta167.mail.re4.yahoo.com

<pltfsubang@yahoo.com>:
98.137.54.237 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (pltfsubang@yahoo.com) [0] - mta165.mail.sp2.yahoo.com

<plu2plu@singnet.com.sg>:
Connected to 165.21.74.117 but sender was rejected.
Remote host said: 553 5.1.8 <secured-notice@mybank.com.my>... Domain of sender address secured-notice@mybank.com.my does not exist

<pltf@pd.jaring.my>:
Connected to 192.228.251.41 but sender was rejected.
Remote host said: 553 5.1.8 <secured-notice@mybank.com.my>... Domain of sender address secured-notice@mybank.com.my does not exist

<plu@soretal.com>:
80.69.208.145 does not like recipient.
Remote host said: 553 5.1.8 <plu@soretal.com>... Domain of sender address secured-notice@mybank.com.my does not exist
Giving up on 80.69.208.145.

<plucker-dev@plkr.org>:
Connected to 72.36.135.42 but sender was rejected.
Remote host said: 553 5.1.8 <secured-notice@mybank.com.my>... Domain of sender address secured-notice@mybank.com.my does not exist

--- Below this line is a copy of the message.

Return-Path: <minifixtures@mydomain.org>
Received: (qmail 16397 invoked from network); 10 Oct 2009 13:13:17 +0100
Received: from 78-32-177-1.static.enta.net (HELO ChristophNew) (78.32.177.1)
  by plesk2.server-domain.co.uk with SMTP; 10 Oct 2009 13:13:17 +0100
From: "Me \(Rugby Club Mini Fixtures\)" <minifixtures@mydomain.org>
To: <u12admin@mydomain.org>
Subject: Your RFC email address
Date: Sat, 10 Oct 2009 13:13:04 +0100
Message-ID: <067301ca49a3$0937f700$1ba7e500$@org>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0674_01CA49AB.6AFC5F00"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpJowJC1Kv7P3iyQqS1RTfbRduTpw==
Content-Language: en-gb

This is a multi-part message in MIME format.

------=_NextPart_000_0674_01CA49AB.6AFC5F00

So then I went to check all the emails that had been sent from minifixtures@mydomain.org and they were all the ones I had sent except for the following ones "to rcpts":

[root@plesk2 ~]# grep 'sent by minifixtures@mydomain.org to rcpts is passed' /usr/local/psa/var/log/maillog
Oct 10 12:09:58 plesk2 qmail-queue[10527]: scan: the message(drweb.tmp.2Jx6uN) sent by minifixtures@mydomain.org to rcpts is passed
Oct 10 13:13:25 plesk2 qmail-queue[16506]: scan: the message(drweb.tmp.R47pjw) sent by minifixtures@mydomain.org to rcpts is passed
Oct 10 13:13:29 plesk2 qmail-queue[16579]: scan: the message(drweb.tmp.4e1OZ7) sent by minifixtures@mydomain.org to rcpts is passed
Oct 10 13:13:42 plesk2 qmail-queue[16820]: scan: the message(drweb.tmp.2EQJnH) sent by minifixtures@mydomain.org to rcpts is passed
Oct 10 13:13:54 plesk2 qmail-queue[16994]: scan: the message(drweb.tmp.9Hgsna) sent by minifixtures@mydomain.org to rcpts is passed
Oct 10 13:13:56 plesk2 qmail-queue[17025]: scan: the message(drweb.tmp.V1EMtL) sent by minifixtures@mydomain.org to rcpts is passed
Oct 10 17:56:40 plesk2 qmail-queue[15670]: scan: the message(drweb.tmp.IatR2Z) sent by minifixtures@mydomain.org to rcpts is passed
[root@plesk2 ~]#

Could "rcpts" be the Spam going out? The mail queue did not show any. Yesterday I did notice some Spam. I deleted it all, and running the weak password script, it came up with one email address which I deleted, so it should not be that.

If anyone can guide me, I'd be eternally grateful. Many thanks in advance.
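
An added example, not part of the original post: a Python script that splits a qmail-send failure notice of the kind quoted above into per-recipient failures, then flags recipients that are not on your own send list and rejections that name a sender different from the Return-Path of the attached copy. The sample notice and its example.* addresses are constructed, and the function names are hypothetical; the field layout is assumed from the notice shown in the post.

```python
import re

# Constructed sample in the layout of the notice above (example.* addresses are made up).
SAMPLE_BOUNCE = """\
Hi. This is the qmail-send program at mail.example.net.

<nobody1@example.com>:
192.0.2.1 failed after I sent the message.
Remote host said: 554 delivery error: no such user (nobody1@example.com)

<nobody2@example.org>:
Connected to 192.0.2.2 but sender was rejected.
Remote host said: 553 5.1.8 <notice@bank.example>... Domain of sender address notice@bank.example does not exist

--- Below this line is a copy of the message.

Return-Path: <club@example.net>
To: <member@example.net>
"""

SEPARATOR = "--- Below this line is a copy of the message."
RCPT_RE = re.compile(r"^<([^<>\s]+)>:$")
SENDER_RE = re.compile(r"sender address (\S+@[\w.-]+)")
RETURN_PATH_RE = re.compile(r"^Return-Path:\s*<([^<>]*)>", re.MULTILINE)

def parse_bounce(text):
    """Return (per-recipient failures, Return-Path of the attached copy)."""
    report, _, copy = text.partition(SEPARATOR)
    failures = []
    for line in map(str.strip, report.splitlines()):
        m = RCPT_RE.match(line)
        if m:  # "<address>:" opens a new failure block
            failures.append({"rcpt": m.group(1), "reason": ""})
        elif failures and line:  # following lines are the remote host's reply
            failures[-1]["reason"] += line + " "
    rp = RETURN_PATH_RE.search(copy)
    return failures, (rp.group(1) if rp else None)

def audit(text, sent_to):
    """Flag failed recipients I never mailed and rejections naming another sender."""
    failures, return_path = parse_bounce(text)
    sent = {a.lower() for a in sent_to}
    for f in failures:
        cited = SENDER_RE.search(f["reason"])
        f["cited_sender"] = cited.group(1).lower() if cited else None
        f["in_my_list"] = f["rcpt"].lower() in sent
        f["sender_mismatch"] = bool(cited) and f["cited_sender"] != (return_path or "").lower()
    return return_path, failures

if __name__ == "__main__":
    print(audit(SAMPLE_BOUNCE, ["member@example.net"]))
```
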
scott

It could be that those were leftovers from the older spamming event too. BTW, I just added logging into PHP 5.2.11-3 for mail() events. It's in the atomic-testing channel now.
coolemail

Thank you, as ever, Scott. The strange thing about this Spam is that it all happened the minute I sent the mail merge, and it was those emails that were in the failure report. The Spam the day before was different (I guess) in that it was sitting in the mail queue. I'm not sure where it originated. I was baffled (and I guess relieved) that the maillog did not show up any of those emails. I need to do another mail merge and will see if it does this again.

The logging will be useful, thank you.