Analysing the mail.log

To determine the 'busiest' domains in terms of the number of emails passing through the server:

awk -F[\<\>] '($2 ~ /@/){print $2}' /var/log/mail.log \
  | awk -F\@ '{print $2}' \
  | sort | uniq -c | sort -n

To see which addresses at a particular domain are being targeted - scans all mail.log files:

zgrep @yourdomain /var/log/mail.log* | awk -F[\<\>] '{print $2}' | sort | uniq -c | sort

To find the message id of emails sent to a particular domain - scans only unzipped mail.log files:

grep @yourdomain /var/log/mail.log* | awk '{print $6}' | sort | uniq | sed 's/://'

Check the status of messages sent to a particular domain:

grep @yourdomain /var/log/mail.log* | grep stat= | sed 's/.*stat=//' | sort | uniq -c

List the message id's of messages that appear more than a certain number of times (200 in this example) in the unzipped mail.log files:

awk '{print $6}' /var/log/mail.log* | sort | uniq -c | awk '($1 > 200)' | sort | sed 's/://'

to remove extraneous lines from the output you can place a condition at the start such as:
'($6 ~ /^k/){print $6}'

In our case, this returned a list as follows:

    226 k9SMmVcP014826
    233 k9RCIgRw003033
    238 k9R2Xubr029996
    313 k9OKlqXl025589
    530 k9SIl9xq018350
    617 k9Q1TTqd015669

The next step is to see what the status is of these messages:

grep k9Q1TTqd015669 /var/log/mail.log | head -1

Or, if they're still in the queue you can read the email content from the spool file:

more /var/spool/mqueue/*k9Q1TTqd015669

And, if it looks like this message is spam you can remove it from the queue permanently:

rm /var/spool/mqueue/*k9Q1TTqd015669

you will probably need root access to delete these files

References