Well Ihad some small troubles with spamers on postfix I found some commands to parse logs and get the user.
Sometimes the user password was compromised, we need search the users what is sending spam like:
zgrep 'sasl_method' /var/log/mail.log* | grep "postfix/smtpd" | awk '{print $9}' | sort -n | uniq -c | sort -n | tail that return is
4342 [email protected] 20980 [email protected] Wow i see that two users login alot of times with the mailserver.