A year ago my server sent spam mails and I did not notice it for a long time. We only noticed because a second spammer sent a massive 90k spam mails in a very short timeframe and the server resources were maxed out.
After changing the probably-too-weak passwords on the affected mail accounts I added monitoring of the number of mails the server sends per day and set a warn limit of 600. Yesterday I received such a warn mail:
From: munin@example.org
To: cweiske@example.org
Subject: Munin notification ahso
Date: Mon, 13 Nov 2017 15:30:33 +0100 (CET)

ahso2 :: ahso2 :: Postfix statistics
CRITICALs: delivered is 1706.00 (outside range [:600]).
I immediately stopped postfix and checked the server to see what was going on. Munin's mails-sent-today chart showed a sudden spike from 1500 handled mails that day to 4500, clearly some spam wave.
The mail.log had a large number of mails sent by a single authenticated user, so that user's password was apparently not secret anymore. I changed it to a complicated one and cleaned the postfix queue.
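The "which authenticated user is sending all this" check can be scripted instead of eyeballed. The following is an added example, not the author's tooling: it joins the postfix/smtpd "client=... sasl_username=" lines with the postfix/qmgr "nrcpt=" lines by queue ID, so that it counts recipients (which is what a spam run inflates) and not only messages, and reports per-user and per-day totals against a limit. The log lines, hostname ahso2, users and limits are constructed sample data; the line format is the standard postfix syslog format, but any site-specific syslog prefix would need the regexes adjusted.

```python
import re
from collections import Counter, defaultdict

# postfix/smtpd logs one "client=" line per accepted session; sasl_username
# is only present when the client authenticated, i.e. for submissions by
# local users rather than inbound MX deliveries.
SASL_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2}) [\d:]{8} \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>\w+): client=\S+, sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)
# postfix/qmgr logs envelope sender, size and recipient count once per message.
QMGR_RE = re.compile(
    r"^\w{3} +\d{1,2} [\d:]{8} \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>\w+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)\b"
)


def submissions(lines):
    """Return {queue_id: (date, sasl_user, recipient_count)} for authenticated mail.

    A message whose qmgr line is missing (still queued, or rejected before it
    was queued) is attributed to the user with 0 recipients.
    """
    users = {}
    nrcpt = defaultdict(int)
    for line in lines:
        m = SASL_RE.match(line)
        if m:
            users[m["qid"]] = (m["date"], m["user"])
            continue
        m = QMGR_RE.match(line)
        if m:
            nrcpt[m["qid"]] = int(m["nrcpt"])
    return {qid: (date, user, nrcpt[qid]) for qid, (date, user) in users.items()}


def per_user(lines):
    """{user: (messages, recipients)} for every authenticated sender."""
    msgs, rcpts = Counter(), Counter()
    for _, user, n in submissions(lines).values():
        msgs[user] += 1
        rcpts[user] += n
    return {u: (msgs[u], rcpts[u]) for u in msgs}


def per_day(lines):
    """Recipients handed to the queue per day; this is what a daily warn limit should watch."""
    total = Counter()
    for date, _, n in submissions(lines).values():
        total[date] += n
    return dict(total)


def suspicious_users(lines, max_recipients):
    """Users who addressed more than max_recipients, busiest first."""
    stats = per_user(lines)
    return sorted(((u, m, r) for u, (m, r) in stats.items() if r > max_recipients),
                  key=lambda t: -t[2])


def _pair(date, time, qid, user, nrcpt):
    """Constructed smtpd + qmgr line pair for one authenticated message (hypothetical host ahso2)."""
    return [
        f"{date} {time} ahso2 postfix/smtpd[2341]: {qid}: client=unknown[203.0.113.7], "
        f"sasl_method=LOGIN, sasl_username={user}",
        f"{date} {time} ahso2 postfix/qmgr[1200]: {qid}: from=<{user}>, size=2210, "
        f"nrcpt={nrcpt} (queue active)",
    ]


# Constructed sample log: a normal user, one account blasting 40 messages to
# 25 recipients each, and an inbound delivery without sasl_username.
SAMPLE_LOG = []
for i in range(3):
    SAMPLE_LOG += _pair("Nov 13", f"09:0{i}:10", f"A{i:03X}", "alice@example.org", 1)
for i in range(40):
    SAMPLE_LOG += _pair("Nov 13", f"15:{i:02d}:01", f"B{i:03X}", "bob@example.org", 25)
SAMPLE_LOG.append("Nov 13 15:10:44 ahso2 postfix/smtpd[2399]: C0FFEE: "
                  "client=mx.example.net[198.51.100.2]")
SAMPLE_LOG.append("Nov 13 15:10:44 ahso2 postfix/qmgr[1200]: C0FFEE: "
                  "from=<someone@example.net>, size=900, nrcpt=1 (queue active)")

if __name__ == "__main__":
    for user, msgs, rcpts in suspicious_users(SAMPLE_LOG, 100):
        print(f"{user}: {msgs} messages to {rcpts} recipients")
    print("recipients per day:", per_day(SAMPLE_LOG))
```

On a real box the input is simply `open("/var/log/mail.log")`; the inbound line in the sample shows why the check keys on sasl_username rather than on every smtpd line, otherwise ordinary incoming mail would be blamed on nobody or on the wrong account.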
The problem is solved for now, but I guess I have to install something like policyd that limits the number of mails a single user can send, so that such spam waves cannot get so big.