For postfix mail systems:

0. shut off the mail system (postfix stop) so the spammer's sessions are cut and the queue stops growing while you work
1. lock the account (usermod -L or change their password). Note that usermod -L only locks the Unix password; if SMTP AUTH is checked against a separate password store (e.g. a Dovecot passdb), change the password there as well, otherwise the spammer can keep authenticating
2. mailq -- if there are a lot of messages from one user, that's the compromised account. Delete these messages with postsuper -d: it takes one queue ID as argument, or "-" to read queue IDs one per line from stdin, e.g. postsuper -d - < queueid_list. Keep in mind that mailq shows the envelope sender, which the spammer may have forged; the authenticated login (step 3) is the reliable indicator
3.a are there still a lot of messages in the queue from spammy looking From: addresses? if so, find out who the authenticated sender on those messages is, like so:
   - put all the queue IDs in a file, one per line
   - while read l ; do postcat -q "$l" | grep "named_attribute: sasl_username="; done < queueid_list
   (postcat -q prints the message's attributes; sasl_username is the login used for SMTP AUTH)
3.b alternatively, go to /var/spool/postfix and look at one of the raw queue files. The string sasl_username=compromised@victoria.tc.ca is visible in the raw file -- search on that
3.c get a list of all queue IDs sent by that user and delete them:
   cd /var/spool/postfix
   grep -Rl "sasl_username=compromised@victoria.tc.ca" incoming/ active/ deferred/ hold/ | sed 's|.*/||' > ~/killfile
   postsuper -d - < ~/killfile
   (grep prints paths such as deferred/A/1A2B3C4D5E, possibly with hashed subdirectories, while postsuper wants bare queue IDs, hence the sed. The messages live in incoming/, active/, deferred/ and hold/; defer/ only holds per-message delivery status logs, so there is no point searching it)
4. restart the mail system (postfix start) and watch mailq and the mail log for more spam activity
5. notify the users that they were compromised and need to reset their password
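Steps 2 and 3.c above, scripted. This is an added example, not part of the original notes: it assumes a queue tree laid out like /var/spool/postfix (incoming/ active/ deferred/ hold/, possibly with hashed subdirectories) whose raw queue files contain the literal string sasl_username=<login>, and that postsuper(1) is on PATH when you actually delete. The sample spool and the saved mailq output are constructed here for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example (not the original page's commands).  Assumes a queue tree laid
# out like /var/spool/postfix whose queue files contain "sasl_username=<login>"
# as written by smtpd for SMTP AUTH sessions.  Sample data below is constructed.

# Print the queue IDs (bare IDs, not paths) of every message submitted by
# SASL login $2 under spool root $1.  sed strips any leading directories,
# including hashed ones such as deferred/A/.
queue_ids_for_user() {
    spool="$1" login="$2"
    ( cd "$spool" && grep -Rl -- "sasl_username=$login" incoming active deferred hold 2>/dev/null ) \
        | sed 's|.*/||' | sort -u
}

# Rank envelope senders by number of queued messages from saved `mailq` output
# (file $1).  A message's header line starts with its queue ID, optionally
# suffixed with * (active) or ! (hold); the sender is the last field.  Indented
# recipient lines, status lines in parentheses and the footer are skipped.
# Envelope senders can be forged, so use this only to pick where to look first.
top_senders() {
    awk '/^[0-9A-Za-z]+[*!]?[ \t]/ { n[$NF]++ } END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Delete the queue IDs listed one per line in $1.  postsuper -d - reads IDs
# from stdin, so the killfile must contain bare IDs.
kill_queue_ids() {
    postsuper -d - < "$1"
}

# --- constructed sample spool and mailq output ------------------------------
SPOOL=$(mktemp -d)
mkdir -p "$SPOOL/active" "$SPOOL/deferred/A" "$SPOOL/incoming"
printf 'named_attribute: sasl_username=compromised@victoria.tc.ca\n' > "$SPOOL/active/1A2B3C4D5E"
printf 'sasl_username=compromised@victoria.tc.ca\n' > "$SPOOL/deferred/A/A1B2C3D4E5"
printf 'sasl_username=innocent@victoria.tc.ca\n' > "$SPOOL/deferred/A/B2C3D4E5F6"
printf 'no sasl attribute at all\n' > "$SPOOL/incoming/C3D4E5F6A7"

MAILQ=$(mktemp)
cat > "$MAILQ" <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E*     2345 Tue Mar  4 09:12:11  spammy.from@example.net
                                         victim1@example.org
A1B2C3D4E5      2210 Tue Mar  4 09:13:02  spammy.from@example.net
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         victim2@example.org
B2C3D4E5F6      1024 Tue Mar  4 09:20:45  innocent@victoria.tc.ca
                                         friend@example.com

-- 5 Kbytes in 3 Requests.
EOF

echo "queued messages per envelope sender:"
top_senders "$MAILQ"
echo "queue IDs submitted by compromised@victoria.tc.ca:"
queue_ids_for_user "$SPOOL" compromised@victoria.tc.ca | tee "$SPOOL/killfile"
# On a real system, after stopping postfix and locking the account:
#   kill_queue_ids "$SPOOL/killfile"
```

On a live box run it with SPOOL=/var/spool/postfix and a real `mailq > file`; the grep needs read access to the queue directories, so run it as root. The message count per sender from mailq is only a hint, since the From: and envelope sender are under the spammer's control; the sasl_username match is what decides which IDs go in the killfile.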