For postfix mail systems:

0. shut off the mail system

1. lock the account (usermod -L or change their password)

2. mailq -- if there are a lot of messages from one user, that's the compromised account. dump these messages. (postsuper -d )

3.a are there still a lot of messages in the queue, from spammy looking from: addresses? if so, find out who the authenticated sender on those messages is, like so:

- put all the queue IDs in a file, one per line

- cat queueid_list | while read l ; do postcat -q "$l" | grep "named_attribute: sasl_username="; done

3.b go to /var/spool/postfix and look at one of the raw queue files. should be a string you can search on like visible -- use that.

3.c get a list of all queue IDs sent by that user:

grep -Rl "" active/ defer/ deferred/ > ~/killfile

4. restart the mail system and watch for more spam activity

5. notify the users that they were compromised and need to reset their password