> > We had a spamming incident that began around 2:30 am that leveraged a compromised Surgemail account. Our monitoring system caught the issue at 3:17 am, so when our help desk person started his day at 6 am he was able to identify the compromised account that the spammer was using for smtpauth. But changing the Surgemail account's password did not stop the spamming from continuing. Assuming that Surgemail maintained the initial SMTP authentication (which the Surgemail logs support), we restarted Surgemail on both nodes (surgemail stop; wait until the process disappears; surgemail start). But the spamming continued. We ended up removing the email account to halt the spamming.
> >
> > How should we have addressed this issue? Is there a command that will clear any and all existing SMTP AUTH sessions for a particular username?
> >
> > Frank

Block the IP with IPTables.

Regards
Wayne