> If you don't know how your server was compromised, you must reformat the
> hard drive and reinstall from scratch.
>
> The attacker has probably left a back door by which the attacker can gain
> access and seize control of your server again, at will.

Thanks for the warning, Sam, that was the first thing I looked for.

All evidence so far (first concern was to stop the flood) points to an open relay with mail originating from a Yahoo account. The spam itself was Chinese, addressed and cc-ed to seemingly random Yahoo and Hotmail accounts, a "dictionary attack" I think, with the bulk of it rejected and sitting in my outgoing mail queue. I have full SELinux firewalling fully enabled and am fairly closed-up except for http, email, and ftp.

bob