This morning there were a lot of spam email messages sent through our server from one of our clients' legitimate email accounts. I'm trying to determine whether it was their email account or the server itself that was hacked. If I go to Mail Delivery Reports > View Relayers, I get about 34 pages of details for this account. One of the examples is provided below. It appears that the server is being used as an SMTP relay. As best I understand it, this means the email account itself is compromised, correct? Or could it be something else? I'm already changing the password while I continue to look into this.
Event: success success
User: xxxxxxx
Domain: xxxxx.com
Sender: [email protected]
Sent Time: May 22, 2014 11:07:11 AM
Sender Host: 03b553ef.pediting.me
Sender IP: 220.127.116.11
Authentication: forwarder
Spam Score:
Recipient: [email protected]
Delivered To: [email protected]
Delivery User: -remote-
Delivery Domain:
Router: lookuphost
Transport: remote_smtp
Out Time: May 22, 2014 11:07:11 AM
ID: 1WnUb5-00008h-Et
Delivery Host: mx2.hotmail.com
Delivery IP: 18.104.22.168
Size: 5.59 KB
Result: Message accepted
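The field that answers the question in the post is Authentication, which in a cPanel relayer record names the mechanism that authorized the relay. The example below is added here and is not part of the original post or of cPanel: it parses the flattened "Label: value Label: value" record format shown above, groups the relayed messages by Authentication and sender IP, and attaches a triage verdict per mechanism. The verdict mapping is an assumption about cPanel's Exim labels (dovecot_login / dovecot_plain meaning an SMTP AUTH login with the mailbox password, forwarder meaning the message was re-sent by a forwarder rule without any login, localuser meaning a local process on the server). The first sample record is the one quoted in the post; the remaining records and the 198.51.100.x / 203.0.113.x addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Field labels as they appear in a cPanel "View Relayers" record. Longer labels
# are listed before their prefixes ("Sender Host" before "Sender") so that the
# regex alternation matches the whole label.
FIELDS = [
    "Event", "User", "Domain", "Sender Host", "Sender IP", "Sender",
    "Sent Time", "Authentication", "Spam Score", "Recipient", "Delivered To",
    "Delivery User", "Delivery Domain", "Delivery Host", "Delivery IP",
    "Router", "Transport", "Out Time", "ID", "Size", "Result",
]
_LABEL_RE = re.compile(r"(?<!\S)(" + "|".join(re.escape(f) for f in FIELDS) + r"):")

# Constructed sample: the first record is the one quoted in the post; the
# others are made up to show the other values the Authentication field takes.
SAMPLE_LINES = [
    "Event: success success User: xxxxxxx Domain: xxxxx.com Sender: [email protected] "
    "Sent Time: May 22, 2014 11:07:11 AM Sender Host: 03b553ef.pediting.me "
    "Sender IP: 220.127.116.11 Authentication: forwarder Spam Score: "
    "Recipient: [email protected] Delivered To: [email protected] "
    "Delivery User: -remote- Delivery Domain: Router: lookuphost "
    "Transport: remote_smtp Out Time: May 22, 2014 11:07:11 AM ID: 1WnUb5-00008h-Et "
    "Delivery Host: mx2.hotmail.com Delivery IP: 18.104.22.168 Size: 5.59 KB "
    "Result: Message accepted",
    "Event: success success User: xxxxxxx Domain: xxxxx.com Sender: [email protected] "
    "Sent Time: May 22, 2014 11:09:40 AM Sender Host: host7.example.net "
    "Sender IP: 198.51.100.7 Authentication: dovecot_login Spam Score: "
    "Recipient: bob@example.net Delivery User: -remote- Delivery Domain: "
    "Router: lookuphost Transport: remote_smtp Size: 4.10 KB Result: Message accepted",
    "Event: success success User: xxxxxxx Domain: xxxxx.com Sender: [email protected] "
    "Sent Time: May 22, 2014 11:09:41 AM Sender Host: host7.example.net "
    "Sender IP: 198.51.100.7 Authentication: dovecot_login Spam Score: "
    "Recipient: carol@example.net Delivery User: -remote- Delivery Domain: "
    "Router: lookuphost Transport: remote_smtp Size: 4.12 KB Result: Message accepted",
    "Event: success success User: xxxxxxx Domain: xxxxx.com Sender: [email protected] "
    "Sent Time: May 22, 2014 11:12:03 AM Sender Host: mail.example.org "
    "Sender IP: 203.0.113.5 Authentication: forwarder Spam Score: "
    "Recipient: dave@example.com Delivery User: -remote- Delivery Domain: "
    "Router: lookuphost Transport: remote_smtp Size: 6.02 KB Result: Message accepted",
]


def parse_record(line):
    """Split one flattened record into a dict keyed by field label.
    A label followed directly by the next label ("Spam Score: Recipient:")
    yields an empty string for the first field."""
    matches = list(_LABEL_RE.finditer(line))
    record = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        record[m.group(1)] = line[m.end():end].strip()
    return record


def summarize_by_auth(records):
    """Group relayed messages by the value of the Authentication field and
    collect the sender IPs and recipients seen for each mechanism."""
    summary = defaultdict(lambda: {"messages": 0, "sender_ips": set(), "recipients": set()})
    for r in records:
        entry = summary[r.get("Authentication") or "(none)"]
        entry["messages"] += 1
        entry["sender_ips"].add(r.get("Sender IP", ""))
        entry["recipients"].add(r.get("Recipient", ""))
    return dict(summary)


def triage(auth):
    """Map an Authentication value to what it implies about the source of the
    relay. The label meanings are assumptions about cPanel's Exim setup."""
    if auth.startswith("dovecot_"):
        return "SMTP AUTH with the mailbox password: treat the account credentials as compromised"
    if auth == "forwarder":
        return "re-sent by an email forwarder rule, no login involved: inbound spam is being forwarded out"
    if auth == "localuser":
        return "submitted by a local process (script or web application) on the server itself"
    return "unrecognised mechanism: inspect the full record"


def report(lines):
    """Parse every record and return one (auth, messages, sender_ips, verdict) row per mechanism."""
    summary = summarize_by_auth(parse_record(l) for l in lines)
    return [(auth, e["messages"], sorted(e["sender_ips"]), triage(auth))
            for auth, e in sorted(summary.items())]


if __name__ == "__main__":
    for auth, n, ips, verdict in report(SAMPLE_LINES):
        print(f"{auth:14} {n:3} msgs from {', '.join(ips)}: {verdict}")
```

Run it against the 34 pages exported from View Relayers and the two questions in the post separate cleanly: rows under dovecot_login point at a stolen mailbox password (rotate it, then block the sender IPs), while rows under forwarder mean the account was never logged into and the volume is inbound spam being bounced out through a forwarder, which a password change will not stop.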