I need your advice on how to resolve an ongoing spam problem that we've been having at work. We have two mail servers, an Exchange server and an Imail server. It is our Imail server that is being attacked. We suffer nightly (and sometimes early morning) attacks where around 6,000 spam messages are sent out. This sometimes overloads the Imail queue and legitimate messages can get stuck for hours. This is a huge problem for our customers... and has been causing lots of headaches internally. We've been added to several blacklists, which obviously makes things worse still.
I've been analyzing the logs and Imail config and I'm perplexed. We have open relay disabled and I don't believe that there is a compromised account. Recently, the attacker switched domains (we manage around 20). He is now using our hitekautos.com domain to send spam. He spoofs the sender address and then BCCs his victims. We do see a large amount of bad IPs hitting the server (China, Nigeria, Somalia, etc.) that are being blocked by Malwarebytes. We're also using several DNS blacklists to try and reduce the spam.
We have a Cisco ASA; port 25 on our mail server is obviously available to the outside. The mail server in question is mail.rde.org.
I'm attaching a recent log file that may prove useful to troubleshoot. Experts, can you see anything that will help us nail down the problem? Our mail server IPs are in the 10.1.0.0/24 range. Internal hosts are in the 10.1.1.0/24 range. Any thoughts on how they are pulling this off and how we can mitigate the attacks?