A hacker used a brute force attack (kept connecting and using auth to try passwords) and successfully guessed the password of one of our customers.
This was followed by a bunch of computers bashing our mail server to send a few million spams using that customer's login credentials. A botnet was apparently involved, as the spam originated from many IP addresses.
I have disabled the account in question until I can contact the customer and arrange for a new, stronger, password.
I have deleted all the spam that was still in queue.
I’ve checked blacklists and, where we were listed, requested removal. One automatically removes only after seven days and won’t manually remove without a $119 extortion fee. Another has had us listed since 2007 apparently because one of our customers angered someone in IRC. That’s hard to imagine.
At any rate I’ve got things as cleaned up as they can be for now.
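The two signals in this incident, a successful login right after a run of failed attempts and one account then authenticating from many IP addresses, can be checked for in authentication logs. The following is an added example, not part of the original post; the log format, thresholds and names are assumptions and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, hypothetical log format (an assumption;
# adapt LINE_RE to whatever your mail server actually writes).
SAMPLE_LOG = """\
2024-01-01T03:00:01 auth fail user=alice ip=203.0.113.5
2024-01-01T03:00:02 auth fail user=alice ip=203.0.113.5
2024-01-01T03:00:03 auth fail user=alice ip=203.0.113.5
2024-01-01T03:00:04 auth fail user=alice ip=203.0.113.5
2024-01-01T03:00:05 auth fail user=alice ip=203.0.113.5
2024-01-01T03:00:06 auth ok user=alice ip=203.0.113.5
2024-01-01T03:05:00 auth ok user=alice ip=198.51.100.7
2024-01-01T03:05:01 auth ok user=alice ip=198.51.100.8
2024-01-01T03:05:02 auth ok user=alice ip=192.0.2.44
2024-01-01T08:00:00 auth fail user=bob ip=192.0.2.10
2024-01-01T08:00:09 auth ok user=bob ip=192.0.2.10
2024-01-01T09:30:00 auth ok user=bob ip=192.0.2.10
"""

LINE_RE = re.compile(r"^\S+ auth (ok|fail) user=(\S+) ip=(\S+)$")

def analyze(log_text, fail_threshold=5, ip_threshold=3):
    """Return (guessed, shared): accounts that logged in right after a run of
    failures, and accounts authenticated from many distinct IP addresses."""
    fail_run = defaultdict(int)   # consecutive failures since last success
    ok_ips = defaultdict(set)     # distinct source IPs of successful logins
    guessed = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines that are not auth events
        result, user, ip = m.groups()
        if result == "fail":
            fail_run[user] += 1
        else:
            if fail_run[user] >= fail_threshold:
                guessed.add(user)  # success directly after a failure run
            fail_run[user] = 0
            ok_ips[user].add(ip)
    shared = {u for u, ips in ok_ips.items() if len(ips) >= ip_threshold}
    return sorted(guessed), sorted(shared)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

An account that appears in both lists is a candidate for being disabled and given a new password, as was done here.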