strange emails on sendamail queue

[supportadl]

Hi to all. I see about 2.000 emails similar to this attached on my sendmail queue. I'm running Centos 5 and sendmail 8.13.8. All emails are in statud "Deferred" because destination address don't exist. I don't know how this emails arrive to my server. Only authenticated user can send mail from sendmail. I already test it. How can I see if some of my users try to send this emails? I'm not able to see this on maillog.

I have only line like this:
Jun 9 14:09:46 adlhost60 sendmail[13547]: STARTTLS=client, relay="symailserver.hsbc.co.uk"., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256

Jun 9 14:09:47 adlhost60 sendmail[13547]: o59BnO3Q013547: to=<"email address attached">, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32819, relay="symailserver.hsbc.co.uk" [193.108.72.62], dsn=5.1.1, stat=User unknown

Jun 9 14:19:34 adlhost60 sendmail[13547]: STARTTLS=client, relay="symailserver.hsbc.co.uk"., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256

Jun 9 14:19:35 adlhost60 sendmail[13547]: o59BnO3T013547: to=<"email address attached">, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32819, relay="symailserver.hsbc.co.uk". [193.108.72.62], dsn=5.1.1, stat=User unknown

Jun 9 14:30:29 adlhost60 sendmail[13547]: STARTTLS=client, relay="symailserver.hsbc.co.uk"., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256

Jun 9 14:30:29 adlhost60 sendmail[13547]: o59BnO3W013547: to=<"email address attached">, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=32819, relay="symailserver.hsbc.co.uk". [193.108.72.62], dsn=5.1.1, stat=User unknown

And now I see that i'm blacklisted on Topian. My server ip is 194.20.145.8.

Can you help me with this issue?
Thanks a lot.

[supportadl]

Hello!! Are there anyone can help me? Thanks in advance.

[davidanand]

Hi,

First please avoid posting your ip address on public forums.
Is the server working alone as an mail server ? Do you run apache as
well, if so do an ps aufx as well scan your ftp logs. check for users who
have uploaded cgi files on your box.

Please copy the entire header of your mail.

If you have incoming spam attacks add rbs to your box and enable spf for your domains.

[supportadl]

Hello. The server il working alone as an email server. It doesn't have any other services enable. What do you mean about

add rbs to your box

?
About email header, have you take a look to the image attach? Is it not helpful?
How can I remove the ip from the post?
Thanks a lot for your help.

[davidanand]

Hi,

I am sorry that was an typo, It was suppose to be RBL's.

It seems some one is relaying mails towards your server,
Check the logs under which user they got authenticated.

[supportadl]

Hi, I see a lot of spam going out from my server on saturday 5 june. Unfortunately I don't have log before that day. I take a look to the maillog but I don't see the username that send these emails. I only see destination addresses. Do you know how can I see it through all these lines? Thanks a lot.