
This is an old revision of the document!


Postfix Quick Reference

These are just some notes on things I do in Postfix.

Finding a user who has been hacked

  1. Look for messages that are being sent to multiple recipients. The queue IDs with the most delivery lines come out on top.
    grep 'postfix/smtp' /var/log/mail.log | cut -d ':' -f4 | grep -v 'connect' | grep -v warning | grep -v SSL | sort | uniq -c | sort -nr | head
  2. Grab one of the identifiers and look at where it originated. The previous command returned 47B5F826C2
    grep 47B5F826C2 /var/log/mail.log | grep 'from=' | cut -d':' -f5 | cut -d'<' -f2 | cut -d'>' -f1
  3. Choose a username. The previous command returned mail.brakzijn.nl@my.server
    grep -F mail.brakzijn.nl /var/log/mail.log | grep RCPT | cut -d'[' -f3 | cut -d']' -f1 | sort | uniq -c | sort -rn | head
  4. See the IP they are coming from, then look for the login that is associated with it
    grep -F 129.205.113.219 /var/log/mail.log | grep 'sasl_method=LOGIN' | cut -d'=' -f4 | sort | uniq -c | sort -rn
  5. That is the user that has been hacked
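
The same trace done in one pass, as an added example that is not part of the original notes: it joins each queue ID's smtpd `sasl_username=` line to that message's postfix/smtp `to=<...>` lines and counts delivery attempts per login and client IP. The sample log, logins and addresses are constructed, and the standard Postfix syslog line layout is assumed.

```shell
# Added example, not from the original notes. The log below is constructed;
# logins and addresses (RFC 5737 ranges, example.* domains) are placeholders.
sample_log() {
cat <<'EOF'
Sep 14 10:00:01 mx postfix/smtpd[901]: 47B5F826C2: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Sep 14 10:00:03 mx postfix/smtp[950]: 47B5F826C2: to=<a@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1.1, dsn=2.0.0, status=sent (250 ok)
Sep 14 10:00:03 mx postfix/smtp[951]: 47B5F826C2: to=<b@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 ok)
Sep 14 10:00:04 mx postfix/smtp[952]: 47B5F826C2: to=<c@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=2.0, dsn=4.7.1, status=deferred (try later)
Sep 14 10:01:00 mx postfix/smtpd[902]: 5A1C0D33E1: client=mail.example.net[192.0.2.99]
Sep 14 10:01:01 mx postfix/smtp[953]: 5A1C0D33E1: to=<fwd@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 ok)
Sep 14 10:02:00 mx postfix/smtpd[903]: 6B2D1E44F2: client=unknown[192.0.2.55], sasl_method=PLAIN, sasl_username=bob
Sep 14 10:02:01 mx postfix/smtp[954]: 6B2D1E44F2: to=<d@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.8, dsn=2.0.0, status=sent (250 ok)
EOF
}

# Print "attempts login client_ip", busiest first. Reads the files given as
# arguments, or stdin when none are given. Unauthenticated mail is not counted.
sasl_senders() {
    awk '
    /\/smtpd\[/ && /sasl_username=/ {       # authenticated submission
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^client=/) {
                qid = $(i-1); sub(/:$/, "", qid)
                ip = $i; sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
            }
            if ($i ~ /^sasl_username=/) {
                user = $i; sub(/^sasl_username=/, "", user); sub(/,$/, "", user)
            }
        }
        owner[qid] = user " " ip            # remember who owns this queue ID
        next
    }
    /\/smtp\[/ {                            # outbound delivery attempt
        for (i = 2; i <= NF; i++)
            if ($i ~ /^to=</) {
                qid = $(i-1); sub(/:$/, "", qid)
                if (qid in owner) count[owner[qid]]++
            }
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

sample_log | sasl_senders
```

On a live server, run it as `sasl_senders /var/log/mail.log`; a login whose count dwarfs the others, or that appears from several unrelated client IPs, is the one to lock and reset.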
software/postfix/quickreference.1600131626.txt.gz · Last modified: 2020/09/14 20:00 by rodolico