Since Mar 30, our server has been bombed by almost one million emails. It appears that those emails use our server as a relay to bomb many email accounts with @yahoo.com.ph and @yahoo.com.tw addresses.
I had to stop the server and rename the SMTP outgoing queue folder, then manually block those IPs that keep sending us emails.
It looks like these hacking emails can bypass our security, and from the log they do not need to log into our server; the relay just processes them automatically. I did not change any settings except that I tried to allow the Facebook login. I still don't know if it is some wrong setting in the Facebook login method, so on April 3 I quickly disabled the Facebook login method as well. But these hacking emails had already created a huge backlog of emails, plus many thousands of emails were bounced back from these @yahoo.com.ph and @yahoo.com.tw addresses, so the SMTP log file alone for each of those 4 days is between 389M and 1.4G in size. So it is impossible for me to browse through the log file manually.
What I managed to do is to extract the very first few minutes of the log file to see if any of you can figure out what has happened. Our server was updated to version 9.72 on April 3, and in the beginning I thought maybe there were bugs in the new version, as the server took forever to restart. Only later did I find out that there were over 600,000 emails in the SMTP outgoing queue folder.