I'm getting bounced mail from a couple domains that looks like my server has been compromised to send spam. The mail comes from domains I have but not from mail users I have set up in Plesk/qmail. For example, one was sent from: From: "bucktoothed" <firstname.lastname@example.org> I need some help in knowing where to start looking for the vulnerability. I've ran chkrootkit and rkhunter and come up clean in both cases. I've also attempted looking at the /var/qmail/mailnames/domain.com/legit-user/Maildir/.sent-mail/ folders for signs of the spam but since it's coming from users that shouldn't even exist there's nothing there. I've checked my outgoing mail relay settings and it requires SMTP authentication. The domain(s) in question are not running any scripts--in fact, one only has a single .html file and an image in the httpdocs dir. I'm not sure where to go from here.