[CentOS] Relaying of spam

Sun Feb 5 18:53:14 UTC 2006
Marcel <mbeaudry at insanitylab.com>

Hi, sorry if this isn't the right place to post, but I'm having some 
trouble figuring out a spamming issue. If anyone here can help, that'd 
be amazing.

I'm running Brian's CentOS/BlueQuartz CD, version 3.5 from Nuonce.net. 
Everything seemed to be running fine for several days until this 
morning, when I received a zillion "returned mail" notices from the 
mailer daemon. Within it, it said it was unable to complete sending to 
the following users for various reasons and blah blah blah. That's fine, 
but I never initiated the email.

In my logs, entries like the following show up ('portal' is the name of 
the box obviously):

Feb  5 12:11:45 portal sendmail[17135]: k15EXFZf015093: SMTP outgoing connect on portal.xxxxxxx.com
Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: makeconnection (mobilemail.caii-dc.com. [209.135.227.253]) failed: Connection timed out with mobilemail.caii-dc.com.
Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=<aldara at caii-dc.com>, ctladdr=<username at portal.xxxxxxxxxxxxxxxxxxxx.com> (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mobilemail.caii-dc.com. [209.135.227.253], dsn=4.0.0, stat=Deferred: Connection timed out with mobilemail.caii-dc.com.

Regardless of the errors, I can't figure out why/where the outbound 
email is being generated. There are many entries in the log like this, 
and I assume a lot of it is going through. The user never initiated it. 
It has to be the server itself?

Plus, it's using the full name of the server which is 
portal.domainname.com in the email address. It seems to only use ONE 
user's name though. AND it's ONLY using 1 user's name from a list of 
several.

The user account gets some spam every now and then with the following 
header info, then these returned emails. These emails are from the local 
server using an account that doesn't exist:

===============================
Subject:
The hottest issue we've seen this year
From:
ThePickOfTheYear2696 at domainname.com
Date:
Sun, 5 Feb 2006 08:52:47 -0600
To:
ThePickOfTheYear2696 at portal.domainname.com
===============================

Since the "pickoftheyear" account doesn't exist....

Are there any suggestions from the group? I'm a newb at running a mail 
server, just trying to figure out what's going on. The site in question 
did have a couple formmail scripts that I deleted.

I am interested in running chkrootkit but is there a specific package 
required for CentOS/BQ? Or just download and compile?

Thanks.

M
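
Added example, not part of the original post: the delivery entries quoted above carry a ctladdr field (sendmail's controlling user) followed by that user's uid/gid in parentheses, so grouping remote deliveries by that field shows which local account the outbound mail is being submitted under. The sample lines, host names and the function name senders_by_uid are constructed for illustration, and the parser assumes one log entry per line.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sendmail delivery-log format shown in the post
# (hosts, queue ids and addresses are made up).
SAMPLE_LOG = """\
Feb  5 12:12:51 portal sendmail[17135]: k15EXFZf015093: to=<a@example.net>, ctladdr=<siteuser@portal.example.com> (502/100), delay=03:39:35, xdelay=00:01:06, mailer=esmtp, pri=3188891, relay=mx.example.net. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection timed out with mx.example.net.
Feb  5 12:13:02 portal sendmail[17140]: k15EXFZf015094: to=<b@example.org>, ctladdr=<siteuser@portal.example.com> (502/100), delay=00:00:03, xdelay=00:00:02, mailer=esmtp, pri=120412, relay=mx.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent (ok)
Feb  5 12:13:09 portal sendmail[17151]: k15EXFZf015095: to=<c@example.org>, ctladdr=<siteuser@portal.example.com> (502/100), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120399, relay=mx.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent (ok)
Feb  5 12:14:40 portal sendmail[17203]: k15EXFZf015096: to=<root@portal.example.com>, ctladdr=<root@portal.example.com> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30500, dsn=2.0.0, stat=Sent
Feb  5 12:15:00 portal sendmail[17210]: k15EXFZf015097: to=<d@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120300, relay=mx.example.com. [192.0.2.30], dsn=2.0.0, stat=Sent (ok)
"""

# One delivery attempt: queue id, recipient(s), optional ctladdr with uid/gid,
# the mailer used and the first word of the status.
ENTRY = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): to=(?P<to>[^ ]+), "
    r"(?:ctladdr=<(?P<ctl>[^>]*)> \((?P<uid>\d+)/(?P<gid>\d+)\), )?"
    r".*?mailer=(?P<mailer>\w+),.*?stat=(?P<stat>\w+)"
)

def senders_by_uid(log_text, remote_mailers=("esmtp", "smtp", "relay")):
    """Return (ctladdr, uid, messages, sent, other) rows, busiest sender first."""
    stats = defaultdict(lambda: {"messages": set(), "sent": 0, "other": 0})
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        # Skip non-delivery lines and deliveries that stay on this host.
        if not m or m["mailer"] not in remote_mailers:
            continue
        if m["ctl"] is not None:
            key = (m["ctl"], int(m["uid"]))
        else:
            key = ("<no ctladdr>", None)  # no local uid recorded on this entry
        entry = stats[key]
        entry["messages"].add(m["qid"])  # count each queued message once
        entry["sent" if m["stat"] == "Sent" else "other"] += 1
    rows = [(ctl, uid, len(s["messages"]), s["sent"], s["other"])
            for (ctl, uid), s in stats.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for ctl, uid, messages, sent, other in senders_by_uid(SAMPLE_LOG):
        print(f"{ctl} uid={uid}: {messages} messages, {sent} sent, {other} deferred/failed")
```

A uid reported this way can be mapped back to an account name with `getent passwd <uid>`.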