One interesting note: when they would connect to our sendmail, it would see their IP, but they were identifying themselves with a server name that was our IP address. Still not sure how they were pulling off the relay, as their IP was not in popip.db. Doesn't poprelayd only look at /var/log/maillog?
Do you have any old formmail scripts on the server? Or any scripts based on formmail (such as yform)?
Brian
