I Zimbra ZCS-7.2.1_GA_2790.RHEL5 OpenSource version on a production server in CentOS 5.8.
For the second time in a month, my server has been hacked or infected by malware, the first time he was sent over 2 million spam emails and now for the second time after 30 days, were sent over 30 thousand spam.
Spam is sent as localhost, ie, my relay is closed and you can only send as localhost. Below is some important information:
- I can not find the malware on the server;
- I have a firewall enabled on the local system (iptables) closing all (INPUT DROP) and opening only the ports required for operation of service zimbra;
- How to localhost using telnet, you can send emails with the domain and any sender to any addressee. Is this normal?
- The spam is using and how sender.

I would like the help of the community, since I am having trouble solving the problem. For the second time I am in the list of spam PSBL.

Follows below log
PSBL spamtrap mail for 200.198.6.pdf