VPOP3 is sending out lots of spam which we didn't send

There are three main reasons this can happen:

  • VPOP3 is configured as an open relay. That means you have set it so that anyone on the Internet can send outgoing messages through your VPOP3 server without logging in. The default settings in VPOP3 prevent this. It often happens because someone has tried to configure VPOP3 to allow mobile workers to send email from outside the office, but has not made SMTP authentication mandatory for those connections.
  • A user's username/password has been compromised. This can happen because you have configured passwords that are too easy to guess, or because an email client has been used on a compromised Wifi hotspot (open hotspots in cafes etc. are often targeted). If the email client does not use an encrypted (SSL/TLS) connection, the username and password are sent in clear text and can be captured by anyone else on that network.
  • A local PC has been compromised, e.g. it has a spam bot or open proxy server running on it, and is submitting messages through VPOP3 just like any other local client would.

To tell what is going on, you need to look at a sample of the spam messages in the VPOP3 Outqueue. To do this, go to the VPOP3 settings, then Users -> Outgoing Message Queue.

Look at some of the spam messages in there. The IP Addr and Auth columns are the important ones.

  • If the IP Addr values are the IP addresses of known local computers, then it is likely that those computers have malware or unwanted proxy software on them which is making them send out messages. You need to check those computers.
  • If the Auth column shows just one or two users, but the IP Addr values are of unknown computers (especially if they are in unexpected countries - use a WHOIS tool to check), then it is likely that that user's username/password has been guessed or stolen somehow. Change the user's password in VPOP3 and in any email clients/devices used by that user; until the password is changed the spammer can keep submitting messages. Make sure they do not use unknown Wifi access points in the future without their email connections being encrypted (SSL/TLS).
  • If the Auth column is blank, but the IP Addr values are of unknown computers, then you have probably configured VPOP3 as an open relay. Go to the Services -> SMTP Server settings in VPOP3. Check that SMTP Authentication is set to Required (or that Require SMTP Authentication is checked on older versions) and that SMTP Anti-Relay Protection is set to Check Client IP Address. On the IP Access Restrictions tab, check that you have not allowed access from any external IP addresses with the Allow Unauth box checked.
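The three checks above can be applied mechanically to a sample of Outqueue rows. The script below is an added example written for this article, not part of VPOP3 or its documentation: it takes rows copied from the Outqueue (the IP Addr and Auth columns plus the subject), splits them into the three scenarios, and prints the matching remediation step. The LOCAL_NETWORKS ranges and the SAMPLE_QUEUE rows are constructed assumptions; replace the network ranges with your own office LAN and the rows with the spam you actually see in the queue.

```python
"""Triage a sample of spam found in the VPOP3 Outgoing Message Queue.

Each row mirrors the two columns the article says matter, 'IP Addr' and 'Auth',
plus the message subject for readability. The rows below are constructed test
data, not output from a real VPOP3 installation.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumption: the office LAN ranges that VPOP3's local clients connect from.
# Adjust to your own network; anything outside these ranges is treated as external.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample of spam rows from the Outqueue: (IP Addr, Auth, Subject).
# 203.0.113.x and 198.51.100.x are documentation ranges standing in for
# unknown Internet hosts.
SAMPLE_QUEUE = [
    ("192.168.1.23", "", "Cheap meds"),
    ("192.168.1.23", "", "Cheap meds!!"),
    ("203.0.113.45", "bob", "You have won"),
    ("198.51.100.7", "bob", "You have won"),
    ("203.0.113.99", "", "Cheap meds"),
    ("198.51.100.200", "", "Cheap meds"),
]


def is_local(ip_text, local_networks=LOCAL_NETWORKS):
    """True if the client address falls inside one of the configured local ranges."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        # Unparsable address: treat as external so it shows up in the report.
        return False
    return any(ip in net for net in local_networks)


def triage(rows, local_networks=LOCAL_NETWORKS):
    """Split spam rows into the three scenarios described in the article.

    Returns a dict with:
      local_senders     - Counter of local IPs that submitted spam (suspect PCs)
      compromised_users - {username: sorted list of external IPs that used it}
      unauth_external   - messages accepted from external IPs with a blank Auth
      open_relay        - True when unauth_external > 0
    """
    local_senders = Counter()
    compromised_users = defaultdict(set)
    unauth_external = 0
    for ip_addr, auth, _subject in rows:
        user = (auth or "").strip()
        if is_local(ip_addr, local_networks):
            # Scenario 3: a known local computer is the source.
            local_senders[ip_addr] += 1
        elif user:
            # Scenario 2: a real account is being used from outside.
            compromised_users[user].add(ip_addr)
        else:
            # Scenario 1: external host, no authentication - relaying.
            unauth_external += 1
    return {
        "local_senders": local_senders,
        "compromised_users": {u: sorted(ips) for u, ips in compromised_users.items()},
        "unauth_external": unauth_external,
        "open_relay": unauth_external > 0,
    }


def recommendations(result):
    """Turn the triage result into the remediation steps the article gives."""
    steps = []
    for ip, n in result["local_senders"].most_common():
        steps.append(f"Check {ip} for malware or an unwanted proxy ({n} spam messages)")
    for user, ips in result["compromised_users"].items():
        steps.append(f"Change the password for '{user}' in VPOP3 and on all of their "
                     f"devices (used from {len(ips)} external IPs: {', '.join(ips)})")
    if result["open_relay"]:
        steps.append(f"{result['unauth_external']} unauthenticated messages from external "
                     "IPs: set SMTP Authentication to Required and review IP Access Restrictions")
    return steps


if __name__ == "__main__":
    for line in recommendations(triage(SAMPLE_QUEUE)):
        print("-", line)
```

Note that the script deliberately does not use Python's `is_private` flag to decide what is local: that flag also covers the documentation ranges used in the sample, and in real use it would hide a compromised account being used from a VPN or a neighbouring private network. Only the ranges you list in LOCAL_NETWORKS count as local, so be deliberate about what you put there.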