The Merak server is installed with a series of folders for tracking mail. The
\merak\mail\ directory is broken down into a couple of parts. The users fall
under their domain names like this: \merak\mail\'domain'\'user'\. Mail
received for sending goes to the \forward\ directory. When it bounces or
fails, it goes to the \forward\retry\ directory, where it sits and is retried
by the server on a fixed schedule of intervals. After the predetermined number
of days it finally fails, with a notice to the mail admin.
That huge amount of mail you see in the forward directory is 99% spam, I am sure.
Our suggestions are this:
- Make sure that the ONLY IP in the relaying field is 127.0.0.1 (if by
chance your internal IPs have been spoofed or compromised)
- Stop the POP before SMTP (the spammer is in the systems cache and is not
being cleared)
- Delete the mail in the forward and retry directories
- Leave the POP before SMTP option off for a day.
- Go through your SMTP log and search for AUTH. Below this you will see
four lines of info like this: jx7r3js9e3. This is Base64 code. You can find a
base64 decoder at this site: http://makcoder.sourceforge.net/demo/base64.php
- Copy the info from the logs and paste it into the decoder and decode them
one at a time. This will give you the logins and passwords of the people that
are authenticating on the SMTP engine.
- Track down these accounts and make sure they are not hacked accounts.
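The log review described in the last three points can be done in one pass instead of pasting lines into a web decoder one at a time. The script below is an added example, not part of the original post and not a Merak tool: it walks a constructed SMTP log in a hypothetical layout (session id, time, a Connect line with the client IP, and the AUTH LOGIN exchange that follows), base64-decodes only the username reply that comes after the server's `334 VXNlcm5hbWU6` ("Username:") prompt, and then groups the logins by account and source IP so you can see which accounts are authenticating and from how many places. The password reply is intentionally left undecoded; the account name and the IP spread are what you need to track down a hacked account. Tokens that are not valid base64 are reported as undecodable rather than crashing the run.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample SMTP log. The layout ([session] time direction text) is
# an assumption for this example and is NOT Merak's real log format.
# Each AUTH LOGIN is followed by four lines: the server's "334 Username:"
# prompt, the client's base64 username, the server's "334 Password:" prompt,
# and the client's base64 password.
SAMPLE_LOG = """\
[0001] 10:00:01 Connect 192.0.2.10
[0001] 10:00:02 >>> AUTH LOGIN
[0001] 10:00:02 <<< 334 VXNlcm5hbWU6
[0001] 10:00:03 >>> Ym9iQGV4YW1wbGUuY29t
[0001] 10:00:03 <<< 334 UGFzc3dvcmQ6
[0001] 10:00:04 >>> aHVudGVyMg==
[0002] 10:00:05 Connect 198.51.100.7
[0002] 10:00:06 >>> AUTH LOGIN
[0002] 10:00:06 <<< 334 VXNlcm5hbWU6
[0002] 10:00:07 >>> Ym9iQGV4YW1wbGUuY29t
[0002] 10:00:07 <<< 334 UGFzc3dvcmQ6
[0002] 10:00:08 >>> aHVudGVyMg==
[0003] 10:00:09 Connect 192.0.2.10
[0003] 10:00:10 >>> AUTH LOGIN
[0003] 10:00:10 <<< 334 VXNlcm5hbWU6
[0003] 10:00:11 >>> not-base64!
[0003] 10:00:11 <<< 334 UGFzc3dvcmQ6
[0003] 10:00:12 >>> aHVudGVyMg==
"""

# "334 VXNlcm5hbWU6" is the standard AUTH LOGIN username prompt
# (base64 of "Username:"); the password prompt "334 UGFzc3dvcmQ6" is ignored.
USERNAME_PROMPT = "<<< 334 VXNlcm5hbWU6"
LINE_RE = re.compile(r"^\[(?P<sess>\w+)\] \S+ (?P<rest>.*)$")


def decode_b64(token):
    """Strictly decode one base64 token; return None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def extract_auth_logins(log_text):
    """Return one record per AUTH LOGIN attempt: session, client IP, decoded username.

    Only the username reply is decoded. The password reply that follows the
    "334 Password:" prompt is deliberately not touched.
    """
    session_ip = {}   # session id -> client IP from its Connect line
    expecting = {}    # session id -> what the next relevant line should be
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess, rest = m.group("sess"), m.group("rest")
        if rest.startswith("Connect "):
            session_ip[sess] = rest.split(" ", 1)[1]
        elif rest == ">>> AUTH LOGIN":
            expecting[sess] = "prompt"
        elif rest == USERNAME_PROMPT and expecting.get(sess) == "prompt":
            expecting[sess] = "user"
        elif rest.startswith(">>> ") and expecting.get(sess) == "user":
            token = rest[4:]
            records.append({
                "session": sess,
                "ip": session_ip.get(sess),
                "username": decode_b64(token),  # None if undecodable
                "raw": token,
            })
            expecting[sess] = None   # password line comes next; skip it
    return records


def logins_by_account(records):
    """Group the source IPs seen per account; undecodable tokens land in one bucket."""
    seen = defaultdict(set)
    for r in records:
        seen[r["username"] or "<undecodable>"].add(r["ip"])
    return {user: sorted(ips) for user, ips in seen.items()}


if __name__ == "__main__":
    for user, ips in logins_by_account(extract_auth_logins(SAMPLE_LOG)).items():
        print(f"{user}: authenticated from {len(ips)} IP(s): {', '.join(ips)}")
```

Point it at your real log by replacing `SAMPLE_LOG` with the file contents and adjusting `LINE_RE` to the actual line layout; an account that shows up from many unrelated IPs, or one that authenticates far more often than its owner could, is the one to check first.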
If all else fails, go to the Delivery Tab, click Restore Defaults in the
corner and just remove the IPs in the SMTP relay field, leaving only the
127.0.0.1 IP. There may be other options that you clicked that could be messing
up the relaying, so defaulting these fields is not a bad idea.