Current 2.6.0 release has some kind of bug, that allows ANONYMOUS login even when sasl.anonymous is disabled in c2s.xml.
Yesterday I noticed, that spammers are using this bug to send spam via my server, using ANONYMOUS logins. I am working on a fix. This mail is to serve as a warning. I've been able to workaround this bug by disabling "auto-create" in sm.xml, so the spammer can log in ANONYMOUS, but is not able to create SM session for not-existing account. Will keep you informed about a progress of the fix. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/