Current 2.6.0 release has some kind of bug, that allows ANONYMOUS login
even when sasl.anonymous is disabled in c2s.xml.
Yesterday I noticed, that spammers are using this bug to send spam via
my server, using ANONYMOUS logins.
I am working on a fix.
This mail is to serve as a warning.
I've been able to workaround this bug by disabling "auto-create" in
sm.xml, so the spammer can log in ANONYMOUS, but is not able to create
SM session for not-existing account.
Will keep you informed about a progress of the fix.
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/