I think I've stopped compromised user sending by stopping and restarting Postfix, prior to that, I've reloaded Postfix after adding/postmaping sasl_access list - that didn't help, only stopping Postfix stopped it
I'm worried that 'there is more' ? I've found one more compromised user by searching offending IP in prior maillog