Fresh YH Install used as SPAM relay?

Hey,

I set up a fresh install of YunoHost yesterday, with one user and Transmission installed, and my provider shut it down around 3:00 after some weird network activity (online.net).

Is it possible that my server was used as a mail proxy? For SPAM or something?

Around 19:44 some weird login attempts show up in the mail.log:

Feb  8 19:44:48 MYSERVER postfix/smtpd[24246]: connect from wsip-24-234-54-82.lv.lv.cox.net[24.234.54.82]
Feb  8 19:44:49 MYSERVER postfix/smtpd[24246]: disconnect from wsip-24-234-54-82.lv.lv.cox.net[24.234.54.82]
Feb  8 19:45:37 MYSERVER postfix/master[14149]: terminating on signal 15
Feb  8 19:45:38 MYSERVER postfix/master[25578]: daemon started -- version 2.11.3, configuration /etc/postfix
Feb  8 19:45:38 MYSERVER dovecot: master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
...
Feb  8 23:48:13 MYSERVER rmilter[26724]: <f7b3229704>; accepted connection from MYDOMAIN.LTD; client: 113.64.235.50:2375 ([113.64.235.50])
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: warning: Illegal address syntax from unknown[113.64.235.50] in MAIL command: xo@ore.net
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: lost connection after MAIL from unknown[113.64.235.50]
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: disconnect from unknown[113.64.235.50]
Feb  8 23:48:16 MYSERVER postfix/smtpd[29132]: connect from unknown[113.64.235.50]
Feb  8 23:48:16 MYSERVER rmilter[26724]: <0d1e40c3d8>; accepted connection from MYDOMAIN.LTD; client: 113.64.235.50:3400 ([113.64.235.50])
Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: disconnect from unknown[113.64.235.50]
Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: connect from unknown[113.64.235.50]

And around midnight the server seems to get a mail? (from the mail.warn)

Feb  8 19:58:19 MYSERVER dovecot: log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: warning: Illegal address syntax from unknown[113.64.235.50] in MAIL command: xo@ore.net

The auth.log shows some root activity by the user I added through the admin interface on YunoHost, but maybe that is normal for the user?

Feb  8 19:57:45 MYSERVER sudo:    admin : TTY=unknown ; PWD=/var/cache/yunohost/from_file/transmission_ynh-53248789250980/scrip$
Feb  8 19:57:45 MYSERVER sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb  8 19:57:45 MYSERVER sudo: pam_unix(sudo:session): session closed for user root
Feb  8 19:57:45 MYSERVER sudo: pam_unix(sudo:session): session closed for user admin
Feb  8 20:01:13 MYSERVER su[28782]: Successful su for YHUSER by root
Feb  8 20:01:13 MYSERVER su[28782]: + ??? root:YHUSER
Feb  8 20:01:13 MYSERVER su[28782]: pam_unix(su:session): session opened for user YHUSER by (uid=0)
Feb  8 20:01:13 MYSERVER su[28782]: pam_unix(su:session): session closed for user YHUSER
Feb  8 20:09:01 MYSERVER CRON[28792]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  8 20:09:01 MYSERVER CRON[28792]: pam_unix(cron:session): session closed for user root

Syslog has a lot of Postfix activity:

Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: connect from unknown[113.64.235.50]
Feb  8 23:48:18 MYSERVER rmilter[26724]: <3a4a60fb43>; accepted connection from MYDOMAIN.LTD; client: 113.64.235.50:2201 ([113.64.235.50])
Feb  8 23:48:20 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb  8 23:48:20 MYSERVER postfix/smtpd[29132]: disconnect from unknown[113.64.235.50]
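
One way to check the relay question against mail.log, as an added example that is not part of the original thread: it separates aborted probes (the "lost connection after AUTH" and "Illegal address syntax" entries quoted above) from messages Postfix actually accepted and then delivered outward. The sample log is constructed; the queue ID, the 203.0.113.7 client and the example.org/example.net addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample. The first three lines mirror entries quoted in the post;
# the last three are made up to show what an accepted, relayed message looks like.
SAMPLE = """\
Feb  8 23:48:15 MYSERVER postfix/smtpd[29132]: warning: Illegal address syntax from unknown[113.64.235.50] in MAIL command: xo@ore.net
Feb  8 23:48:18 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb  8 23:48:20 MYSERVER postfix/smtpd[29132]: lost connection after AUTH from unknown[113.64.235.50]
Feb  8 23:50:01 MYSERVER postfix/smtpd[29140]: 3F2A1C0FFE: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user@example.org
Feb  8 23:50:02 MYSERVER postfix/smtp[29150]: 3F2A1C0FFE: to=<a@example.net>, relay=mx.example.net[198.51.100.9]:25, delay=1.2, status=sent (250 ok)
Feb  8 23:50:03 MYSERVER postfix/smtp[29150]: 3F2A1C0FFE: to=<b@example.net>, relay=mx.example.net[198.51.100.9]:25, delay=1.9, status=sent (250 ok)
"""

# smtpd session that ended without a message being queued
PROBE = re.compile(r"postfix/smtpd\[\d+\]: (?:warning: Illegal address syntax|"
                   r"lost connection after \w+) from \S*?\[([^\]]+)\]")
# smtpd assigned a queue ID: the message was accepted from this client
ACCEPT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=\S*?\[([^\]]+)\]"
                    r"(?:.*?sasl_username=(\S+))?")
# the outbound smtp client delivered that queue ID to a remote server
SENT = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-Za-z]+): to=<[^>]*>,.*\bstatus=sent")

def triage(log_text):
    """Return (probes per client IP, accepted messages that were sent outward)."""
    probes = defaultdict(int)
    accepted = {}  # queue ID -> client, SASL user, outbound delivery count
    for line in log_text.splitlines():
        if m := PROBE.search(line):
            probes[m.group(1)] += 1
        elif m := ACCEPT.search(line):
            accepted[m.group(1)] = {"client": m.group(2),
                                    "sasl_user": m.group(3), "sent": 0}
        elif (m := SENT.search(line)) and m.group(1) in accepted:
            accepted[m.group(1)]["sent"] += 1
    relayed = {q: v for q, v in accepted.items() if v["sent"]}
    return dict(probes), relayed

if __name__ == "__main__":
    probes, relayed = triage(SAMPLE)
    for ip, n in probes.items():
        print(f"probe only: {ip} ({n} aborted sessions, nothing queued)")
    for qid, info in relayed.items():
        print(f"relayed: {qid} from {info['client']} "
              f"as {info['sasl_user']} -> {info['sent']} outbound deliveries")
```

A `sasl_username` on a relayed queue ID points at a guessed or stolen mailbox password rather than an open relay; an empty `relayed` result means the log shows probing only.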

Do you remember whether you ran a su command?