My server (Ubuntu 12.04) has recently been unable to send emails as it's IP has been blocked due to it being reported for email spam. I decided to investigate and was not pleased by what I discovered! A wireshark capture revealed an email attempted to be sent about once every 10 seconds, further investigation seemed to show that sshd sessions were being initiated which were sending tons of emails, the sshd sessions also appeared to be connected to other ips who were presumably logged in? The sshd sessions are called "sshd: root" so they are logged in as root, first thing I did was change the root password and remove all the keys. Still sshd connections are being made and are sending emails! What can I do?