Geekzone: technology news, blogs, forums


AartJansen

26 posts

Geek
+1 received by user: 1


#105225 29-Jun-2012 14:55

So last week a client's server had a user account hacked, then abused to send bulk spam.
Telecom handled the problem really well.

1st they rang the business owner the next day: "your email has been blocked, you are sending so much spam you will shut down the internet". Apparently the guy said that 4 or 5 times.

At this point the problem hadn't been identified. I assumed some kind of open relay was created by the techs who installed a scan-to-email machine a few weeks earlier, and it had been exploited. I ensured there was no relay and turned on maximum event logging.

Next day there was more spam, but I had enabled logging, so I saw that an IP from Germany was logging in as a local user and delivering bulk email.

I changed the password, hardened the password policy, cleared the queues, and thought all done.

Email still wasn't going; senders were bouncing immediately from the backup MX server hosted by Xtra (weird, I thought).

Got Xtra to delete the backup record; screw it, I thought, we'll add it back later.

Still no email. Xtra perpetually denied it was them: just wait! It can take 24 hours to remove the block (obviously Xtra don't manage such things themselves; it's outsourced to Yahoo, I bet).

Then several calls later they admitted the server got blacklisted, not by any reputable blacklist (I had been checking) but by Xtra. Apparently they have their own blacklist that you can't know about or check yourself. Real helpful.

Now a full week later, and after emails had worked again, mail outbound to Xtra is borked once more.

CYaBro
4708 posts

Uber Geek
+1 received by user: 1182

ID Verified
Trusted

  #648300 29-Jun-2012 16:08

Sign them up for something like SMX and use that for the SMTP server.
That's what we're moving our bigger clients over to.
Never have to worry about being blacklisted again and also works as a backup MX if the client's server goes down.




Opinions are my own and not the views of my employer.

