Spam is being sent from the server
Looking at the munin graphs, we noticed that from time to time a lot of mail accumulates in the spool and sendmail starts sending it out frantically; analysis showed that spam is being sent from our server. For now we get by with clearing the queue and restarting sendmail, plus killing the perl process.
We changed the passwords and ran an antivirus scan; rkhunter doesn't seem to see anything special, and there are no suspicious files in sight. I don't know what else to do; I can't eradicate the infection.
What other steps can be taken to find the ill-fated shell?
CentOS server
Ooh, I have a story like that. When my server was hacked, I found a stray file and started digging into what it was and how it got there.
I found an IRC daemon, dug into its settings, and there was a login and password for joining an IRC channel.
I joined and sat there for 2 days, then showed signs of life; they kicked me, but then wrote me a private message asking how I had got onto that channel.
I said a friend had suggested it... I was kicked off the server, came back the next day, and then the guy gave a command to the bots, something like "everyone, Achtung!". He said he sells servers to spammers for 50-100 bucks apiece.
He himself is from Malaysia; he told me how he got onto my server... and said I had deleted everything correctly. We said goodbye :)
It was quite funny to watch him giving commands to the IRC bots...
PS: there were at most 250 "servers" in the channel.
I had exactly the same situation half a year ago on a Debian server at home. The provider even banned me "for viruses". Then I removed sendmail and only reinstalled it recently. So far there are no problems; maybe some update fixed it, or maybe when I removed everything the bad stuff got wiped along with it.
By IP, by the way, these were Google servers somewhere closer to Australia, which was very surprising oO
You should have enlisted the support of a system administrator in advance.
You don't have to hire someone on staff; there are plenty of outsourcing offers. Cheap and cheerful, but you'll be insured against situations like this.
Nothing stops you from contacting one now and having the server audited. Google to the rescue, and good luck!
There was an admin, but he didn't live up to expectations, so right now we're somewhat without one. None of the admins I know have been able to solve the problem yet.
Usually they set a limit on the number of messages sent per day; bots lose interest in such hosts.
First, you need to determine where the spam is being sent from: either you have an open relay, or it is going out through a vulnerability in your scripts. Try looking at the sendmail logs or the http/nginx logs. It is convenient to analyze the nginx log by sorting it by request string like this:
cat nginx_log | awk '{print $7}' | sort | uniq -c | egrep 'http|ftp'
The egrep is there because, with script vulnerabilities, requests may look like index.php?f=http://anydomain.tld/somefile.txt
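A slightly more thorough version of the log check from the answer above, as an added example (not the answerer's own command): it only flags request URIs whose query string points at an external http/ftp URL, including the url-encoded form, and also lists the client IPs behind those requests so they can be correlated with the bursts in the mail queue. The log lines are constructed sample data in the nginx combined format.

```shell
#!/bin/sh
# Constructed sample of nginx access log lines (combined format); not real traffic.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2013:13:55:36 +0400] "GET /index.php?page=home HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:40 +0400] "GET /index.php?f=http://example.invalid/somefile.txt HTTP/1.1" 200 1043 "-" "libwww-perl/5.8"
203.0.113.7 - - [10/Oct/2013:13:56:02 +0400] "GET /index.php?f=http://example.invalid/somefile.txt HTTP/1.1" 200 1043 "-" "libwww-perl/5.8"
203.0.113.9 - - [10/Oct/2013:13:57:11 +0400] "POST /contact.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:58:20 +0400] "GET /gallery.php?img=ftp://example.invalid/x.php HTTP/1.1" 200 512 "-" "-"'

# Field 7 of the combined format is the request URI. Print only URIs whose
# query string carries an external URL (plain or url-encoded "://"), then
# count how often each one was requested, most frequent first.
suspicious_uris() {
    awk '{ lc = tolower($7)
           if (lc ~ /[?&][^ ]*=(https?|ftp)(:\/\/|%3a%2f%2f)/) print $7 }' \
    | sort | uniq -c | sort -rn
}

# Same filter, but report the client IPs that issued those requests, so the
# timestamps can be matched against the spikes seen in the sendmail queue.
suspicious_clients() {
    awk '{ lc = tolower($7)
           if (lc ~ /[?&][^ ]*=(https?|ftp)(:\/\/|%3a%2f%2f)/) print $1 }' \
    | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | suspicious_uris
printf '%s\n' "$SAMPLE_LOG" | suspicious_clients
```

On a real server feed the access log in on stdin instead of the sample, e.g. `suspicious_uris < /var/log/nginx/access.log`; the script whose URI tops the list is the one to inspect for the injection point.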