Determine the OS, see if it looks like it uses a package manager, look at log files (typically in /var/log). Run things like "netstat -tupan" or "sudo lsof -i" Doesn't hurt to look in /root (typical home of the root user) a good previous sysadmin may have left notes). Basic sysadmin stuff to figure out what software is running on that box.
If you see a luke login coming from a particular IP or range of IPs you could block that at the firewall level until you find the email user database.