Roundcube Community Forum

 

How to immediately disconnect certain misused account?

Started by Loriel, October 19, 2018, 11:25:55 AM

Loriel

Hello All,
we are facing a phishing attack at our site. A lot of users were hijacked. The attacker sends thousands of the maleficent mails via our Roundcube server.
So, I can realise which user account it was (roundcube DB, table identities -> user_id -> table users -> username).
But, even if I changed the user password, the attacker was still sending via roundcube. Even if I removed a session_id from the session table, it was still sending its damned spams.
The only thing that finally stopped the evil session was a restart of the server :(

Could you please advise a better way to terminate the evil session, or maybe there exists some more elegant way to kick off the attacker?

Regards
Loriel

alec


Loriel

It does not help :(
We are using the delivery scheme postfix at localhost (roundcube server itself), without authentication -> postfix at relayhost. Relayhost allows relaying from the roundcube server.
Maybe I should set up authorized SMTP at the roundcube server?