You need to hit the Exchange logs and see where the message is originating from. Perhaps a web server you have that has been compromised and is relaying through your Exchange server. Or a users Outlook....
Hit the Exchange logs. > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:bounce- > [EMAIL PROTECTED] On Behalf Of David Stafford > Sent: Friday, April 25, 2008 10:29 AM > To: Exchange Discussions > Subject: RE: E-mail/Spam blasts on Exch 2003 > > No..I am not an open relay. I have tested and we are not. I also > used > mxtoolbox.com > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Holstrom, Don > Sent: Friday, April 25, 2008 10:05 AM > To: Exchange Discussions > Subject: RE: E-mail/Spam blasts on Exch 2003 > > I have been using mxtoolbox.com, for, among other things, to test if my > e-mail server allows relays. Has anyone experienced any reason I > shouldn't be using this nice site? > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Brett > Fernicola > Sent: Friday, April 25, 2008 9:57 AM > To: Exchange Discussions > Subject: RE: E-mail/Spam blasts on Exch 2003 > > Do you allow relaying; make sure you're not an open relay. Only allow > authenticated Outlook clients to send email from your server. This > will > stop most inside garbage email Trojans, unless the Trojan is smart > enough to piggy back off of outlook. > > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Dave > Stafford > Sent: Friday, April 25, 2008 9:45 AM > To: Exchange Discussions > Subject: E-mail/Spam blasts on Exch 2003 > > Hopefully someone can give me some help or guidance. > > I am having a problem with my 2003 Exchange server (on a Win2k3 box) > where I will get a blast of NDR's all with the same subject. This last > 15 -10 minutes and then stops for anywhere from a few hours to 3 days > and then happens again. Thought someone was spoofing me at first but I > was able to match up a lot of the outbound errors in the error log with > messages getting bounced back. It appears to be sending from my mail > server. > > I have done numerous scans with almost everyone's AV package out there > (Symantec, Sophos, Kaspersky etc...) and came up with one or two > little > things but most were easily removed and did not appear to be of the > type > that would fit this kind of activity. Anyone have any thoughts on > what's > going on or how to isolate the issue. > > Thanks in advance > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > To subscribe: http://e-newsletters.internet.com/discussionlists.html/ > To unsubscribe send a blank email to > [EMAIL PROTECTED] > dl.sparklis > t.com > Exchange List admin: [EMAIL PROTECTED] > To unsubscribe via postal mail, please contact us at: > Jupitermedia Corp. > Attn: Discussion List Management > 475 Park Avenue South > New York, NY 10016 > > Please include the email address which you have been contacted with. > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > To subscribe: http://e-newsletters.internet.com/discussionlists.html/ > To unsubscribe send a blank email to > [EMAIL PROTECTED] > dl.sparklist > .com > Exchange List admin: [EMAIL PROTECTED] > To unsubscribe via postal mail, please contact us at: > Jupitermedia Corp. > Attn: Discussion List Management > 475 Park Avenue South > New York, NY 10016 > > Please include the email address which you have been contacted with. > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > To subscribe: http://e-newsletters.internet.com/discussionlists.html/ > To unsubscribe send a blank email to > [EMAIL PROTECTED] > dl.sparklist. > com > Exchange List admin: [EMAIL PROTECTED] > To unsubscribe via postal mail, please contact us at: > Jupitermedia Corp. > Attn: Discussion List Management > 475 Park Avenue South > New York, NY 10016 > > Please include the email address which you have been contacted with. > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange > To subscribe: http://e-newsletters.internet.com/discussionlists.html/ > To unsubscribe send a blank email to leave-37407564- > [EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > To unsubscribe via postal mail, please contact us at: > Jupitermedia Corp. > Attn: Discussion List Management > 475 Park Avenue South > New York, NY 10016 > > Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with.
