Glen,

What about checking the current sessions for your Default SMTP Virtual Server? That shows a machine name and IP address for open connects. I'm pretty sure there is a command line tool in Windows that lets you see open TCP connects and the source IP. I thought it was NBTSTAT, but my tests were not revealing what I expected.

Also of note, the relay restrictions properties page has a little check box under the allowed computers that states "Allow all computers which successfully authenticate to relay, regardless of the list above." If that is checked, then your client domain machines will be allowed to relay.

We use a McAfee template on our local workstations to prevent machines from opening port 25, which will prevent most of this problem. I think it's the policy firewall, not necessarily the AV. One of my counterparts really configures that, but I run into problems all the time b/c I have to get him to make exceptions for workstations that need to send email for one reason or another - outside of Outlook.

Hope that helps, and hope the text only option alleviates the odd characters that showed on my previous reply earlier today.

Doug

From: Glen Johnson [mailto:[email protected]]
Sent: Friday, July 10, 2009 9:28 PM
To: MS-Exchange Admin Issues
Subject: 2k3 message tracking

I've looked in message tracking and also at the logs and can't find what I need. We have a client PC sending hundreds of spam emails through our Exchange server. Nothing open directly from Exchange to the internet except https for OWA. Relaying is disabled except for 4 IPs which are other servers.

Anyway, we have frozen a ton of them in the SMTP queue and message tracking shows them but doesn't say where they originate. They originate from 2 different accounts and it is possible that both of these users have logged onto the same computer. Part time faculty and they all share several computers.

Any suggestions appreciated.
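
Added example (not part of either message in this thread): one way to do the open-connection check suggested in the reply above, assuming the Windows tool in question is `netstat` and using constructed sample output. The allow-list address and the function name `Get-InboundSmtpClients` are hypothetical.

```powershell
# Constructed sample of `netstat -ano` output (not from the thread).
# On the Exchange server itself, use instead:  $lines = netstat -ano
$lines = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:25            10.0.0.21:1034         ESTABLISHED     1880
  TCP    10.0.0.5:25            10.0.0.87:2211         ESTABLISHED     1880
  TCP    10.0.0.5:25            10.0.0.87:2212         ESTABLISHED     1880
  TCP    10.0.0.5:25            10.0.0.87:2215         TIME_WAIT       0
  TCP    10.0.0.5:443           10.0.0.40:3301         ESTABLISHED     4
  TCP    10.0.0.5:1290          10.0.0.9:25            ESTABLISHED     1880
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1880
'@ -split "`r?`n"

# Hypothetical allow list: the servers permitted to relay (the thread mentions 4 such IPs).
$allowedRelays = @('10.0.0.21')

function Get-InboundSmtpClients {
    param(
        [string[]]$NetstatLines,
        [string[]]$Allowed = @(),
        [int]$Port = 25
    )
    $NetstatLines | ForEach-Object {
        # Columns: protocol, local address:port, remote address:port, state
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)') {
            $localPort = [int]$Matches[2]
            $remote    = $Matches[3]
            $state     = $Matches[5]
            # Keep only connections made *to* the local SMTP port; skip the
            # listener row and outbound deliveries (remote port 25).
            if ($localPort -eq $Port -and $state -ne 'LISTENING') {
                New-Object PSObject -Property @{ RemoteIP = $remote; State = $state }
            }
        }
    } | Group-Object RemoteIP | ForEach-Object {
        New-Object PSObject -Property @{
            RemoteIP     = $_.Name
            Connections  = $_.Count
            AllowedRelay = ($Allowed -contains $_.Name)
        }
    } | Sort-Object Connections -Descending
}

# Clients with many sessions and AllowedRelay = False are the ones to look at first.
Get-InboundSmtpClients -NetstatLines $lines -Allowed $allowedRelays |
    Format-Table RemoteIP, Connections, AllowedRelay -AutoSize
```

With the sample data, 10.0.0.87 is listed first with three connections and `AllowedRelay` False, while the outbound delivery to 10.0.0.9:25 and the HTTPS session are ignored.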
