Repeated Blacklisting

I would also check other clients connected to the wireless network that the user is using to make a VPN connection to make sure they are not infected.

Make sure the wifi is secure and someone hasn't hijacked it

Excessive blacklisting is also common when you use auto-responders or out-of-office reply mails. The problem with these is that they reply blindly to all mails, even spam mails. Spammers usually have a huge list of millions of collected email addresses and as they dont want to use their real email address as a sender they pick random addresses.

the problem here is that sometimes it reaches a random address that is unfortunately the address of a spam honeypot (Used by blacklist owners to determine who is sending spam) and as your clients exchange answers like "Sorry Mr. brown is out of office untill..." it is automatically listed as a spammer. We have had that so often, the only way to get off is to disable out-of-office and other auto-responders or use an intelligent gateway like ironport before the exchange.

Thanks for your suggestions so far.

Demazter - I will be visiting the customer tomorrow so will check each machine carefully for the registry keys.  Not sure if I can check the remote machines, but will try to gain remote access to those to see if they are infected.

Wi-Fi should be secure, although I am going to turn it off as no-one uses it (apart from us when we visit), so no need for it to be on.

kyodai - They are on a blacklist for backscatter - waiting for removal (automatic in 28 days).  When we took them over they had NDR's and DR's set to allow, so they got listed for backscatter.  This has been turned off and no further backscatter has been reported since.

What bugs me is how with ISA in the loop, that the spam is being sent out.  Surely it cannot be going via the server as spammers use their own SMTP engines and with ISA in the way would that not stop the spam?

Using the logs in ISA and editing the filter in the monitoring section to list all entries destined for port 25 and exclusing the source IP as the server and destination ip as the server, it left a list as long as my arm coming from one IP, every few seconds.

Using DHCP to track down that IP address it identified one machine - the bosses!

Checking the registry (thanks Glen) I identified the relevant entries and removed them.  I am now running MalwareBytes (4 red items so far) and will delete the temp files (which is where the HKLM \ software \ microsoft \ windows \ current version \ run  executable is being run from).

Well - I think I just saved myself from working on a Saturday - with your help!

Glad to be of assistance ;-)

This previous EE question helped me with the ISA monitoring:

http://www.experts-exchange.com/Software/Internet_Email/Email/Anti_Spam/Products/Spam_Assassin/Q_23248515.html

Good work!
ISA can be invaluable sometimes.

I was hoping it would be blocking, but it helped identify the problem straight away.

Having modified the filter to exclude the source IP which I identified as the source, there were no other IP's listed, so I am happy that the problem has been resolved.

Thanks Glen - invaluable help.

You should be able to set ISA to only allow the servers IP address outbound on Port 25, I can only assume that who ever looked after this company before you did has an ANY ANY rule for outbound traffic.

A good starting point to prevent this and other issues in the future would be to setup all outbound traffic from anything other than your server (which you would use a publishing rule for) to only allow port 80 & 443 for example.

You may find this document usefull, it is for Exchange Server but the principles should be the same with SBS:http://technet.microsoft.com/en-us/library/cc713317.aspx

smtp outbound rule only allows localhost to external!

Hmmm, must be relaying via the exchange server then?

From your link:

Summary: This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.

So many links ;-)