Finding out which user is infected and sending spam
Posted on 2006-05-01
The title pretty much says it all. I've got a situation where there are about 25 users at one of my clients and their Exchange server just got blacklisted for sending spam. I log in and sure enough, there are well over 300 queues to various bogus domains and such. The problem is, I isolated the Exchange server from the rest of the network, which caused the queue creation to stop, but as soon as I reconnect it, the queues start building up again.
How do I find out which workstation is presumably infected with Beagle/Sasser/etc. and sending all this bogus mail to the Exchange server to be sent out?