lkg115 (ASKER)

On spam List, how can I determine if we are sending spam

Our NAT public IP address was put on a public spam list. We run Exchange 2003 on a Windows 2003 server. We have a Barracuda 300 spam firewall (running in inbound mode). We have a Symantec 5420 firewall appliance.

What steps can I follow to determine if it is possible we are sending out spam without my knowledge? I also worry it may be coming from a machine other than my Exchange server.

Or what configuration changes can I make to ensure all emails are only coming from our exchange server?
Sembee

You should configure your firewall to block all port 25 traffic that tries to leave your network, except for those devices that should be sending the messages. That will show a compromised machine very quickly.

Simon.
tron121

I agree with Sembee, tighten up your outbound filtering. Make sure you are saving your firewall logs too.
Once you have your new filter in place, make sure you test that the denied packets are indeed being logged. You can try this by opening a cmd window on a PC and typing "telnet mail.sonic.net 25". If you get a response from the mail server, your filter is not working; if you don't get a response, look for the block message in your firewall logs.

Most firewalls have the capability to output syslog logging. I recommend the free syslog tool Kiwi Syslog (http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/).

Syslog logs are saved as .txt files and are easily searchable with Notepad or even Windows search. It makes it very easy to find problems like the one you are experiencing.
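As an added example (not code from the thread or from any of the products mentioned), here is a small Python script that does what Sembee and tron121 describe: it reads egress firewall syslog lines, confirms the port-25 block is actually being enforced, and lists every internal host other than the Exchange server that tried to talk to port 25. The log line layout, the 10.1.1.5 Exchange address and the sample lines are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines from a hypothetical egress firewall; the field
# layout is an assumption, not the Symantec 5420's real log format.
SAMPLE_LOG = """\
Mar 12 09:14:02 fw01 kernel: DENY out src=10.1.1.57 dst=203.0.113.10 proto=TCP sport=3345 dport=25
Mar 12 09:14:03 fw01 kernel: ALLOW out src=10.1.1.5 dst=198.51.100.20 proto=TCP sport=2501 dport=25
Mar 12 09:14:05 fw01 kernel: DENY out src=10.1.1.57 dst=203.0.113.11 proto=TCP sport=3346 dport=25
Mar 12 09:14:06 fw01 kernel: DENY out src=10.1.1.57 dst=203.0.113.12 proto=TCP sport=3347 dport=25
Mar 12 09:14:09 fw01 kernel: DENY out src=10.1.1.80 dst=192.0.2.9 proto=TCP sport=4100 dport=25
Mar 12 09:14:10 fw01 kernel: DENY out src=10.1.1.57 dst=203.0.113.13 proto=TCP sport=3348 dport=80
"""

# Assumed address of the Exchange server, the only host that may send on port 25.
EXCHANGE_SERVER = "10.1.1.5"

LINE_RE = re.compile(
    r"(?P<action>DENY|ALLOW) out src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=TCP sport=\d+ dport=(?P<dport>\d+)"
)

def parse_line(line):
    """Extract action, source, destination and destination port; None if not a firewall line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"action": m["action"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def outbound_smtp_offenders(log_text, allowed=(EXCHANGE_SERVER,), threshold=1):
    """Map each non-allowed internal host that tried to reach port 25 to
    (attempt_count, distinct_destination_count): many destinations from one PC is the spam-bot signature."""
    attempts, targets = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 25 or rec["src"] in allowed:
            continue
        attempts[rec["src"]] += 1
        targets.setdefault(rec["src"], set()).add(rec["dst"])
    return {ip: (n, len(targets[ip])) for ip, n in attempts.items() if n >= threshold}

def filter_is_effective(log_text, allowed=(EXCHANGE_SERVER,)):
    """False if port-25 traffic from a non-allowed host was ALLOWed, i.e. the egress
    rule is not doing its job (the same thing the 'telnet ... 25' test checks)."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "ALLOW" and rec["dport"] == 25 and rec["src"] not in allowed:
            return False
    return True
```

Point the script at the Kiwi Syslog .txt files instead of SAMPLE_LOG and the host at the top of the offenders list is the one to pull off the network and inspect.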
lkg115 (ASKER)

I have the firewall locked down; SMTP traffic should only be allowed from the Exchange server. We have Exchange 2003. On the Exchange server I have relaying allowed only for computers in the list 10.1.1.0, and I allow relaying if successfully authenticated regardless of the above list. Is there something I am overlooking?
If the RBL you are listed on can give you an example email of abuse, try and look at the headers, then correlate it to your firewall logs to see when the email was sent through the Exchange server. Once you have that nailed down, use the Message Tracking Center in Exchange System Manager to find out how the message was submitted (from what PC/user).

99% of the time spyware will send the spam out directly. It's not common for them to use MAPI and Outlook to send it out through the Exchange server....
I wouldn't recommend allowing relaying by IP address. That can easily turn the server into an open relay. Some firewalls handle NAT traffic in such a way that external traffic looks like it is coming from the firewall's internal IP address.

Ideally all relaying should be controlled by authentication only, with the administrator account excluded from being used under any circumstances.
If you have applications that need to relay through your Exchange server (by that I mean send to external email addresses - sending to internal email addresses does not require relaying settings) then use a second SMTP virtual server that is not exposed to the internet.

Simon.
lkg115 (ASKER)

Here is what the listing website said (why we ended up on the list):

XX.xx.xx.xx  appeared to be suspicious because it was using the following name to identify itself during email (port 25) connections via the SMTP HELO/EHLO commands:

      h-XX-XX-XX-XX.sfldmidn.covad.net          (where XX-XX-XX-XX is our NATed external IP address)

This MAY have been spamware, or it would be a misconfiguration in your mail server.  The CBL attempts to distinguish real mail server software from malware SMTP clients by expecting users to name their mail server[s] to indicate who _they_ are, not some random home PC in a generic end-user pool that's probably infected.

By causing your mail server to claim to be, for example,

mail.<your domain>

Chances are you won't be relisted.

Can someone help me figure out what I need to do to configure my Exchange server correctly...

Put your domain into dnsreport.com and see what it flags in the mail server section.
Do you route email out through the appliance? If not, then you may want to consider doing that. Use a smart host on an SMTP Connector to do that. http://www.amset.info/exchange/smtp-connector.asp
On the appliance, ensure that its HELO/EHLO is configured to match your DNS and reverse DNS for your MX records.

Simon.
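As an added example (not from the thread, dnsreport.com or the CBL), this Python function performs the consistency check Simon is asking for: the HELO/EHLO name should be a real FQDN for the mail host, resolve to the sending IP, agree with forward-confirmed reverse DNS, and be one of the domain's MX hosts, and should not look like an ISP pool name of the h-XX-XX-XX-XX form. The DNS tables, 192.0.2.45 and the example names are constructed assumptions so the check runs offline.

```python
import re

# Constructed DNS records standing in for live lookups (assumption: the IP,
# names and domain are illustrative, not the thread's real values).
PTR = {"192.0.2.45": "h-192-0-2-45.example-isp.net"}   # reverse DNS of the NATed public IP
A = {"h-192-0-2-45.example-isp.net": "192.0.2.45", "mail.example.com": "192.0.2.45"}
MX = {"example.com": ["mail.example.com"]}

# ISP end-user pool names usually embed the IP address (h-1-2-3-4..., ip-1-2-3-4..., 1-2-3-4.dsl...).
GENERIC_POOL_RE = re.compile(
    r"^(?:h|host|ip|dsl|dyn|pool|cpe)?[-.]?\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}", re.I
)

def looks_like_generic_pool(name):
    """Heuristic for the kind of HELO name the CBL describes as 'some random home PC'."""
    return bool(GENERIC_POOL_RE.match(name))

def check_helo(helo, public_ip, domain, ptr=PTR, a=A, mx=MX):
    """Return the list of problems with the name the server announces in HELO/EHLO;
    an empty list means HELO, forward DNS, reverse DNS and the MX record all agree."""
    findings = []
    if looks_like_generic_pool(helo):
        findings.append("HELO looks like an ISP end-user pool name")
    if "." not in helo:
        findings.append("HELO is not a fully qualified domain name")
    if a.get(helo) != public_ip:
        findings.append("HELO name does not resolve to the sending IP")
    rdns = ptr.get(public_ip)
    if rdns is None:
        findings.append("sending IP has no reverse DNS")
    else:
        if a.get(rdns) != public_ip:
            findings.append("reverse DNS is not forward-confirmed")
        if rdns != helo:
            findings.append("reverse DNS name differs from HELO name")
    if helo not in mx.get(domain, []):
        findings.append("HELO name is not one of the domain's MX hosts")
    return findings
```

Replace the three dictionaries with real lookups (for example via the dns.resolver module) to run it against your own domain.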
lkg115 (ASKER)

I do not have email routed through our Barracuda firewall. However, I may investigate doing that if that can eliminate the problem with the server sending out spam. I have yet to find any trojans on the server. The DNS report shows that everything is OK with my mail setup. However, for whatever reason, extensive open relay tests do not work.

As a side note... on my Exchange server I see a process named esmta.exe. Is this the culprit?

 
lkg115 (ASKER)

I meant to say the process is emsmta.exe... is this the culprit?
emsmta.exe is part of Exchange.
If you find something that you don't recognise, just put it into Google. Legitimate file names will quickly show.
For example:
http://www.google.co.uk/search?hl=en&q=emsmta.exe

You either have to route email through the appliance, or the server needs to be configured correctly. However if the server does not receive email then you will fail some antispam tests. It is becoming more common to do a call back, where the server you are sending to tries to connect back. The theory is that a compromised home user will not have port 25 open for inbound traffic.

Simon.
ASKER CERTIFIED SOLUTION
tron121

lkg115 (ASKER)

The FQDN is my mail server. Incoming mail is coming into the Barracuda, then forwarded to Exchange. However, I have the appliance in inbound mode and not forwarding all email through outbound. I did reconfigure the Barracuda to not send out NDRs. I am not sure if that may have triggered the problem.
SOLUTION