I have tried to secure our server by blocking any possible open relays, and we are using Symantec Mail Security for SPAM filtering.
I really need help to block outbound spam from our email server to prevent being blacklisted by our ISP. Are there any products that can help with this? Most products I have seen are concerned with incoming mail messages as opposed to outgoing messages.
TIA for any help with this.
Ask for mail logs related to your IP from the ISP. This should show some of the history of the email your mail server sent out, to whom and from whom. Generally, this will give hints as to whether these are legitimate emails, just in high volumes, or whether you may have malware on your server or users' machines.
Look at the System Manager, Message Tracking, and verify that your server is actually the source of the emails.
Make sure you also turn off mail relay for unauthenticated connections even inside the network. (This helps block malware that uses internal resources of an open relay for internal)
Double check that accounts are secure. Check the security log for accounts authenticating that really shouldn't be.
Again, all these are hints.
Oh yeah, and thank your ISP for covering themselves. It'd be worse if you get blacklisted at one of the internet registries.
Check all your mail servers here.
http://www.mxtoolbox.com/blacklists.aspx
Then fix the open servers and call your ISP.
If that test didn't show any problem SMTP servers on your network, it might be infected client PCs sending all that spam, but I would guess it's less probable.
Is the only possible problem a virus infection? Or is there something I am missing?






I have closed open relay, but I still see current sessions from random internet addresses. Is this normal?
If you are truly using a mail relay, you shouldn't see any outgoing connections to domains other than your smart host.
If you had the open relay, all your outgoing email would still go out through your smart host.






Is it possible that I am being blocked by my ISP due to a high volume of NDR messages?
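A log triage of the kind this thread describes (who is sending to whom, and how much of the traffic is NDRs), as an added example that is not part of the original thread. The CSV columns, the sample rows, `OWN_DOMAIN` and `VOLUME_THRESHOLD` are constructed assumptions, not a real Exchange or ISP log format.

```python
import csv
import io
from collections import Counter

# Constructed sample data: a simplified CSV export of outbound mail records.
# The column layout is an assumption for this example, not a real log format.
SAMPLE_LOG = """\
time,client_ip,sender,recipient
09:00:01,192.168.1.10,alice@example.com,partner@customer.example
09:00:05,127.0.0.1,<>,a1@spoofed.example
09:00:06,127.0.0.1,<>,b2@spoofed.example
09:00:07,127.0.0.1,<>,c3@spoofed.example
09:01:10,203.0.113.50,promo@other.example,x@target.example
09:01:11,203.0.113.50,promo@other.example,y@target.example
09:02:00,192.168.1.23,jsmith@example.com,r1@target.example
09:02:01,192.168.1.23,jsmith@example.com,r2@target.example
09:02:02,192.168.1.23,jsmith@example.com,r3@target.example
09:02:03,192.168.1.23,jsmith@example.com,r4@target.example
"""

OWN_DOMAIN = "example.com"   # assumption: the organisation's only mail domain
VOLUME_THRESHOLD = 3         # assumption: per-sender count treated as high here


def triage(log_text, own_domain=OWN_DOMAIN, threshold=VOLUME_THRESHOLD):
    """Sort outbound records into the three cases raised in the thread."""
    ndr_count = 0
    relayed_by_ip = Counter()    # sender outside our domain: relayed mail
    local_senders = Counter()    # our own users: legitimate or compromised
    for row in csv.DictReader(io.StringIO(log_text)):
        sender = row["sender"].strip().lower()
        if sender in ("", "<>"):
            ndr_count += 1       # null sender marks an NDR / bounce
        elif sender.rsplit("@", 1)[-1] != own_domain:
            relayed_by_ip[row["client_ip"]] += 1
        else:
            local_senders[sender] += 1
    return {
        "ndr_count": ndr_count,
        "relayed_by_ip": dict(relayed_by_ip),
        "high_volume_local": {s: n for s, n in local_senders.items()
                              if n >= threshold},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A high `ndr_count` points at bounces to forged or non-existent recipients, entries in `relayed_by_ip` at a relay still accepting mail from foreign senders, and `high_volume_local` at an account or PC worth checking.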
I just want to clarify how exactly Symantec Mail Security is installed/configured from ANTI-SPAM in your environment. This product, like all others available, is a "prevention" mechanism/tool which is designed to combat SPAM.
With all respect to all posts/conversation, nothing is discussed about environment (client) prevention tool(s).
There is a tool (Symantec Mail Security) which needs to be configured in order to work correctly.
Microsoft Exchange itself is an open relay for the internal network, where everyone can relay SMTP traffic.
We don't need to ask for SMTP service there and Default routing known as '*'.
What is the product of Symantec that you use? Symantec Mail Security for Exchange or Symantec Mail Security for SMTP Gateways? Mail Security for Gateways is designed as a standalone SMTP server. Any 'special installations' are not feasible if you install this product on your Microsoft Exchange server.
Symantec Mail Security for SMTP Gateways (part of your Symantec Antivirus Enterprise Edition) is the inbound/outbound Mail Bridgehead for your company, installed on a machine different from your Exchange server. This server corresponds with your MX (DNS record). There is a forwarding mechanism, where you specify trusted servers for SMTP correspondence. Refer to "Relays".
If your product is Mail Security for Exchange and is installed where your Exchange server is, the setting for ANTI-SPAM needs to be revisited and policies need maintenance.
On both Symantec products reporting is available, where you can verify correspondence (inbound/outbound). On your Exchange server you can also monitor mail correspondence.
Do you have the Symantec MAIL correspondence report? There is a lot of information.
Please clarify your deployment. Symantec Mail Security can do the job for you.
What is your Symantec product and where is it installed?
Everything is a matter of policy configuration as an initial step, from where you can troubleshoot possible infection in the internal environment or open relay. Symantec Mail Security can drop messages where DNS resolution fails and non-existent recipients are described.

We are using Symantec Mail Security for Exchange, and it is installed on our Exchange Server. I could definitely use some help in the configuration. I did not install or configure the product, so I am very limited in knowledge with the Symantec product. The documentation on their website has not been very helpful.
Any tips or advice on configuration or documentation help?
Thx.
1. The installation CD consists of the Administration Guide, Deployment Guide and User Guide.
If they are missing follow the link:
ftp://ftp.symantec.com/public/english_us_canada/products/sym_mail_security/5.0_mse/manuals/
or ftp://ftp.symantec.com/public/english_us_canada/products/sym_mail_security/ and check for your version; 4.6 can do the job also.
2. License file: very important. If you don't have this file, *.slf (Symantec license file), protection is not in place. If your subscription includes "Premium Anti-Spam", excellent. It is subscription based and verifies inbound and outbound mails against a live database. Premium Anti-Spam is a separate *.slf file.
3. Policy on SMSE: default settings are identifying SPAM. Change only the rule to "delete". If you need guidance (where is it) on that, pop back to the forum.
4. The Exchange server service is bound to SMSE. Your mails must not be sent via DNS resolution. Create a "smarthost" on your Exchange with the IP of your ISP SMTP server and that's all there. Your ISP hosts the MX record for you. Inbound and outbound messages are received by the ISP and relayed.
5. SMSE can specify inbound and outbound recipients. Accept incoming messages for your domain only, outbound any. You must specify your domain there for incoming. Any others will be discarded. If you accept for all and deliver for all, problem: open relay. You must accept only for yourcompany.com
6. SMSE has a transaction log. Any information there is handy for inbound and outbound messages.
At this stage for me your issue is license file. Maybe policy configuration.
Post to forum where you are in configuration.
For future reference: consider separate server for Mail Security for SMTP gateway deployment.
This software is included in your Symantec Enterprise Security Package. You can expose only this Server as bridgehead for inbound and outbound messages. Platform is very stable.
Symantec acquired in the past the BrightMail engine, which is a "carrier class" solution. Very stable and durable.
The Premium Anti-Spam subscription is a "Dynamic Anti-Spam Database". Having this part in the mail service is definite "value for money".
If you have any settings done there so far, please post to the forum what you have configured there.
I can post to the forum the installation from A to Z. Tell me where exactly you are.
Regards,
Sembee...respect to your rank.
Where can we read a bit more about standalone Exchange 2003 on the Internet?
3drc,
if your ISP hosts your MX record, use smarthost for incoming mail and accept mails only for your domain. The article by Sembee on http://www.amset.info/exchange/spam-cleanup.asp is very handy.





