My Exchange 2003 server was sending emails to accounts in the UK. It never got blacklisted.
The email account that was sending the emails is firstname.lastname@example.org.
I have a ninja spam filter and I had to enable the internal Exchange 2003 spam filter to disable this email address. This email address does not exist in the Exchange organization.
My Exchange server does not relay any traffic from outside and it hosts only a single domain.
What shocked me is that the spyware was using the Exchange to send the emails and not its own internal engine. I block all SMTP traffic that does not originate on the Exchange server.
Is there a way to block all email addresses from sending emails unless they are explicitly in Active Directory? How do I track the user account that sent that email - most likely a spyware-infected machine? Is Exchange 2007 improving this?