I have been running an SBS 2003 server for about a year now for my small company. Yesterday, someone began relaying spam through the server. Hundreds of thousands of messages were being sent. I went through some diagnostic and cleanup items that I found online, but again this morning more spam was being relayed.
I am NOT configured as an open relay, according to CheckOR.com.
I followed the steps in this article: http://technet.microsoft.com/en-us/kb/kb00324958.aspx
I never saw an Event ID 1708 authentication event show up in my Event Viewer.
Currently, on the SMTP Virtual Server, relay is only granted to my specific users, the Internet Guest Account, and my webserver computer.
From the logs I found what I believe was the originating IP address and I added that to the exclusion list under Connection Control on the SMTP Virtual Server.
There has been no spam since about an hour ago, but we were fine overnight also and then it picked up again this morning. I am not sure how the spammer was authenticating to my server?
Thank you for your help.