Recently one of my client's email servers was blacklisted by a few databases, and after looking into this issue, I found that their outgoing email queues were larger than normal. Also, the destination domains are mostly random, non-existent domains. I believe something internal is sending out mass spam email; however, I have no way to pinpoint where this traffic is coming from. Any ideas? So far I have done the following:
enabled logging on the smtp virtual server
took a packet capture using wireshark
Everything shows the originator as the mail server, which I would expect... but I want to be able to see where the requests originate.
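One way to use the SMTP virtual server log that was just enabled, as an added example that is not part of the original post: group the RCPT commands by the connecting client IP and count how many distinct recipient domains each internal client sent to. The log lines below are constructed, and the W3C field layout (c-ip, cs-method, cs-uri-query) is an assumption about how the server writes its log.

```python
import re
from collections import defaultdict

# Constructed sample in W3C extended log format, as an SMTP virtual server
# with logging enabled might write it (the field layout is an assumption).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2009-05-01 10:00:01 10.0.0.5 MAIL FROM:<alice@example.com> 250
2009-05-01 10:00:01 10.0.0.5 RCPT TO:<bob@partner.example> 250
2009-05-01 10:00:02 10.0.0.7 MAIL FROM:<sales@example.com> 250
2009-05-01 10:00:02 10.0.0.7 RCPT TO:<user1@qzxk.invalid> 250
2009-05-01 10:00:03 10.0.0.7 RCPT TO:<user2@wvtb.invalid> 250
2009-05-01 10:00:03 10.0.0.7 RCPT TO:<user3@plmn.invalid> 250
2009-05-01 10:00:04 10.0.0.7 RCPT TO:<user4@rfgh.invalid> 250
"""

# Extract the domain part of a "RCPT TO:<user@domain>" command.
RCPT_RE = re.compile(r"TO:<[^@>]+@([^>]+)>", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed or truncated records
        yield dict(zip(fields, parts))

def recipient_domains_by_client(text):
    """Map each connecting client IP to the set of recipient domains it used."""
    result = defaultdict(set)
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "RCPT":
            continue
        m = RCPT_RE.search(rec.get("cs-uri-query", ""))
        if m:
            result[rec["c-ip"]].add(m.group(1).lower())
    return result

def suspicious_clients(text, min_domains=3):
    """Client IPs that sent to at least min_domains distinct recipient domains."""
    by_ip = recipient_domains_by_client(text)
    return sorted(ip for ip, doms in by_ip.items() if len(doms) >= min_domains)

if __name__ == "__main__":
    for ip in suspicious_clients(SAMPLE_LOG):
        print(ip, sorted(recipient_domains_by_client(SAMPLE_LOG)[ip]))
```

An internal host fanning out to many unrelated domains in a short window stands out from normal users, and the c-ip column names it directly, which the packet capture could not when every outbound connection carried the mail server's own address.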