I have a client with an Exchange 2003 SBS running. Has been in production over 3 years. In the last week, it appears we have been compromised. Everyday, when I look at the Queue under Exchange System Manager, there are thousands of messages loaded up going to places in Italy.
We have no open relays that I can see The only ports open on the firewall are 80, 443, 25, 3389. My hunch is that a user account has been compromised and it is his account that is being used. How can I tell what account is being used to send these messages.
If anyone has additional insight or additional things to check it would be appreciated.
Additional System Info
SBS 2003 R2
Symantec Endpoint 11d
Symantec Mail Security For Exchange 6.0
ACTIONS ALREADY TAKEN
Clear the Queue as per MS KB324958 (Have done this multiple times to no avail).
Thanks in advance.