Exchange SBS 2003 : SMTP Queue Filling Up

I have a client with an Exchange 2003 SBS running. Has been in production over 3 years. In the last week, it appears we have been compromised. Every day, when I look at the Queue under Exchange System Manager, there are thousands of messages loaded up going to places in Italy.

We have no open relays that I can see. The only ports open on the firewall are 80, 443, 25, 3389. My hunch is that a user account has been compromised and it is his account that is being used. How can I tell what account is being used to send these messages?

If anyone has additional insight or additional things to check it would be appreciated.

Additional System Info
SBS 2003 R2
Symantec Endpoint 11d
Symantec Mail Security For Exchange 6.0
Broadband connection

Clear the Queue as per MS KB324958 (Have done this multiple times to no avail).

Thanks in advance.

Alan Hardisty (Co-Owner) commented:
Please have a read of my article for this very problem:'t-send.html
Make sure that you don't have 127.0.0.1 as an allowed relay in your default SMTP Virtual Server Relay settings.
If you need help - please shout.

Alan Hardisty (Co-Owner) commented:
My article advises you how to detect which account is being abused.
In SBS, there are reports that show email usage, disk usage, etc.
If you run one of those reports, you will see the user that has been compromised (hopefully).
If the code for the compromise is using their own SMTP server, then it will not show up in this list.
When I had a situation like this, I put Wireshark on the system and watched who was connecting to the server via port 25. This pointed me to the user, and then all I needed to do was to change the password.
You could just have all your users change their passwords, which should also fix the problem!
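
The port 25 check described in the comment above, as an added example that is not part of the original thread: it tallies new inbound connections to the mail server's port 25 per source address from a tshark field export. The tshark command in the comment, the server address `192.168.16.2`, the LAN range `192.168.16.0/24` and the sample rows are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows (not real traffic), in the tab-separated layout of:
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
SAMPLE = "\n".join([
    "1300000000.0\t192.168.16.23\t192.168.16.2\t25",
    "1300000002.5\t192.168.16.23\t192.168.16.2\t25",
    "1300000003.0\t203.0.113.7\t192.168.16.2\t25",
    "1300000004.0\t192.168.16.2\t198.51.100.9\t25",   # outbound delivery
    "1300000005.0\t192.168.16.23\t192.168.16.2\t443",  # not SMTP
    "1300000006.0\t192.168.16.23\t192.168.16.2\t25",
    "1300000009.0\t203.0.113.7\t192.168.16.2\t25",
    "1300000010.0\t192.168.16.23\t192.168.16.2\t25",
    "truncated row",
])

def smtp_talkers(text, server_ip, port=25):
    """Collect timestamps of new connections to server_ip:port, per source."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # blank or malformed row
        ts, src, dst, dport = parts
        try:
            ts, dport = float(ts), int(dport)
            ipaddress.ip_address(src)  # empty for non-IPv4 frames
        except ValueError:
            continue
        if dst == server_ip and dport == port:
            seen[src].append(ts)
    return seen

def rank(seen, lan="192.168.16.0/24"):
    """Rows of (source, connections, seconds active, is on the LAN), busiest first."""
    net = ipaddress.ip_network(lan)
    rows = [(src, len(t), max(t) - min(t), ipaddress.ip_address(src) in net)
            for src, t in seen.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for row in rank(smtp_talkers(SAMPLE, "192.168.16.2")):
        print("%-16s conns=%-4d active=%6.1fs lan=%s" % row)
```

A LAN address at the top of the list points at a workstation to inspect; an outside address is one to match against the SMTP virtual server's logs.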
tech911 (Author) commented:
Thanks for the great advice. The article saved me an untold number of hours wading through the web.