Somehow spam is leaving my network. I have verified that I am NOT an open relay. I have verified that I have recipient filtering set up correctly, so as not to get NDR spam.
Originally this problem started when our emails were getting blocked. I did a blacklist check and found that I was on 4 blacklists. So, I knew I had my server configured correctly, so I started doing virus scans on all my workstations. I found several workstations that had viruses. I have since cleaned that up, or at least I think I have, but there is still spam leaving from my network. My queue is filled with SMTP connectors, all of them trying to send from email@example.com.
From 3/25 until now, my application log is filled with MSExchange Transport errors, Event ID 3018:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;firstname.lastname@example.org (Message-ID <MSTSERVERQIhNADKnFh00002ae2@mydomain.com>).
Causes: This message indicates a DNS problem or an IP address configuration problem
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
And Event ID 3030:
A non-delivery report with a status code of 5.1.8 was generated for recipient rfc822;email@example.com (Message-ID <MSTSERVERxjoay0q0NT00002af6@mydomain.com>).
I turned on logging a few minutes ago and I already have hundreds of MSExchange Transport warnings, Event ID 7002:
This is an SMTP protocol warning log for virtual server ID 1, connection #1409. The remote host "18.104.22.168", responded to the SMTP command "rcpt" with "421 invalid sender domain 'secretshopper.net' (misconfigured dns?) ". The full command sent was "RCPT TO:<firstname.lastname@example.org> ". This may cause the connection to fail.
Help? What is this? It must be a virus on one of my workstations that I am missing? How do I find out where these spam messages are originating from on my network?
Thanks for the help.