Exchange 2003 hacked? Showing queue build up with external IP, tested for relay and it is not allowed - Looks like someone is authenticating to send spam.

I have a server that is constantly filling up its email queue - Exchange 2003 (SBS Server). The logs are showing this to be from an external IP, and yet we have tested for relay and it is not a relay server but behaving like one.
The spams are coming from one domain right now, and we can not see a way to block this.
Jon Brelie, System Architect, commented:
This will also help you see if one of your accounts has been compromised and how to clean up after you fix it:
Block the external IP on your virtual SMTP server. This will prevent the server from filling up your queues.
Alan Hardisty, Co-Owner, commented:
You will probably find that you are an authenticated relay, meaning you have a user account with a weak password that has been compromised and now your server is being directly abused by sending mail using the breached account to authenticate.

Please read through my article for details of what to do to solve this problem and make sure you don't have any IPs listed in your allowed relays on your SMTP virtual server unless you know you need them (definitely get rid of if it exists):'t-send.html
Alan Hardisty, Co-Owner, commented:
Blocking the IP that is sending is only a short-term solution as you will find other IP addresses abusing your server before long, so identifying and rectifying the problem is the best course of action.
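The two comments above point at a compromised account rather than a single source IP, so the useful grouping key when reviewing successful SMTP authentications is the account, not the address. The following is an added example, not part of the original thread or the linked article: it assumes the authentication events have been exported to CSV with hypothetical columns `timestamp`, `client_ip` and `account`, and the sample rows, account names and internal network range are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export of successful SMTP AUTH events (all values made up).
SAMPLE = """timestamp,client_ip,account
2012-03-01T02:14:07,203.0.113.45,SBS\\scanner
2012-03-01T02:14:09,203.0.113.45,SBS\\scanner
2012-03-01T02:15:30,198.51.100.7,SBS\\scanner
2012-03-01T02:16:02,198.51.100.99,SBS\\scanner
2012-03-01T08:01:11,192.168.16.20,SBS\\jsmith
2012-03-01T08:05:42,192.0.2.10,SBS\\jsmith
"""

# Assumption: the networks that count as "inside" for this site.
# Listed explicitly because ipaddress.is_private also matches documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.16.0/24", "127.0.0.0/8")]


def is_external(ip):
    """True when the address is outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_accounts(csv_text, min_external_ips=2):
    """Return {account: {"logons": n, "ips": [...]}} for accounts that
    authenticated from at least min_external_ips distinct external IPs."""
    logons = defaultdict(int)
    ips = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_external(row["client_ip"]):
            logons[row["account"]] += 1
            ips[row["account"]].add(row["client_ip"])
    return {
        acct: {"logons": logons[acct], "ips": sorted(ips[acct])}
        for acct in ips
        if len(ips[acct]) >= min_external_ips
    }


if __name__ == "__main__":
    for acct, info in suspicious_accounts(SAMPLE).items():
        print(f"{acct}: {info['logons']} external logons from {', '.join(info['ips'])}")
```

An account flagged here is a candidate for a password reset and a review of whether it needs SMTP authentication at all; blocking the listed IPs alone leaves the account usable from the next address.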
DigitalTeam, Author, commented:
Great to have a lead to find the issue
Question has a verified solution.