Exchange 2003 hacked? Showing queue build up with external IP, tested for relay and it is not allowed - Looks like someone is authenticating to send spam.

I have a server that is constantly filling up its email queue - Exchange 2003 (SBS Server). The logs are showing this to be from an external IP, and yet we have tested for relay and it is not a relay server but behaving like one.
The spams are coming from one domain right now, and we cannot see a way to block this.
DigitalTeam Asked:
Killerbe Commented:
Block the external IP on your virtual SMTP server. This will prevent the server from filling up your queues.
0
Jon Brelie (System Architect) Commented:
This will also help you see if one of your accounts has been compromised and how to clean up after you fix it: http://www.amset.info/exchange/spam-cleanup.asp
0
Alan Hardisty (Co-Owner) Commented:
You will probably find that you are an authenticated relay, meaning you have a user account with a weak password that has been compromised and now your server is being directly abused by sending mail using the breached account to authenticate.

Please read through my article for details of what to do to solve this problem and make sure you don't have any IPs listed in your allowed relays on your SMTP virtual server unless you know you need them (definitely get rid of 127.0.0.1 if it exists):

http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
0
Alan Hardisty (Co-Owner) Commented:
Blocking the IP that is sending is only a short-term solution as you will find other IP addresses abusing your server before long, so identifying and rectifying the problem is the best course of action.
0
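An added example, not part of any post above or of the linked articles: a Python function that tallies accepted `MAIL FROM` commands per external client IP in an SMTP virtual server log written in W3C extended format, which shows every address submitting mail rather than only the one being blocked. The log lines, the set of logged fields, the internal network range and the function name are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: networks that are allowed to submit mail (LAN and loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.16.0/24", "127.0.0.0/8")]

# Constructed sample log. The field set is an assumption: it depends on
# which fields are enabled in the virtual server's logging properties.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2011-03-01 02:14:07 203.0.113.45 mx.example.net 192.168.16.2 EHLO +mx.example.net 250
2011-03-01 02:14:08 203.0.113.45 mx.example.net 192.168.16.2 MAIL +FROM:<promo@spam.example> 250
2011-03-01 02:14:08 203.0.113.45 mx.example.net 192.168.16.2 RCPT +TO:<a@victim.example> 250
2011-03-01 02:14:09 203.0.113.45 mx.example.net 192.168.16.2 MAIL +FROM:<deals@spam.example> 250
2011-03-01 02:15:30 192.168.16.20 pc7 192.168.16.2 MAIL +FROM:<bob@company.example> 250
2011-03-01 02:16:02 198.51.100.9 host9 192.168.16.2 MAIL +FROM:<promo@spam.example> 250
2011-03-01 02:16:03 198.51.100.9 host9 192.168.16.2 MAIL +FROM:<x@other.example> 550
"""


def external_submitters(log_text, internal_nets=INTERNAL_NETS):
    """Return {client_ip: {"accepted": count, "senders": set}} for non-internal IPs."""
    fields = []
    stats = defaultdict(lambda: {"accepted": 0, "senders": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        accepted = rec.get("sc-status", "").startswith("2")
        if rec.get("cs-method", "").upper() != "MAIL" or not accepted:
            continue                           # only count MAIL FROM the server accepted
        try:
            ip = ipaddress.ip_address(rec.get("c-ip", ""))
        except ValueError:
            continue                           # skip malformed rows
        if any(ip in net for net in internal_nets):
            continue
        m = re.search(r"FROM:<([^>]*)>", rec.get("cs-uri-query", ""), re.I)
        entry = stats[str(ip)]
        entry["accepted"] += 1
        if m:
            entry["senders"].add(m.group(1).lower())
    return dict(stats)
```

The result lists the external addresses to investigate; it does not name the account being used to authenticate.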
DigitalTeam (Author) Commented:
Great to have a lead to find the issue
0