Where is the spam coming from?

Hi.
Have a standalone SBS 2003 server running Exchange, and sending spam.
There are 4 clients.
Every few hours a burst of spam hits the SMTP connector.
I have confirmed via telnet that the server in question is not open relay.
I have attempted to determine whether an authenticated user is relaying by setting SMTP logging to maximum, but can't see any new server logins or authentications over 24 hours.
I have set a fake SMTP queue to gather the outgoing spam, but cannot determine from whence it came.
AV scans (Bitdefender) on server only found a few deleted trojans in the recycle bin of a secondary data drive of the server. Bitdefender is set to delete infected mail attachments.
These have now been deleted again, however the SMTP queue has new items.

So, no logged user authentication, no open relay. From whence does it come?
 
paddygreenhood Asked:

connectex Commented:
Is the guest account enabled?
0
paddygreenhood (Author) Commented:
No, it is disabled.
0
connectex Commented:
I would force all users to change their passwords. Sounds like someone's password is weak and has been compromised.
0

lucid8 Commented:

The other possibility is that you have an infected workstation(s). If you want to see if the problem is coming from an internal Device/Machine, you can use the following:

MS USER MONITOR: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9A49C22E-E0C7-4B7C-ACEF-729D48AF7BC9&displaylang=en and here is a link on how to use it http://www.msexchange.org/tutorials/Microsoft-Exchange-Server-User-Monitor.html

And if you want to get into the guts of the matter you can use this: http://blogs.msdn.com/b/scottos/archive/2007/07/12/rough-and-tough-guide-to-identifying-patterns-in-ese-transaction-log-files.aspx
0
paddygreenhood (Author) Commented:
Yes, all workstations were clean so a change of passwords for all users and administrator stopped the problem cold.
Thanks!
0
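
One way to check an SMTP log for the two causes raised in this thread (a compromised password used to relay, or an infected workstation), as an added example that is not part of the original thread. It assumes W3C extended logging with the `c-ip`, `cs-method` and `sc-status` fields enabled and that AUTH and RCPT commands are recorded with their SMTP reply codes; the sample lines, the LAN range and the threshold are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample lines in W3C extended log format; not taken from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method sc-status
2011-03-01 02:10:01 192.168.16.21 EHLO 250
2011-03-01 02:10:02 192.168.16.21 MAIL 250
2011-03-01 02:10:02 192.168.16.21 RCPT 250
2011-03-01 03:00:00 203.0.113.50 EHLO 250
2011-03-01 03:00:01 203.0.113.50 AUTH 535
2011-03-01 03:00:05 203.0.113.50 AUTH 235
2011-03-01 03:00:06 203.0.113.50 MAIL 250
2011-03-01 03:00:06 203.0.113.50 RCPT 250
2011-03-01 03:00:06 203.0.113.50 RCPT 250
2011-03-01 03:00:07 203.0.113.50 RCPT 250
"""

def summarize(log_text):
    """Count AUTH outcomes and accepted RCPT commands per client IP."""
    fields, stats = [], defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):       # header repeats after a service restart
            fields = line.split()[1:]
            continue
        cols = line.split()
        if line.startswith("#") or not fields or len(cols) != len(fields):
            continue                           # other directives, truncated rows
        row = dict(zip(fields, cols))
        ip, method, status = row.get("c-ip"), row.get("cs-method", "").upper(), row.get("sc-status")
        if ip in (None, "-"):
            continue
        if method == "AUTH" and status in ("235", "535"):   # 235 = accepted, 535 = rejected
            stats[ip]["auth_ok" if status == "235" else "auth_fail"] += 1
        elif method == "RCPT" and status == "250":
            stats[ip]["rcpt"] += 1
    return stats

def suspects(stats, lan="192.168.16.0/24", rcpt_limit=2):
    """Label client IPs by likely cause; lan and rcpt_limit are assumed values."""
    net, found = ipaddress.ip_network(lan), {}
    for ip, c in stats.items():
        inside = ipaddress.ip_address(ip) in net
        if not inside and c["auth_ok"] and c["rcpt"]:
            found[ip] = "external host relaying with valid credentials"
        elif inside and c["rcpt"] > rcpt_limit:
            found[ip] = "LAN host submitting bulk mail"
        elif c["auth_fail"]:
            found[ip] = "failed AUTH attempts only"
    return found
```
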