Where is the spam coming from?

Have a standalone SBS 2003 server running exchange, and sending spam.
There are 4 clients.
Every few hours a burst of spam hits the smtp connector.
I have confirmed via telnet that the server in question is not open relay.
I have attempted to determine whether an authenticated user is relaying by setting smtp logging to maximum, but cant see any new server logins or authentications over 24 hours.
I have set a fake smtp queue to gather the outgoing spam, but cannot determine from whence it came.
AV scans (bitdefender) on server only found a few deleted trojans in the recycle bin of a secondary data drive of the server. Bitdefender is set to delete infected mail attachments.
These have now been deleted again, however the smtp queue has new items.

So, no logged user authentication, no open relay. From whence does it come?
Who is Participating?
I would force all users to change their passwords. Sounds like someones password is weak and has been compromised.
Is the guest account enabled?
paddygreenhoodAuthor Commented:
No, it is disabled.

The other possibility is that you have an infected workstation (s) If you want to see if the problem is coming from an internal Device/Machine you can use the following

MS USER MONITOR: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9A49C22E-E0C7-4B7C-ACEF-729D48AF7BC9&displaylang=en and here is a link on how to use it http://www.msexchange.org/tutorials/Microsoft-Exchange-Server-User-Monitor.html

And if you want to get into the guts of the matter you can use this  http://blogs.msdn.com/b/scottos/archive/2007/07/12/rough-and-tough-guide-to-identifying-patterns-in-ese-transaction-log-files.aspx
paddygreenhoodAuthor Commented:
Yes, all workstations were clean so a change of passwords for all users and administrator stopped the problem cold.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.