Internal Spammer or External Spammer

How do I find out if spam is coming from an internal or external source?
My queues are filled with spam and I have no way of finding out where it is coming from.
I want to stop it somehow too... Can I set up a rule to drop it or something?
Solution 1

Here is a simple command that you can run from the Exchange Management Shell to close down an OPEN RELAY.

Get-ReceiveConnector "YourReceiveConnectorName" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Replace "YourReceiveConnectorName" with the name of your Receive Connector and then run the command.

To test if you are an open relay, you can visit

Solution 2:

1. Open the Exchange 2007 console and go to "Organization Configuration" and then to "Hub Transport"
2. Select the "Transport Rules" tab
3. From the "Action Pane" on the right select "New Transport Rule"
4. Type any name and any comment and press Next
5. From the conditions window select "From users inside or outside my organization" and "Send to users inside or outside my organization", and from the details select the "Inside" links and switch both to "Outside", then press Next
6. From the "Actions" window select the last action, "Silently drop the message", and press Next
7. If you have any exceptions you can configure them in the "Exceptions" window; if not, just press Next again
8. Press "New" then "Finish"

This will prevent any email sent from anyone outside your organization to anyone outside it from passing through your server, and will stop relay.

For more information see this :

and especially this note:
Submit Messages to any Recipient
This permission allows the session to relay messages through this connector. If this permission isn't granted, only messages addressed to recipients in accepted domains are accepted by this connector.
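
An added example, not part of the original answer: an Exchange Management Shell audit that lists every Receive connector and flags the ones where anonymous sessions hold the relay right that Solution 1 removes. It only reads configuration; the `AnonymousRelay` column name is this example's own.

```powershell
# Run in the Exchange Management Shell on the Hub Transport server.
# Read-only audit: nothing here changes connector permissions.
$anon  = 'NT AUTHORITY\ANONYMOUS LOGON'
$relay = 'ms-Exch-SMTP-Accept-Any-Recipient'

$report = foreach ($rc in Get-ReceiveConnector) {
    # Allow entries (not Deny) that give anonymous sessions the right to
    # submit mail for recipients outside the accepted domains.
    $open = $rc | Get-ADPermission | Where-Object {
        ($_.User -like $anon) -and
        ($_.ExtendedRights -like $relay) -and
        (-not $_.Deny)
    }

    # One row per connector. RemoteIPRanges shows who can reach it:
    # a relay-capable connector should list only the internal hosts
    # that need to relay, never the whole address space.
    $rc | Select-Object Identity, Enabled, PermissionGroups, RemoteIPRanges,
        @{ Name = 'AnonymousRelay'; Expression = { [bool]$open } }
}

# Connectors that relay for anonymous senders come first.
$report | Sort-Object AnonymousRelay -Descending | Format-List
```

A connector that shows `AnonymousRelay : True` together with a `RemoteIPRanges` value covering all addresses will relay for any host on the Internet.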
Itomicltd (Author) Commented:
Exchange 2007 on a Windows 2003 server.
Shabarinath Ramadasan (Infrastructure Architect) Commented:
See to which address those mails are getting delivered. Open that mailbox and look at the message header of one spam. See where it's being generated from and take corrective action.

Good luck
Itomicltd (Author) Commented:
Queues are going out... addresses are .HINET or Yahoo, See header below... No Internal IP listed....

Identity: mail07\83\626
Subject: Undeliverable: ¡¹¡¹§Ú¦³¤@¥÷­Ý¾ªº¤u§@¤¶²Ð±z¡¹¡¹related to
Internet Message ID: <31cce163-e08d-4032-9d61-d00bcb67672a>
From Address: <>
Status: Ready
Size (KB): 36
Message Source Name: DSN
Source IP:
SCL: -1
Date Received: 10/19/2011 12:32:31 PM
Expiration Time: 10/21/2011 12:32:31 PM
Last Error:
Queue ID: mail07\83
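
An added example, not part of the thread: a way to answer the internal-versus-external question from the queues themselves, by grouping every queued message on the properties shown in the output above (`MessageSourceName`, `SourceIP`). The `Get-IPScope` helper and the `Scope` column are this example's own names.

```powershell
# Run in the Exchange Management Shell on the Hub Transport server.
# Hypothetical helper: label an address as private (RFC 1918 / loopback),
# public, or none when the message carries no source IP (as the DSN above).
function Get-IPScope($ip) {
    if (-not $ip) { return 'none' }
    $b = ([System.Net.IPAddress]::Parse("$ip")).GetAddressBytes()
    if ($b.Length -ne 4) { return 'ipv6' }
    if ($b[0] -eq 10 -or $b[0] -eq 127 -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)) { return 'private' }
    return 'public'
}

# Pull every queued message on this server and count them by where they
# entered: the source name, the scope of the submitting address, and the
# address itself.
Get-Message -ResultSize Unlimited |
    Select-Object MessageSourceName, FromAddress, SourceIP,
        @{ Name = 'Scope'; Expression = { Get-IPScope $_.SourceIP } } |
    Group-Object MessageSourceName, Scope, SourceIP |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name
```

Large groups with a public `SourceIP` point to mail submitted from outside; large groups with a private one point to a host on your own network. A queue dominated by `DSN` entries with an empty sender holds non-delivery reports this server generated for mail it had already accepted.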
How do i find out if Spam is coming from Internal or External Source.
Put your server into and make sure it is not an open relay.

If it comes back clean, then the spam is originating from inside your network and/or allowed relay domains.
Itomicltd (Author) Commented:
This is what came back. Now how do I close the relay (as I thought I had!)?

 Spam Test
Itomicltd (Author) Commented:

This has gone on for a number of days and no-one seems to be able to at least offer me a rule or something that says drop all mail sent from external email address from inside the organisation (that's the only thing that is common, the mails are sent from external address to external address)... there surely has to be some way to stop the mail flowing out first and foremost without affecting mail from domain addresses. I can find the problem after, but it is vital I at least drop these mails before they get outside to the internet...


This has gone on for a number of days and no-one seems to be able to at least offer me a rule or something that says drop all mail sent from external email address from inside the organisation
Yes, and you just answered the last question we had last night, and it did show that you have an open relay. It's not like nobody has been trying to point you in the right direction.

Be patient.
Close the open relay as lucid8 instructed and we'll go from there.
Itomicltd (Author) Commented:
I got it sorted. I needed to disable the internal relay and Allow anonymous users on default connector.
I have had this issue a number of days and logged more than one question on various forums and no-one suggested this solution... I posted the "this has been going on for a number of days..." post out of frustration and posted it to every forum where I asked the question. Apologies if I seemed impatient, as this was only a recent thread I started... If you can imagine, I had 3 days of mail flowing out and no-one suggested a rule or anything to stop it. I looked up forums to stop open relays and did all that was required... Checked logs, put in transport rules... nada!!! So I called MS and boom... Solved! I'm sorry if I seemed petulant...
Glad you got it sorted and yeah I imagine it wasn't a fun time for you eh?
Itomicltd (Author) Commented:
Ha Ha.... not fun at all...Thanks for your help all the same...
Thanks for the points much appreciated
Question has a verified solution.
