I have a situation where an internal Exchange 2003 server keeps getting compromised. I'm pretty sure that someone's account is getting compromised because I went through an exercise where I changed everyone's password and the issue disappeared for about 2 months.
It's now back, but the large quantities of spam that end up in the outbound queue only appear about once a week. If I remove them all, everything's fine for another week or so.
There are a number of remote non-employees who connect using VPN, some of them on an occasional basis. I suspect that one of them may have a virus that's captured their credentials and spits out the spam whenever they connect to the server.
If I restrict all outside users to Outlook Web Access only, will this in effect remove that threat possibility since there's no direct network connection?
Even better, if there's a better way to figure out the source of this stuff, I'd appreciate knowing that too. I remember one time turning on SMTP logging in some way that made it very clear who the culprit was, but I can't seem to figure that out again.
Any help would be appreciated.
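The log the poster is remembering is the SMTP virtual server's protocol log, enabled per virtual server in Exchange System Manager (Properties, General tab, "Enable logging", W3C Extended Log File Format) and written under the IIS LogFiles directory (SmtpSvc1 by default). Below is an added example, not code from the original post, that reads such a log and ranks connecting clients by how much mail they inject, flagging any client that both sends to many recipients and rotates its envelope sender, which is how a bot on a compromised workstation behaves and an Outlook user does not. Assumptions are labelled in the code: the #Fields header is the full IIS field set (the parser follows whatever header your server actually writes), the sample lines are constructed, and the HELO name is taken from the EHLO/HELO command's argument with cs-username as a fallback. The parser keys on c-ip because that is what the log reliably records; for a VPN user that is a pool address, and mapping it to a person is a lookup of the same timestamps in the VPN concentrator's session log.

```python
# Added example, not from the original post: rank clients in an Exchange 2003 /
# IIS SMTP protocol log (W3C extended format) by the mail they inject.
# The field set and every sample line below are assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

FIELDS = ("#Fields: date time c-ip cs-username s-sitename s-computername s-ip "
          "s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
          "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
          "cs(Cookie) cs(Referer)")

def _entry(time: str, ip: str, helo: str, method: str, query: str, status: int) -> str:
    # Constructed line. IIS writes '-' for an empty field and '+' for a space
    # inside a command argument, hence '+FROM:<...>'.
    return (f"2009-03-02 {time} {ip} {helo} SMTPSVC1 EXCH01 10.0.0.5 25 "
            f"{method} - {query} {status} 0 0 0 0 SMTP - - - -")

def build_sample_log() -> str:
    """Constructed log: one normal session from a LAN workstation, then a VPN
    client sending six messages, each with a fresh forged sender and 10 recipients."""
    lines = ["#Software: Microsoft Internet Information Services 6.0",
             "#Version: 1.0", "#Date: 2009-03-02 08:00:00", FIELDS]
    lan = ("10.0.0.25", "WKS-ACCT01")
    lines += [_entry("08:00:01", *lan, "EHLO", "+WKS-ACCT01", 250),
              _entry("08:00:01", *lan, "MAIL", "+FROM:<alice@example.com>", 250),
              _entry("08:00:01", *lan, "RCPT", "+TO:<bob@example.com>", 250),
              _entry("08:00:02", *lan, "DATA", "<0001@WKS-ACCT01>", 250),
              _entry("08:00:02", *lan, "QUIT", "WKS-ACCT01", 240)]
    vpn = ("192.168.50.17", "laptop-contractor")
    lines.append(_entry("08:03:10", *vpn, "EHLO", "+laptop-contractor", 250))
    for i in range(6):
        t = f"08:03:{11 + i:02d}"
        lines.append(_entry(t, *vpn, "MAIL", f"+FROM:<promo{i}@forged.example>", 250))
        lines += [_entry(t, *vpn, "RCPT", f"+TO:<victim{i}{j}@elsewhere.example>", 250)
                  for j in range(10)]
        lines.append(_entry(t, *vpn, "DATA", f"<{i:04d}@laptop-contractor>", 250))
    lines.append(_entry("08:03:20", *vpn, "QUIT", "laptop-contractor", 240))
    return "\n".join(lines) + "\n"

@dataclass
class ClientStats:
    helo_names: set = field(default_factory=set)  # names the client gave in EHLO/HELO
    mail_from: int = 0                             # messages (MAIL FROM commands)
    rcpt_to: int = 0                               # recipients (RCPT TO commands)
    senders: set = field(default_factory=set)     # distinct envelope senders
    first_seen: Optional[str] = None               # match these against VPN session logs
    last_seen: Optional[str] = None

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict per entry, keyed by the names in the #Fields header, so the
    parser follows whatever field selection the SMTP virtual server logs."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):            # #Software, #Version, #Date, #Fields
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("log entry before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):      # truncated line: skip, don't misalign columns
            continue
        records.append({k: ("" if v == "-" else v.replace("+", " ").strip())
                        for k, v in zip(fields, values)})
    return records

def summarise(records: Iterable[Dict[str, str]]) -> Dict[str, ClientStats]:
    """Counters per c-ip, the connection's source address (a VPN pool address
    for remote users, which is what you then look up in the VPN logs)."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for rec in records:
        ip = rec.get("c-ip", "")
        if not ip:
            continue
        s = stats[ip]
        stamp = f"{rec.get('date', '')} {rec.get('time', '')}".strip()
        s.first_seen, s.last_seen = s.first_seen or stamp, stamp
        method, query = rec.get("cs-method", "").upper(), rec.get("cs-uri-query", "")
        if method in ("EHLO", "HELO"):
            s.helo_names.add(query or rec.get("cs-username", ""))
        elif method == "MAIL":                    # 'FROM:<Addr>' -> 'addr'
            s.mail_from += 1
            s.senders.add(query.partition("<")[2].partition(">")[0].lower() or query.lower())
        elif method == "RCPT":
            s.rcpt_to += 1
    return dict(stats)

def suspicious_clients(log_text: str, min_rcpt: int = 50, min_senders: int = 5) -> List[str]:
    """Clients that inject many recipients *and* rotate envelope senders: a bot on
    a workstation does that, a person in Outlook does not."""
    stats = summarise(parse_w3c(log_text.splitlines()))
    return sorted(ip for ip, s in stats.items()
                  if s.rcpt_to >= min_rcpt and len(s.senders) >= min_senders)

if __name__ == "__main__":
    for ip, s in summarise(parse_w3c(build_sample_log().splitlines())).items():
        print(f"{ip:16} {','.join(sorted(s.helo_names)):18} msgs={s.mail_from:3} "
              f"rcpts={s.rcpt_to:4} senders={len(s.senders):2} {s.first_seen} .. {s.last_seen}")
```

Point `parse_w3c` at the real log files instead of `build_sample_log()`, and tune the two thresholds to your own volume; on a server whose queue fills once a week, the interesting client is the one whose first_seen/last_seen window coincides with a VPN session and whose sender set is wider than one mailbox.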