Over the holiday break, our email server was flagged on 3 RBL sites. I am in the process of having them removed, but need to figure out what caused the issue. I know that the email server does not support relaying, so I'm thinking one of the workstations might have a virus/malware/trojan.
I want to figure out where the spam originated from (workstation, user mailbox, etc.), but I have no time stamp, no recipient list, and no Mail From. I checked the file size of the log files, but they only vary by a few hundred KB.
Does anyone have any suggestions? We are running Exchange 2010, and right now, I'm focusing on the SMTPSend ProtocolLogs. Oh, this is running on Windows SBS 2011 if that matters.
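One way to get a time stamp and a Mail From out of the SMTPSend protocol logs, as an added example that is not part of the original post: the Exchange 2010 protocol logs are CSV files with a `#Fields:` header, and every outbound envelope sender appears in a `>` event whose data begins with `MAIL FROM:`. The script below parses those lines, ranks senders, and buckets them by hour so a burst stands out. The log path, the field order and the `Get-MessageTrackingLog` call follow the Exchange 2010 defaults; the log lines in `$Sample` are constructed for the demo, not real data.

```powershell
# Added example (not from the original post): summarise Exchange 2010 SMTPSend
# protocol logs to find which envelope sender and which sessions produced the
# outbound burst. Field order follows the Exchange 2010 "#Fields:" header.
# Written to run on the PowerShell 2.0 that ships with SBS 2011.

$Fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

function Get-SendLogMailFrom {
    # Takes raw SEND*.LOG lines, drops the '#' header lines, parses the CSV
    # and returns one object per outbound "MAIL FROM:" command ('>' event).
    param([string[]]$Lines)
    $Lines | Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $Fields |
        ForEach-Object {
            if ($_.event -eq '>' -and $_.data -match '^MAIL FROM:<([^>]*)>') {
                New-Object PSObject -Property @{
                    Time    = [datetime]$_.'date-time'   # ISO 8601, UTC ("Z")
                    Sender  = $Matches[1]
                    Session = $_.'session-id'
                    Remote  = $_.'remote-endpoint'
                }
            }
        }
}

# Constructed sample lines. For the real logs, replace this with
#   $Lines = Get-ChildItem "$env:ExchangeInstallPath\TransportRoles\Logs\ProtocolLog\SmtpSend" -Filter 'SEND*.LOG' |
#            ForEach-Object { Get-Content $_.FullName }
$Sample = @'
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Send Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-12-27T03:10:01.000Z,Internet,08D0C1A2B3C4D5E6,0,10.0.0.5:49152,203.0.113.10:25,+,,
2013-12-27T03:10:01.050Z,Internet,08D0C1A2B3C4D5E6,3,10.0.0.5:49152,203.0.113.10:25,>,MAIL FROM:<alice@example.com> SIZE=2048,
2013-12-27T03:10:02.000Z,Internet,08D0C1A2B3C4D5E7,3,10.0.0.5:49153,203.0.113.11:25,>,MAIL FROM:<alice@example.com> SIZE=2048,
2013-12-27T03:11:09.000Z,Internet,08D0C1A2B3C4D5E8,3,10.0.0.5:49154,198.51.100.20:25,>,MAIL FROM:<bob@example.com> SIZE=1024,
2013-12-27T14:30:00.000Z,Internet,08D0C1A2B3C4D5E9,3,10.0.0.5:49155,198.51.100.21:25,>,MAIL FROM:<alice@example.com> SIZE=2048,
'@ -split "`r?`n"

$MailFrom = Get-SendLogMailFrom -Lines $Sample

# 1. Envelope senders ranked by outbound message count, with distinct sessions
$MailFrom | Group-Object Sender | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Sessions'; e = { @($_.Group | ForEach-Object { $_.Session } | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize

# 2. Messages per hour (UTC), to see when the burst started and stopped
$MailFrom | Group-Object { $_.Time.ToUniversalTime().ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize

# 3. Once a sender stands out, message tracking ties it to the submitting
#    client IP / mailbox (Exchange Management Shell only, so left commented):
# Get-MessageTrackingLog -Sender 'alice@example.com' -EventId RECEIVE `
#     -Start (Get-Date).AddDays(-14) -ResultSize Unlimited |
#     Select-Object Timestamp, Source, ClientIp, ClientHostname, MessageSubject
```

Two caveats when reading the output. The Send log only shows what Exchange itself delivered, so if nothing spikes here, the spam most likely left the network without touching Exchange at all (an infected workstation talking to remote port 25 directly); in that case the firewall log, filtered for outbound TCP/25 from any host other than the mail server, is the place to look. And where the Send log does show a burst, the matching SmtpReceive log or the `RECEIVE` tracking events give the `ClientIp` of the machine that submitted the messages, which is what identifies the workstation rather than just the mailbox.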