Exchange sending out spam - Can't find source
Posted on 2014-02-28
Our Exchange 2003 / Exchange 2010 coexistence environment is sending out spam (10,000+ email attempts a day).
Last week we found out that our IP was listed on almost all of the spam lists. I saw that our Exchange 2003 message queue was bloated with 1,000s of emails. I flushed the queue and locked down the firewall so that only MXLogic (our spam filter) IPs can send SMTP traffic to our Exchange server. I also locked down other firewall settings. Everything went back to normal for a few days.
The same thing happened again yesterday on the Exchange 2010 server: 1,000s of emails in the queue. Our IP (for the 2010 server this time) got blacklisted.
Tasks I have done:
- Ran SEP and Malwarebytes on the Exchange server. Came up clean.
- Locked down SMTP traffic to only receive from MXLogic.
- Cleared out the message queue.
- VERIFIED that we are not an open relay on the internet.
At this point, I'm not sure what to do. It seems like it keeps popping up and then going away. Have we somehow been hacked? Is an authenticated user on the domain unknowingly sending spam? Where should I start?
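One place to start answering the "is an authenticated user sending this?" question is the Exchange 2010 message tracking log, which records every message entering transport together with its sender, source and client IP. The script below is an added example (not from the original post or Microsoft); it assumes the default tracking log location and that the last two days still cover the incident.

```powershell
# Added example: run in the Exchange 2010 Management Shell on the Hub Transport
# server that held the bloated queue. Assumes default message tracking retention
# and that the spam run happened within the last two days.
$start = (Get-Date).AddDays(-2)

# RECEIVE events are logged for every message entering transport, whether it was
# submitted over authenticated SMTP (Source = SMTP) or from a mailbox via
# Outlook/MAPI (Source = STOREDRIVER). Grouping by sender shows who is behind
# the volume; a normal user will not have thousands of entries.
$received = Get-MessageTrackingLog -EventId RECEIVE -Start $start -ResultSize Unlimited

$received |
    Group-Object -Property Sender |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# Drill into the top sender. The Source/ClientIp pairs tell you how the mail is
# getting in: SMTP from an address outside your network means the account's
# credentials are being used from elsewhere (change the password, check for
# forwarding rules); STOREDRIVER points at a workstation or script inside.
$top = ($received |
    Group-Object -Property Sender |
    Sort-Object -Property Count -Descending |
    Select-Object -First 1).Name

$received |
    Where-Object { $_.Sender -eq $top } |
    Group-Object -Property Source, ClientIp |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# Recipient counts per message separate a compromised account (many external
# recipients per message) from a legitimate bulk sender you already know about.
$received |
    Where-Object { $_.Sender -eq $top } |
    Measure-Object -Property RecipientCount -Sum -Average
```

If the top sender is an internal account with submissions from an unfamiliar ClientIp, disable or reset that account before re-enabling outbound SMTP, or the queue will refill as soon as the firewall is opened.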