Determine who is sending the most spam in Exchange 2007

I have a client who has an SBS 2008 server on-site running Exchange Server 2007.

It came to my attention recently that all their external email was being blocked. The undeliverables show that their IP address was blacklisted. This client has recently been added to SPAMHAUS blacklist.

We had a situation where we were using an outside spam filtering server for inbound email filtering, but had to stop that service because one of their customers had an in-house SMTP server onsite - that automates delivery of email that was not received by my client - that kept getting their email blocked. Therefore, the client was not receiving any email coming from one of your most important customers.

So, in the interim, I am rerouting all the outbound email through another mail server until I get the client IP address off the blacklist.

I need to determine what is the best way to find what email address is receiving and sending the most spam. The plan is to delete email addresses and create new email addresses for those users.

Also, what is the best process I need to take to get this particular client's IP address removed from the blacklist?
Asked by Andreas Gieryic (Computer Networking, Owner)

Mike (IT Manager) commented:
Ran into this problem a few years ago when I worked for a small construction firm. What I did was enable logging in our router/firewall and just watch for massive amounts of mail traffic, and I was able to narrow it down to a single PC, which turned out to be so deeply infested with malware that I had to wipe it completely. If you go to the SpamHaus website and type in the IP, it will give you directions on how to remove it from the lists; but I'd track down the issue before removing them.

Andreas Gieryic (Computer Networking, Owner), author, commented:
Was your situation involving an Exchange server or POP email? I know if it's POP email it's easier to trace. Not sure how to determine if all email is going out through an Exchange server versus the workstation.
Mike (IT Manager) commented:
We ran Exchange 2010 SP1.
Andreas Gieryic (Computer Networking, Owner), author, commented:
Sorry for the late response. We did track down the user's PC. However, not from the router but at the spam server that we forwarded outbound email to.

Shadowless127, your suggestion was a good suggestion and I will keep this in mind in the future.
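
The router/firewall approach from the answer above, which also speaks to the follow-up question of whether mail leaves through the Exchange server or straight from a workstation, as an added example that is not part of the original thread. The log format, addresses, threshold and function names are assumptions for illustration.

```python
import re
from collections import Counter

# Assumption: the only host expected to send mail out (the Exchange server).
MAIL_SERVERS = {"192.168.1.10"}
INTERNAL_PREFIX = "192.168.1."  # assumption: the LAN is a single /24

# Assumption: iptables-style key=value log lines; adapt to your firewall.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?\bDPT=(?P<dpt>\d+)")

# Constructed sample log (documentation address ranges, not a real network).
SAMPLE_LOG = """\
10:00:01 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=25
10:00:02 SRC=192.168.1.37 DST=198.51.100.7 PROTO=TCP SPT=49152 DPT=25
10:00:02 SRC=192.168.1.37 DST=198.51.100.8 PROTO=TCP SPT=49153 DPT=25
10:00:03 SRC=192.168.1.22 DST=192.168.1.10 PROTO=TCP SPT=50211 DPT=25
10:00:03 SRC=192.168.1.37 DST=203.0.113.40 PROTO=TCP SPT=49154 DPT=25
10:00:04 SRC=192.168.1.22 DST=203.0.113.80 PROTO=TCP SPT=50212 DPT=443
10:00:04 SRC=192.168.1.37 DST=203.0.113.41 PROTO=TCP SPT=49155 DPT=25
10:00:05 SRC=192.168.1.41 DST=198.51.100.9 PROTO=TCP SPT=50300 DPT=25
10:00:06 SRC=192.168.1.10 DST=203.0.113.6 PROTO=TCP SPT=51001 DPT=25
"""

def smtp_connections_by_host(log_text):
    """Count outbound TCP/25 connections per internal source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dpt"] != "25":
            continue
        internal_src = m["src"].startswith(INTERNAL_PREFIX)
        internal_dst = m["dst"].startswith(INTERNAL_PREFIX)
        if internal_src and not internal_dst:  # LAN host talking to the internet
            counts[m["src"]] += 1
    return counts

def hosts_bypassing_mail_server(counts, threshold=3):
    """Non-mail-server hosts with at least `threshold` direct SMTP connections."""
    hits = [(h, n) for h, n in counts.items()
            if h not in MAIL_SERVERS and n >= threshold]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)

if __name__ == "__main__":
    counts = smtp_connections_by_host(SAMPLE_LOG)
    for host, n in hosts_bypassing_mail_server(counts):
        print(f"{host} opened {n} direct outbound SMTP connections")
```

A workstation that submits mail to the Exchange server (192.168.1.22 in the sample) is not counted, because its port 25 traffic stays on the LAN; only hosts that reach external mail servers directly are reported.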