We have Exchange 2010 as part of Small Business Server 2011. Every night there is a period of around 12 hours where spam is being relayed through the server, but it is not configured as an open relay so the sender must be authenticating using an AD account. The Message Tracking function of Exchange shows details of the messages (to, from, subject, sender IP, etc.) but not which user account authenticated to send it.
How can we determine which user account is affected, so we can disable it and/or change the password?