I'll assume for the moment that you're NATing everything through a
single IP address, but will make some suggestions if that isn't the
case.

A properly deployed NTOP is your friend in this case. It can be set
(using the BPF filters) to monitor only port 25, and only outbound if
you want, and you'll see who's talking.

Of course, if it *is* being routed through your Exchange box, then
that's what'll show, in which case you'll need to examine your SMTP
logs on that machine.

Two things I would recommend:

1) Turn off port 25 outbound, except for your Exchange server (and
perhaps your server monitoring software, if it sends SMTP messages to
your cell phone). This might stop the problem outright.

2) Turn off SMTP relay through your Exchange server, period. Let it
accept SMTP messages *only* from trusted internal hosts, such as
server-side software that sends notifications to you or your sysadmin
team. All others only get MAPI. This cuts down on the crap that gets
relayed outbound, though it won't stop something that automates
Outlook.

Kurt

On Jan 21, 2008 7:03 AM, Clayton Doige <[EMAIL PROTECTED]> wrote:
>
> Dear all, I have a server apparently spewing out a horde of SMTP messages,
> at least according to the Message Tracking system, which indicates the
> emails originate from a specific email address.
>
> This is Exchange 2003 by the way:
>
> I have checked and the system is not a relay, and only authenticated users
> are allowed to send. I blocked access for this particular user account to
> the smtp connector, and changed the password on the user account.
>
> When looking in Message Tracking subsequent to making the changes above, the
> messages are noted, and the last action for each message is Submitted to
> Categorizer.
>
> According to the ISP mails are still coming out, and there is no record of
> an SMTP server on the packets.
>
> netstat outputs also seem like everything is normal, although the output is
> extensive.
>
> The box has been swept by its local Trend SMEX, and Office Scan, plus two
> other online scanners. WireShark is not telling me anything exciting, and
> none of the processes running in task manager seem out of the norm.
>
> If this was another authenticated machine on the LAN I would have expected
> the password change to have put an end to that.
>
> Has anyone seen similar, and if so could you kindly point this already bald
> person in the right direction?
>
> Many thanks in advance
>
> --
> Regards,
>
> Clayton
> [EMAIL PROTECTED]
> http://alsipius.com
>
>

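As an added illustration of the "watch outbound port 25 and see who's talking" approach from the reply above (this is example code written for this page, not Kurt's or anyone's from the thread), the script below applies the same kind of BPF-style filter ntop would be given and then aggregates a constructed tcpdump-style SYN capture by internal source host, flagging every host other than the allowed mail server. All addresses, the internal subnet, and the allowlist are hypothetical placeholders.

```python
import ipaddress
import re
from collections import Counter

# BPF filter of the kind the reply suggests handing to ntop/tcpdump:
# only TCP traffic to port 25 leaving the internal subnet (hypothetical subnet).
BPF_FILTER = "tcp dst port 25 and src net 192.168.1.0/24 and not dst net 192.168.1.0/24"

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # hypothetical LAN
ALLOWED_SENDERS = {"192.168.1.10"}                      # hypothetical Exchange server

# Constructed sample lines in the format of `tcpdump -n` output for SYN packets.
# Addresses are documentation/private ranges and are not from the original thread.
SAMPLE_CAPTURE = """\
08:01:02.000001 IP 192.168.1.10.49152 > 203.0.113.25.25: Flags [S], seq 1, win 65535, length 0
08:01:02.100002 IP 192.168.1.57.1034 > 198.51.100.7.25: Flags [S], seq 2, win 65535, length 0
08:01:02.200003 IP 192.168.1.57.1035 > 198.51.100.8.25: Flags [S], seq 3, win 65535, length 0
08:01:02.300004 IP 192.168.1.57.1036 > 203.0.113.9.25: Flags [S], seq 4, win 65535, length 0
08:01:02.400005 IP 192.168.1.10.49153 > 192.168.1.57.25: Flags [S], seq 5, win 65535, length 0
08:01:02.500006 IP 192.168.1.20.2000 > 203.0.113.25.25: Flags [S], seq 6, win 65535, length 0
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [S]" lines only.
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def parse_syn_lines(text):
    """Yield (src_ip, dst_ip, dst_port) for every SYN line in tcpdump-style text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))


def outbound_smtp_talkers(text, internal_net=INTERNAL_NET):
    """Count new outbound SMTP connections per internal source host.

    Mirrors the BPF filter: destination port 25, source inside the LAN,
    destination outside it (internal-to-internal mail is ignored).
    """
    counts = Counter()
    for src, dst, dport in parse_syn_lines(text):
        if dport != 25:
            continue
        if ipaddress.ip_address(src) in internal_net and \
                ipaddress.ip_address(dst) not in internal_net:
            counts[src] += 1
    return counts


def unexpected_senders(text, allowed=ALLOWED_SENDERS):
    """Return {host: connection_count} for hosts that should not be sending SMTP at all."""
    return {ip: n for ip, n in outbound_smtp_talkers(text).items() if ip not in allowed}


if __name__ == "__main__":
    print("capture filter:", BPF_FILTER)
    for host, n in unexpected_senders(SAMPLE_CAPTURE).items():
        print(f"{host}: {n} outbound SMTP connection(s) (not an allowed mail server)")
```

In this sample the host at 192.168.1.57 opens three outbound SMTP sessions directly to external servers, which is exactly the case the reply describes: mail leaving the LAN without passing through Exchange, so the Exchange message tracking and SMTP logs would never show it. Once the real egress filter from recommendation 1) is in place, the same counting logic run against firewall deny logs identifies the offending machine even faster.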