If the message was originated using MAPI you will not be looking at a relaying issue. Make sure anti-virus is up to date on the PCs where those accounts are logged on (or have logged on since this issue started). If necessary, re-build the PCs completely.
Have you looked in IIS logs, too? From: bounce-8600520-8066...@lyris.sunbelt-software.com [mailto:bounce-8600520-8066...@lyris.sunbelt-software.com] On Behalf Of Glen Johnson Sent: 16 July 2009 13:53 To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking Followup. Anyone care to take a look at this report and help me figure out where it originated and how it got through our system? Vh-fs4 is our x-wall spam gateway in the report. Thanks in advance. Glen. http://www.spamcop.net/w3m?i=z4375098464z63297735500b0e4abee95f47f7adae82z From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, July 10, 2009 10:28 PM To: MS-Exchange Admin Issues Subject: 2k3 message tracking I've looked in message tracking and also at the logs and cant find what I need. We have a client pc sending hundreds of spam emails through our exchange server. Nothing open directly from exchange to the internet except https for owa. Relaying is disabled except for 4 ips which are other servers. Anyway, we have frozen a ton of them in the SMTP queue and message tracking shows them but doesn't say where they originate. They originate from 2 different accounts and it is possible that both of these users have logged onto the same computer. Part time faculty and they all share several computers. Any suggestions appreciated.