I would fire up a sniffer (Wireshark etc.) or look at firewall logs to see who is generating the most traffic or eating up your bandwidth, and start taking these clients offline and deal with them. You might be dealing with a workstation of some kind that has an e-mail worm blasting it out?
Also it is good to ask yourself why your server AV/spam engine did not catch these and alert you (assuming you have decent AV/spam protection as the first line of defense and are not letting Postini do all the work for inbound and outbound SMTP traffic). (If not, you can ignore this part.)

Good luck
Ocd

On 6/16/10, Chris <[email protected]> wrote:
> John,
>
> Do you have a firewall in place that you can log all smtp traffic? There is
> a chance that the spam email *might* not be going through the exchange
> server.
>
> Chris
>
>
> On Wed, Jun 16, 2010 at 7:44 AM, John Hornbuckle <
> [email protected]> wrote:
>
>> I’m ashamed to say that for the first time ever, spam has been generated
>> from my network. All of our outbound mail is routed through Google /
>> Postini, and they cut us off last night after detecting it. I’m mortified.
>>
>> What I’m needing help with is tracking down the source. I can see who the
>> message claims to be from, and Postini tech support thinks her account
>> really is the source (I assumed the “From:” address had been forged). But
>> even if her account really is the source, I need to know what machine
>> generated the traffic so that I can see what’s running on it.
>>
>> To be honest, I’m not sure how to do that. My weakness with Exchange is
>> showing. I thought maybe the message tracking tool, which I’ve used to find
>> some of the messages, but I can’t see the originating IP address in there.
>> Some of the entries say “2002:96b0:25ac::96b0:25ac” for the ClientIP. I
>> don’t know what that is.
>>
>> Any pointers?
>>
>> John Hornbuckle
>>
>> MIS Department
>>
>> Taylor County School District
>>
>> www.taylor.k12.fl.us
>>
>> NOTICE: Florida has a broad public records law. Most written
>> communications to or from this entity are public records that will be
>> disclosed to the public and the media upon request. E-mail communications
>> may be subject to public disclosure.
>>
>
--
Sent from my mobile device

Oz Casey Dedeal
Systems Engineer
MVP (exchange)
MCITP (EMA), MCITP (EA), MCITP (SA), MCSE 2003| M+| S+ | MCDST | Security+|Project+| Server+|
http://smtp25.blogspot.com (Blog)
http://telnet25.wordpress.com (Blog)
http://telnet25.spaces.live.com (Blog)
[email protected]
https://www.mcpvirtualbusinesscard.com/VBCServer/Odedeal/interactivecard
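
The ClientIP value quoted in the original question, 2002:96b0:25ac::96b0:25ac, falls in the 6to4 range (2002::/16, RFC 3056), which carries an IPv4 address in the 32 bits after the prefix. The following is an added example, not part of any message in this thread: it decodes such values and counts log rows per client address. The CSV column names and sample rows are constructed assumptions, not real tracking-log output.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows; the column names are assumptions for illustration.
SAMPLE_LOG = """\
timestamp,client_ip,sender,event
2010-06-15T22:01:03,2002:96b0:25ac::96b0:25ac,user1@example.org,RECEIVE
2010-06-15T22:01:04,2002:96b0:25ac::96b0:25ac,user1@example.org,RECEIVE
2010-06-15T22:01:05,192.0.2.44,user1@example.org,RECEIVE
2010-06-15T22:01:09,::ffff:192.0.2.44,user1@example.org,RECEIVE
2010-06-15T22:02:11,192.0.2.17,user2@example.org,RECEIVE
2010-06-15T22:02:12,,user2@example.org,DELIVER
"""


def normalize_client_ip(raw):
    """Return the IPv4 address behind a ClientIP value where one is embedded.

    Handles plain IPv4, 6to4 (2002::/16) and IPv4-mapped IPv6 (::ffff:a.b.c.d).
    Other IPv6 addresses come back unchanged; empty or invalid input gives None.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if addr.version == 6:
        embedded = addr.sixtofour or addr.ipv4_mapped
        if embedded is not None:
            return str(embedded)
    return str(addr)


def top_senders(log_text, sender=None):
    """Count rows per normalized client IP, optionally for one sender address."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if sender and row["sender"] != sender:
            continue
        ip = normalize_client_ip(row["client_ip"])
        if ip is not None:
            counts[ip] += 1
    return counts.most_common()


if __name__ == "__main__":
    for ip, n in top_senders(SAMPLE_LOG, sender="user1@example.org"):
        print(f"{ip:>15}  {n}")
```

Normalizing first means the same host is not counted separately under its IPv4, 6to4 and IPv4-mapped forms when ranking which machines submitted the most messages.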
