On Exchange 2003 SMTP could be considered a separate item - it is part of IIS rather than part of Exchange. Journaling takes place at the categorizer if I recall correctly, the same place as AV scanning. Therefore as the transfer of the messages hasn't actually touched Exchange it wouldn't get picked up by the journal - or by any Exchange integrated AV/Anti-spam. The messages are still being "bounced" off the server, rather than passed through Exchange for delivery, because SMTP knows they have external recipients and the server they were delivered to has accepted them.
For the same reason, I wouldn't expect to see those spam messages in Message Tracking either. This is different to Exchange 2007 and higher, where Exchange owns the entire path, and all messages that pass through Hub Transport can be sent to the journal address.

Simon.

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: 30 March 2011 03:22
To: MS-Exchange Admin Issues
Subject: Re: Thoughts on a spamming incident? A question....

On Tue, Mar 29, 2011 at 16:25, Simon Butler <si...@sembee.co.uk> wrote:
> An authenticated relay attack wouldn't appear in the journal because the
> messages are being "bounced" off SMTP, they aren't actually being delivered
> to the Exchange server.

I'm not so sure about this part, because the ISP sent me the headers from the offending email, shown below, and they clearly show that the message transited from the AU Exchange server to the US Exchange server, then out of our org.

Wouldn't this transaction be journaled? If not journaled, why?

Again - xch.example.com is our US server, and auxch.example.com is our AU server.
Kurt

Return-Path: <h...@paparuda.com>
Received: from mtain-me01.r1000.mx.aol.com (mtain-me01.r1000.mx.aol.com [172.29.96.137])
    by air-da05.mail.aol.com (v129.4) with ESMTP id MAILINDA053-863d4d9232ca11f;
    Tue, 29 Mar 2011 15:28:10 -0400
Received: from xch.example.com (xch.example.com.com [204.2.x.x])
    by mtain-me01.r1000.mx.aol.com (Internet Inbound) with ESMTP id 8C11E3800011D;
    Tue, 29 Mar 2011 15:28:03 -0400 (EDT)
Received: from auxch.example.com ([192.168.61.33]) by xch.example.com
    with Microsoft SMTPSVC(6.0.3790.4675); Tue, 29 Mar 2011 12:27:58 -0700
Received: from User ([192.168.61.1]) by auxch.example.com
    with Microsoft SMTPSVC(6.0.3790.4675); Wed, 30 Mar 2011 05:24:51 +1000
Reply-To: <h...@paparuda.com>
From: "craigslist.org"<h...@paparuda.com>
Subject: Your account needs to be confirmed
Date: Tue, 29 Mar 2011 15:23:34 -0400
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <auxchaoeiigxix4a2d00000...@auxch.example.com>
X-OriginalArrivalTime: 29 Mar 2011 19:24:51.0393 (UTC) FILETIME=[F9A93B10:01CBEE46]
x-aol-global-disposition: G
x-aol-sid: 3039ac1d60894d9232c37c28
X-AOL-IP: 204.2.150.3
X-AOL-SPF: domain : paparuda.com SPF : none
To:
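
Added example, not part of the original thread: Python code that reads the four Received headers quoted above and lists the relay hops oldest-first with timestamps normalised to UTC, so the handoff from the AU server to the US server and the submitting client are easy to read off. The function names `trace` and `is_private` and the re-folded `SAMPLE` string are assumptions of this example.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed input: the four Received headers quoted in the message above,
# re-folded in standard header-continuation form (values unchanged).
SAMPLE = """\
Received: from mtain-me01.r1000.mx.aol.com (mtain-me01.r1000.mx.aol.com [172.29.96.137])
 by air-da05.mail.aol.com (v129.4) with ESMTP id MAILINDA053-863d4d9232ca11f;
 Tue, 29 Mar 2011 15:28:10 -0400
Received: from xch.example.com (xch.example.com.com [204.2.x.x])
 by mtain-me01.r1000.mx.aol.com (Internet Inbound) with ESMTP id 8C11E3800011D;
 Tue, 29 Mar 2011 15:28:03 -0400 (EDT)
Received: from auxch.example.com ([192.168.61.33]) by xch.example.com
 with Microsoft SMTPSVC(6.0.3790.4675); Tue, 29 Mar 2011 12:27:58 -0700
Received: from User ([192.168.61.1]) by auxch.example.com
 with Microsoft SMTPSVC(6.0.3790.4675); Wed, 30 Mar 2011 05:24:51 +1000
"""

HOP = re.compile(r"from\s+(\S+)\s+\([^()\[\]]*\[([^\]]+)\]\)\s+by\s+(\S+)")

def is_private(ip):
    """True/False for a literal address, None when it is masked (204.2.x.x)."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return None

def trace(raw):
    """Return the relay hops oldest-first, timestamps normalised to UTC."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # undo header folding
        info, _, stamp = flat.rpartition(";")     # date follows the last ';'
        m = HOP.search(info)
        if not m:
            continue                              # unparsed hop: skip, do not guess
        stamp = re.sub(r"\s*\([^)]*\)$", "", stamp.strip())  # drop "(EDT)"
        when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
        hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3),
                     "private": is_private(m.group(2)), "utc": when})
    return hops[::-1]                             # headers are stored newest-first

if __name__ == "__main__":
    for h in trace(SAMPLE):
        print(f'{h["utc"]:%H:%M:%S}Z {h["helo"]} [{h["ip"]}] -> {h["by"]}')
```

The oldest hop's UTC time matches the X-OriginalArrivalTime value in the quoted headers, which is a useful cross-check when servers stamp in different time zones.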