We use a PowerShell script to monitor the tracking logs and are alerted if a 
user sends a specified number of messages within a specified period of time.  
Not a perfect solution.  I know others do something similar, but in addition to 
being alerted, they disable the user's ability to send messages.

Nuno Mota just published a series of articles on preventing auto-reply storms 
over at MSExchange.org (link is below).  They include a script and the use of a 
transport rule to do this.  With some tweaking, these could probably also be 
applied to cut off email coming from a compromised account.

http://www.msexchange.org/articles_tutorials/exchange-server-2010/monitoring-operations/preventing-autoreply-storms-part1.html


From: Sharp, Kevin [mailto:kevin.sh...@usask.ca]
Sent: Friday, February 24, 2012 11:20 AM
To: MS-Exchange Admin Issues
Subject: internal spam

I'm wondering how people are dealing with compromised accounts in Exchange 
sending large volumes of email...essentially an internal spam attack.

Occasionally a phishing attempt will make it past our spam software, and of 
course the odd unsuspecting user ends up with a compromised account which 
makes a connection to the mail system via either a compromised PC or external 
connection.

We notice this when the email starts piling up, and action can be taken 
then... but I'm wondering if there is some software or method that might have 
some more smarts.

We've had numerous incidents but so far... not an easy way to distinguish a 
potential spam attack until after it happens, and the email starts piling up in 
the retry queue.

I've looked at throttling policies and some of the transport filtering, not 
sure if that will help us much. What are others doing?

Thanks

Kevin Sharp



---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist
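
The send-rate check described in the reply at the top of this thread, as an added example that is not the poster's script or code from the linked articles. The function name `Find-SendBurst`, the threshold and window values, and the sample records are assumptions constructed for illustration; it counts one `RECEIVE` tracking event per submitted message.

```powershell
# Added example: flag senders who exceed N messages inside a sliding time window.
# Input records need Timestamp, Sender and EventId, the property names that
# Get-MessageTrackingLog output also carries.
function Find-SendBurst {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Records,
        [int] $Threshold = 5,          # assumed alert threshold (messages per window)
        [int] $WindowMinutes = 10      # assumed window length
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)

    # Count only RECEIVE so that later events for the same message
    # (DELIVER, SEND, FAIL) do not inflate the total.
    $Records | Where-Object { $_.EventId -eq 'RECEIVE' } |
        Group-Object -Property Sender | ForEach-Object {
            $sender = $_.Name
            $times  = @($_.Group | Sort-Object Timestamp | ForEach-Object { $_.Timestamp })
            $start  = 0
            for ($end = 0; $end -lt $times.Count; $end++) {
                # Advance the left edge until the window spans at most $window.
                while (($times[$end] - $times[$start]) -gt $window) { $start++ }
                $count = $end - $start + 1
                if ($count -ge $Threshold) {
                    New-Object PSObject -Property @{
                        Sender      = $sender
                        Count       = $count
                        WindowStart = $times[$start]
                        WindowEnd   = $times[$end]
                    }
                    break   # one alert per sender; leaves the for loop only
                }
            }
        }
}

# Constructed sample records (not real log data).
function New-SampleRecord($sender, $when) {
    New-Object PSObject -Property @{ Sender = $sender; Timestamp = $when; EventId = 'RECEIVE' }
}
$base   = [datetime]'2012-02-24T09:00:00'
$sample = @()
0, 25, 50 | ForEach-Object { $sample += New-SampleRecord 'alice@example.com' $base.AddMinutes($_) }
0..7      | ForEach-Object { $sample += New-SampleRecord 'bob@example.com' $base.AddSeconds(30 * $_) }

# Only the burst sender should be reported.
Find-SendBurst -Records $sample -Threshold 5 -WindowMinutes 10

# Live input in the Exchange Management Shell would come from, for example:
#   Get-MessageTrackingLog -EventId RECEIVE -Start (Get-Date).AddMinutes(-10) -ResultSize Unlimited
```

The threshold has to sit above the send rate of legitimate bulk senders in the organization (service accounts, mailing tools), or those senders need an exclusion list before the alert is wired to any automatic action.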