Question : How is spam being relayed through my server?

Greetings.

Our mail server is being repeatedly blacklisted, and the spam that's getting us on the blacklist has been determined to come from our mail server (as opposed to some domain client). The server has been verified to be clean, so it seems to me that either a) the spammer has obtained legitimate account credentials, or b) there's an infected client computer that is relaying through the mail server.

Questions:
1. Does my analysis of the situation seem correct?
2. Is there some way to log all mail going through the SMTP server so I can track which account is being used, or which client computer is infected?

Some information:
- Exchange Server 2003 Enterprise Edition
- Clients are either local or authenticate with VPN
- Some Exchange users use RPC over HTTPS

Thanks in advance.

Joe

Answer : How is spam being relayed through my server?

If you are using RRAS (which I guess you must be), you can put an inbound filter for port 25 on your internet interface. You should be able to block port 25 for your LAN, as the server is actually on the WAN and would be using that interface for its SMTP communication. Certainly on checking an SBS server I run this is what is happening (same config, multi-homed).

You would create the filter to prevent all traffic whose destination is port 25 - note that the source port could be anything.  Also limit the filter to your local subnet as the source (but destination IPs blank... could be anything).
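As an added example, not taken from either post, here is one way to tackle Joe's second question: the Exchange 2003 SMTP virtual server can write W3C extended protocol logs, and this script tallies MAIL FROM commands per client IP from such a log so that a LAN host pushing far more mail than the rest stands out as the infected-client candidate. The field selection, the sample log lines and the threshold are assumptions constructed here.

```python
"""Tally Exchange 2003 SMTP protocol-log activity per client IP.
Assumption (constructed for this example): the SMTP virtual server logs in W3C
extended format with c-ip, cs-method (the SMTP verb) and cs-uri-query (its
argument) among the selected fields; the header's #Fields: line sets the order.
"""
from collections import Counter, defaultdict

# Constructed sample log; addresses and times are not from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2009-03-01 08:00:01 192.168.1.20 EHLO +pc20 250
2009-03-01 08:00:02 192.168.1.20 MAIL +FROM:<joe@example.com> 250
2009-03-01 08:00:03 192.168.1.20 RCPT +TO:<alice@example.net> 250
2009-03-01 08:05:10 203.0.113.5 MAIL +FROM:<bob@example.org> 250
2009-03-01 08:07:00 192.168.1.77 MAIL +FROM:<x1@spam.example> 250
2009-03-01 08:07:01 192.168.1.77 MAIL +FROM:<x2@spam.example> 250
2009-03-01 08:07:02 192.168.1.77 MAIL +FROM:<x3@spam.example> 250
2009-03-01 08:07:02 192.168.1.77 MAIL +FROM:<x4@spam.example> 250
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header defines the column order
        elif line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def summarize(rows):
    """Per client IP: a Counter of SMTP verbs and the set of MAIL FROM addresses."""
    verbs, senders = defaultdict(Counter), defaultdict(set)
    for row in rows:
        ip, verb = row["c-ip"], row["cs-method"].upper()
        verbs[ip][verb] += 1
        if verb == "MAIL":                 # argument looks like +FROM:<addr>
            senders[ip].add(row["cs-uri-query"].split(":", 1)[-1].strip("<>"))
    return verbs, senders

def flag_relays(text, max_mail=3):
    """Return [(ip, mail_count, distinct_senders)] for clients over the limit,
    busiest first; a LAN host here is the infected-client candidate."""
    verbs, senders = summarize(parse_w3c(text))
    hits = [(ip, c["MAIL"], len(senders[ip]))
            for ip, c in verbs.items() if c["MAIL"] > max_mail]
    return sorted(hits, key=lambda h: -h[1])
```

Point it at a real log by reading the file into `flag_relays`; a high count with many distinct sender addresses from one LAN IP is the pattern to chase, while one address sending from many IPs points at abused credentials instead.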