Spam Relay Issue RSS Back to forum
2
@Matthew Melashenko:
Unfortunately, on Exchange 2007, you cannot use ORF (and its logs) to identify the compromised user account the spammer uses to relay emails thru your server, because in recent Exchange versions (2007 and above) it is the session which is authenticated and not the user. In other words, Exchange does not tell ORF which user account is used, only that sender authenticated successfully, thus ORF cannot log the exact account name. The solution mentioned in the article works on Exchange 2000 and 2003 only.
I recommend using the Event Viewer to monitor frequent logon activites to identify the compromised account.
I have an Exchange 2007 box set up, and I am noticing about 10,000-20,000 e-mails in the log per day, all from one person/IP and all to about 100 addresses (none of which are in my organization). I suspect a relay, but I am unsure how to find out how they are authenticating the send the message. The support page at http://www.vamsoft.com/authattack.asp said you can discover the culprit, but I have had no such success. All the log says is "Whitelist" for class and "Authenticated session, type: organization" for message.