Spam Relay Issue


I have an Exchange 2007 box set up, and I am noticing about 10,000-20,000 e-mails in the log per day, all from one person/IP and all to about 100 addresses (none of which are in my organization). I suspect a relay, but I am unsure how to find out how they are authenticating to send the message. The support page at said you can discover the culprit, but I have had no such success. All the log says is "Whitelist" for class and "Authenticated session, type: organization" for message.

by Matthew Melashenko 8 years ago

@Matthew Melashenko:
Unfortunately, on Exchange 2007, you cannot use ORF (and its logs) to identify the compromised user account the spammer uses to relay emails through your server, because in recent Exchange versions (2007 and above) it is the session which is authenticated and not the user. In other words, Exchange does not tell ORF which user account is used, only that the sender authenticated successfully, thus ORF cannot log the exact account name. The solution mentioned in the article works on Exchange 2000 and 2003 only.

I recommend using the Event Viewer to monitor frequent logon activities to identify the compromised account.

by Krisztian Fekete (Vamsoft) 8 years ago
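As an added illustration of the Event Viewer approach suggested in the reply above (this is example code written for this page, not something from the thread, from ORF or from Vamsoft), the following PowerShell script summarises successful logon events from the Security log by account and source address, so that a single mailbox account authenticating thousands of times from one IP stands out from normal user traffic. It assumes the Exchange 2007 server runs Windows Server 2008 or later, where a successful logon is event ID 4624 (Server 2003 uses ID 540 instead), and it keeps only logon types 3 (Network) and 8 (NetworkCleartext), since Basic/LOGIN authentication on an SMTP receive connector normally produces one of those; the parameter names, the 24-hour window and the 100-logon threshold are choices made for this example, not values from the thread.

```powershell
# Added example (not from the forum thread or from ORF): summarise successful
# network logons from the Security event log per account and source IP, so
# that a compromised account used for SMTP relaying stands out.
#
# Assumptions (not stated in the thread):
#   - Windows Server 2008 or later: event ID 4624 = successful logon.
#     On Windows Server 2003 the equivalent ID is 540.
#   - Logon type 8 (NetworkCleartext) is what Basic/LOGIN authentication on an
#     SMTP receive connector usually yields; type 3 (Network) is kept as well.
#   - Run in an elevated PowerShell session on the Exchange server (or point
#     Get-WinEvent at it with -ComputerName).
param(
    [int]$Hours = 24,       # how far back to look
    [int]$MinLogons = 100   # report only account/IP pairs at or above this count
)

$since = (Get-Date).AddHours(-$Hours)

# Filtering on the server side keeps the query fast on a busy Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The useful fields live in the EventData section of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Interactive console logons (type 2) and the like are not SMTP traffic.
    if (@('3', '8') -notcontains $data['LogonType']) { continue }

    New-Object PSObject -Property @{
        Account  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIp = $data['IpAddress']
        Time     = $e.TimeCreated
    }
}

# Count logons per (account, source IP) pair. A relaying spammer typically
# produces one pair whose count dwarfs every legitimate user.
$summary = $rows |
    Group-Object Account, SourceIp |
    Where-Object { $_.Count -ge $MinLogons } |
    Sort-Object Count -Descending |
    ForEach-Object {
        New-Object PSObject -Property @{
            Account  = $_.Group[0].Account
            SourceIp = $_.Group[0].SourceIp
            Logons   = $_.Count
            First    = ($_.Group | Measure-Object Time -Minimum).Minimum
            Last     = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    }

if (-not $summary) {
    Write-Host "No account/IP pair reached $MinLogons logons in the last $Hours hour(s)."
} else {
    $summary | Select-Object Account, SourceIp, Logons, First, Last | Format-Table -AutoSize
}
```

Once a suspect account is identified, the usual response is to reset that account's password and review whether it should be allowed to authenticate to the receive connector at all; the counts reported here are also a reasonable baseline to watch over time, since a sudden jump for one account is a cheap early indicator of a new compromise.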
