Spam Relay Issue - ORF Forums

Spam Relay Issue RSS Back to forum


I have an Exchange 2007 box set up, and I am noticing about 10,000-20,000 e-mails in the log per day, all from one person/IP and all to about 100 addresses (none of which are in my organization). I suspect a relay, but I am unsure how to find out how they are authenticating the send the message. The support page at said you can discover the culprit, but I have had no such success. All the log says is "Whitelist" for class and "Authenticated session, type: organization" for message.

by Matthew Melashenko 8 years ago

@Matthew Melashenko:
Unfortunately, on Exchange 2007, you cannot use ORF (and its logs) to identify the compromised user account the spammer uses to relay emails thru your server, because in recent Exchange versions (2007 and above) it is the session which is authenticated and not the user. In other words, Exchange does not tell ORF which user account is used, only that sender authenticated successfully, thus ORF cannot log the exact account name. The solution mentioned in the article works on Exchange 2000 and 2003 only.

I recommend using the Event Viewer to monitor frequent logon activites to identify the compromised account.

by Krisztian Fekete (Vamsoft) 8 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2