Exchange 2003 - Who put those emails in the Queue
I have an Exchange 2003 (SBS 2003) server with >280K emails waiting to be sent. Most of them are spam. I am clearing the queue out, but I would really like to know how they got in there (not an open relay). Is there any report/log that will show me the user/IP address that put these emails in the system? I have started AV scans and found nothing (4 laptops still to check).
October 21st, 2009 10:42am

Looks like backscatter spam. Can you check the sender and recipient email addresses? Also check the SMTP Virtual Server relay list. Also check if the same emails are returning back to the queue. If yes, you need to use a tool called MFCMAPI and then delete those emails from the temp folders after stopping the SMTP service.
Raj
October 21st, 2009 11:12am

I've written a post on SMTP metrics. You could take a look at some of the free tools to see which users are submitting the mail. http://almostdailytech.com/2009/05/25/exchange-messaging-statistics/
Mark Morowczynski | MCT | MCSE 2003: Messaging, Security | MCITP: ES, SA, EA | MCTS: Windows Mobile Admin | Security+ | http://almostdailytech.com
October 21st, 2009 2:53pm

Thanks for your responses. I have cleared the queue of spam and none is going back into the queue so far. I have had a look at the logs and I'm confused: it seems to be saying that our server is an open relay, but I've tested it 10 times and it's not, it won't relay for me. I have added an example from the Message Tracking log file below. The formatting won't be great and I removed references to our server, but if you guys could take a look at it I'd appreciate it.

# Message Tracking Log File
# Exchange System Attendant Version 6.5.7638.1
# Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time Encryption service-Version Linked-MSGID Message-Subject Sender-Address
2009-10-20 0:0:0 GMT 217.35.85.106 User 208-84-64-202.proofpoint.com *Our Server Name* *Our Server IP* fantasy@adnc.com 1031 *Message ID* 3 0 2557 50 2009-10-19 14:32:46 GMT 0 Version: 6.0.3790.3959 - Mystery Shop For Us(Earn Weekly) careers@premiumshopper.com -

What do you think?
October 22nd, 2009 12:50am
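
An added example, not posted by anyone in this thread: a small Python script that reads a message tracking log with the column header quoted above and ranks (client-ip, Sender-Address) pairs by how many recipients their messages targeted, which is the "who put these in the queue" question. It assumes the file on disk is tab-separated; the host names, addresses and message IDs in the sample are constructed placeholders.

```python
from collections import defaultdict

# Column names as quoted in the post above. Assumption: the file is tab-separated.
HEADER = "# " + "\t".join(
    "Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP "
    "Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes "
    "Number-Recipients Origination-Time Encryption service-Version Linked-MSGID "
    "Message-Subject Sender-Address".split())

def _row(ip, rcpt, msgid, nrcpt, sender):
    # Constructed record; hosts, addresses and message IDs are placeholders.
    return "\t".join([
        "2009-10-20", "0:0:0 GMT", ip, "User", "-", "MAIL01", "192.0.2.10", rcpt,
        "1031", msgid, "3", "0", "2557", str(nrcpt), "2009-10-19 14:32:46 GMT",
        "0", "Version: 6.0.3790.3959", "-", "Sample subject", sender])

SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File", HEADER,
    _row("198.51.100.7", "a@example.org", "MSG-A", 50, "promo@example.net"),
    _row("198.51.100.7", "b@example.org", "MSG-A", 50, "promo@example.net"),
    _row("198.51.100.7", "c@example.org", "MSG-B", 50, "promo@example.net"),
    _row("192.0.2.25", "d@example.org", "MSG-C", 1, "alice@example.com"),
    "2009-10-20\t0:0:1 GMT\t198.51.100.7",  # truncated line, must be skipped
])

def parse_tracking_log(text):
    """Yield one dict per complete record, keyed by the '# Date ...' header names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("# Date"):
            fields = line[2:].split("\t")
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split("\t")
            if len(values) == len(fields):  # ignore truncated or damaged lines
                yield dict(zip(fields, values))

def top_submitters(text):
    """Return (client-ip, sender, messages, recipients), highest recipient count first."""
    first_seen = {}
    for rec in parse_tracking_log(text):
        # The same MSGID can appear on several lines; count each message once.
        first_seen.setdefault(rec["MSGID"], rec)
    totals = defaultdict(lambda: [0, 0])
    for rec in first_seen.values():
        n = rec["Number-Recipients"]
        key = (rec["client-ip"], rec["Sender-Address"])
        totals[key][0] += 1
        totals[key][1] += int(n) if n.isdigit() else 0
    ranked = [(ip, s, m, r) for (ip, s), (m, r) in totals.items()]
    return sorted(ranked, key=lambda t: t[3], reverse=True)
```

To use it on a real log, pass the file's text to `top_submitters()`; a single external client-ip with many messages at 50 recipients each stands out at the top of the list.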

Hi,
First, please check whether the Exchange Server is an open SMTP relay, or whether an authenticated user is relaying. Please follow the article below to test it.
How to block open SMTP relaying and clean up Exchange Server SMTP queues http://technet.microsoft.com/en-us/kb/kb00324958.aspx
Regards,
Xiu
October 22nd, 2009 10:10am

Thanks for the link, Xiu Zhang. I had seen that page and checked for open relay (not open), but I hadn't continued down the page to the authenticated user section. I had arrived at that as a conclusion and am asking all users to change their passwords. I have also enabled the logging for next time.
October 23rd, 2009 12:13am
