How to locate spammer - Exchange 2007
Hello, Our ISP informed us that we have been blacklisted because someone is spamming from our public mail IP. I have verified we are not configured as an open relay and the next thing I want to do is find out if any internal users (malicious or infected possibly) are spamming using our Exchange server. I have enabled Verbose logging on the receive and send connectors and looked through the logs but have not been able to track down spammers. Is there a better way I can track down potential spammers inside my organization? The message queues on the server are empty as well.
November 15th, 2011 2:09pm

Hi, An easy option is also to check the queue in the toolbox in EMC. You should see a massive amount of mails going through and you can see who the sender is as well.
/Martin
Exchange is a passion not just a collaboration software.
November 15th, 2011 2:31pm

Thanks Martin, the queue is empty.
November 15th, 2011 2:50pm

Ok, that seems a bit weird if you are having issues with spamming through your server. Did you try the message tracking? You could do a search over a specific time (1 hour, 1 day depending on the amount of mails you sent) and then check if there is any particular person that is sending a lot of mails.
/Martin
Exchange is a passion not just a collaboration software.
November 15th, 2011 2:59pm
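
Added example (not part of the original thread): one way to run the message tracking search suggested above from the Exchange Management Shell, ranking senders and submitting hosts by volume. The 24-hour window and the top-20 cutoff are assumptions to adjust.

```powershell
# Added example; run in the Exchange Management Shell with rights to read tracking logs.
# Assumptions: 24-hour look-back and a top-20 cutoff. Widen or narrow for your mail volume.
$start = (Get-Date).AddHours(-24)
$end   = Get-Date
$top   = 20

# One RECEIVE event is logged for each message a Hub Transport server accepts,
# so counting RECEIVE events counts messages rather than individual deliveries.
$events = @(
    Get-ExchangeServer |
        Where-Object { $_.IsHubTransportServer } |
        ForEach-Object {
            Get-MessageTrackingLog -Server $_.Name -Start $start -End $end `
                -EventId RECEIVE -ResultSize Unlimited
        }
)

# Top senders, split by how the message entered transport:
#   STOREDRIVER = submitted from a mailbox (Outlook, OWA, ActiveSync)
#   SMTP        = handed to a receive connector by another host
# The Recipients column sums RecipientCount, which exposes a sender with
# few messages but very large recipient lists.
$events |
    Group-Object Source, Sender |
    Sort-Object Count -Descending |
    Select-Object -First $top -Property Count, Name,
        @{ Name = 'Recipients'
           Expression = { ($_.Group | Measure-Object RecipientCount -Sum).Sum } } |
    Format-Table -AutoSize

# Hosts that submitted mail over SMTP. An internal workstation address near the
# top of this list is relaying through Exchange and deserves a closer look.
$events |
    Where-Object { $_.Source -eq 'SMTP' } |
    Group-Object ClientIp |
    Sort-Object Count -Descending |
    Select-Object -First $top -Property Count, Name |
    Format-Table -AutoSize
```

If both tables look normal, the spam is probably not passing through Exchange at all, and outbound port 25 traffic at the firewall is the next place to check.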

Hi Guitar, Some suggestions for you:
1. You can enable the Protocol Logging to Verbose on Receive and Send connectors and go through those logs located at: C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive & SmtpSend
2. Then you can download the Process Tracking Log tool from the following Web site: http://blogs.technet.com/b/exchange/archive/2008/02/07/3404839.aspx Install it and then check various commands to find - provides the top senders e-mail addresses and the message count, etc. Install on HUB Server and go through most of the options available.
3. Then discuss the option to ExMon - tool can be used to monitor client connectivity to Exchange server. This tool provides client IP, client version etc information to you.
Best Regards!
November 15th, 2011 9:56pm

I had an issue similar to this. The problem was the spam wasn't going out via Exchange. A client workstation was infected and establishing SMTP connections to Russian servers. There were literally hundreds of concurrent connections. After running a network scan for all SMTP traffic, we found the infected workstation, removed the virus and promptly modified our GPO to close port 25 on all workstations. Might be worth looking into....
November 15th, 2011 10:12pm

Thanks for the suggestions everyone. The ISP emailed me and said they have not seen any spam activity in a while so they are removing us from their black list.
November 28th, 2011 5:23pm
