Unknown traffic from mail server
We've started using NetFlow to collect some traffic information in our environment. Lately we've seen some network traffic coming from our mail server to external websites. The interesting thing is that when you run a query in Exchange to see if a mailbox is sending large amounts of email to these sites, nothing shows up. Here's the query:

Get-MessageTrackingLog -Server exchange -ResultSize Unlimited | Where-Object {$_.Recipients -like "*@othersite.com" -and $_.EventId -eq "Send"}

Could the traffic being sent be from one of the relays configured in Exchange? If so, is there another query that I can run to find out which relay is the culprit? Thanks, D
July 28th, 2010 1:38am

Hi, You can use the SMTP log to find out the culprit.

1. On the Hub Transport server, go to c:\program files\Microsoft\Exchange server\transportroles\logs\protocollog\smtpreceive. If you have not enabled SMTP logging, please refer to the following article to enable it: http://exchangepedia.com/blog/2007/05/exchange-server-2007-logging-smtp.html

2. Open the RECV2010XXXX.log. Search for the keyword "@othersite.com". You will find records like:

2010-07-28T09:14:29.123Z,MB2\Default MB2,08CCFC0F3404CB85,15,192.168.1.2:25,156.168.1.5:1417,<,RCPT TO:<xxxxx@othersite.com>,

The first IP address, 192.168.1.2, is your Hub Transport server. The second IP address, 156.168.1.5, is the server that is the real sender of the mail (spam). If there's anything unclear, please feel free to let me know. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks
July 28th, 2010 12:56pm
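The answer above has you search the SMTP receive protocol log by hand. The script below is an added example (it is not from either poster and not part of Exchange) that does the same lookup over a whole folder of RECV*.log files and summarises, per connecting host, how many recipients at the domain of interest were submitted, through which receive connector, and with which envelope sender. It assumes the default field layout of the Exchange 2007/2010 SMTP receive log (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context); the embedded sample lines are constructed for the example and mirror the record shown in the answer. The -LogPath default and the $Domain value are assumptions you would change for your own environment.

```powershell
# Added example, not part of the original thread. Summarises which remote hosts
# submitted mail for a given recipient domain by parsing Exchange SMTP receive
# protocol logs (RECV*.log). Assumes the default protocol-log field layout.
param(
    [string]$LogPath = 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive',
    [string]$Domain  = 'othersite.com',
    [switch]$UseSample   # run against the constructed sample below instead of real logs
)

# Constructed sample in the same layout as a real RECV log (not real traffic).
$sampleLog = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-07-28T09:14:28.900Z,MB2\Default MB2,08CCFC0F3404CB85,10,192.168.1.2:25,156.168.1.5:1417,<,MAIL FROM:<noreply@example.local>,
2010-07-28T09:14:29.123Z,MB2\Default MB2,08CCFC0F3404CB85,15,192.168.1.2:25,156.168.1.5:1417,<,RCPT TO:<xxxxx@othersite.com>,
2010-07-28T09:14:29.456Z,MB2\Default MB2,08CCFC0F3404CB85,16,192.168.1.2:25,156.168.1.5:1417,<,RCPT TO:<yyyyy@othersite.com>,
2010-07-28T09:15:02.001Z,MB2\Relay MB2,08CCFC0F3404CB91,12,192.168.1.2:25,192.168.1.77:50112,<,RCPT TO:<someone@othersite.com>,
2010-07-28T09:16:10.555Z,MB2\Default MB2,08CCFC0F3404CB99,12,192.168.1.2:25,192.168.1.77:50118,<,RCPT TO:<colleague@example.local>,
'@

# Field names from the '#Fields:' header line of the protocol log.
$header = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

if ($UseSample) {
    $lines = $sampleLog -split "`r?`n"
} else {
    $lines = Get-ChildItem -Path $LogPath -Filter 'RECV*.log' | Get-Content
}

# Skip blank and '#' comment lines, then parse the rest as CSV with known field names.
$records = $lines |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ConvertFrom-Csv -Header $header

# Inbound commands (event '<') naming a recipient at the domain of interest.
$rcptPattern = '^RCPT TO:<[^>]*@' + [regex]::Escape($Domain) + '>'
$hits = $records | Where-Object { $_.event -eq '<' -and $_.data -match $rcptPattern }

# Remember the envelope sender of each session so it can be shown next to the host.
$senderBySession = @{}
$records |
    Where-Object { $_.event -eq '<' -and $_.data -like 'MAIL FROM:*' } |
    ForEach-Object { $senderBySession[$_.'session-id'] = ($_.data -replace '^MAIL FROM:', '') }

# Group by the connecting host (remote endpoint without the port) and report.
$hits |
    Group-Object { ($_.'remote-endpoint' -split ':')[0] } |
    ForEach-Object {
        $g        = $_.Group
        $sessions = $g | ForEach-Object { $_.'session-id' } | Sort-Object -Unique
        $times    = $g | ForEach-Object { $_.'date-time' }  | Sort-Object
        [pscustomobject]@{
            RemoteIP   = $_.Name
            Recipients = $_.Count
            Sessions   = @($sessions).Count
            Connectors = (($g | ForEach-Object { $_.'connector-id' } | Sort-Object -Unique) -join '; ')
            Senders    = (($sessions | ForEach-Object { $senderBySession[$_] }) -join '; ')
            FirstSeen  = $times[0]
            LastSeen   = $times[-1]
        }
    } |
    Sort-Object Recipients -Descending |
    Format-Table -AutoSize
```

Run it with -UseSample to see the constructed data; without the switch it reads every RECV*.log under -LogPath. RemoteIP is the host that opened the SMTP session to the Hub Transport server, which is what the answer calls the real sender; Connectors shows which receive connector accepted it, so an internal application server or relay connector that is submitting mail to the external domain stands out even though Get-MessageTrackingLog on the mailbox side shows nothing.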
