unpredictable message
Dear All, I found that a lot of unpredictable messages were trying to be sent out through our Exchange 2003 server. According to the subjects of those messages, I am sure they are spam and are not being sent out by one of our users intentionally. The relay function of our Exchange server needs authentication for domain users. How can I identify the authenticated sender of these messages?
October 28th, 2009 5:26am

Check and make sure you are not open for relay. Scan all your client machines and see if nothing is getting generated from inside the domain. Also do a message tracking to find the whereabouts of these emails.
Raj
October 28th, 2009 8:17am

Thanks Raj! All client machines have Symantec Endpoint installed. The result of message tracking just shows the following:
SMTP: Start Outbound Transfer of Message
SMTP: Message transferred to though SMTP
SMTP: Start Outbound Transfer of Message
SMTP: Message transferred to though SMTP
SMTP: Start Outbound Transfer of Message
SMTP: Message transferred to though SMTP
SMTP: Start Outbound Transfer of Message
SMTP: Message transferred to though SMTP
.......
How can I identify which user account sent out those messages?
October 28th, 2009 9:11am

Thought to check the sender's email address. However, try to track the mails sent to the recipients through message tracking and you can list down the sender's name. There are certain reporting tools which can do this for you. Else message tracking is your best friend here.
Raj
October 28th, 2009 10:11am

The sender's email address is fake, it doesn't exist.
October 28th, 2009 10:43am

Then I think you are probably open for relay or it's a backscatter spam. Check for open relay:
http://support.microsoft.com/kb/895853
http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm
Raj
October 28th, 2009 12:01pm

Just to supplement: more information about relay is in our FAQ, #1--#4: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/d46bf491-0e5b-4b9e-81b3-81c66b6ad81c#1
If you wanna check if the mail is sent from internal, you could check your SMTP log, which contains the IP of the client.
Thanks,
Elvis
October 28th, 2009 12:47pm

> Just to supplement: more information about relay is in our FAQ, #1--#4: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/d46bf491-0e5b-4b9e-81b3-81c66b6ad81c#1
> If you wanna check if the mail is sent from internal, you could check your SMTP log, which contains the IP of the client.
> Thanks,
> Elvis

Hi Elvis, the IPs of the clients are from outside.
October 28th, 2009 1:06pm

> Then I think you are probably open for relay or it's a backscatter spam. Check for open relay:
> http://support.microsoft.com/kb/895853
> http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm
> Raj

Hi Raj, the relay is not open, only for authenticated users and listed internal IPs.
October 28th, 2009 1:08pm

I removed all internal IPs from the relay (the relay only serves authenticated users now), but those messages are still sent out every day. Can anybody give me advice?
October 30th, 2009 8:35am

Check if the emails are sent from inside. Check the SMTP logs, which clearly tell you the IP from where the mails are getting generated. Run a scan on all your client machines for any virus activity. Also have a look at Jeff's comments: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/d46bf491-0e5b-4b9e-81b3-81c66b6ad81c#1
Raj
October 30th, 2009 9:10am

Hi Raj, thank you so much! Finally I found out which user account has been disclosed. I enabled the log for SMTP authentication from the diagnostics logging of the virtual server, and then found out the authenticated account from the Application Log when the spam was sending out.
October 30th, 2009 10:35am
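
Added example (not part of the thread or of any poster's own code): the SMTP-log check suggested in the replies above, written as a Python script that counts RCPT commands per client IP in a W3C Extended format log and reports the first and last time each IP was seen, so the busiest external client can be matched against authentication entries in the Application Log. The enabled log fields, the internal network range and all log lines are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in W3C Extended log format; addresses and names are made up.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-10-30 01:00:01 203.0.113.45 host.example.test EHLO +host.example.test 250
2009-10-30 01:00:02 203.0.113.45 host.example.test MAIL +FROM:<fake@example.test> 250
2009-10-30 01:00:02 203.0.113.45 host.example.test RCPT +TO:<a@example.net> 250
2009-10-30 01:00:02 203.0.113.45 host.example.test RCPT +TO:<b@example.net> 250
2009-10-30 01:00:03 203.0.113.45 host.example.test RCPT +TO:<c@example.net> 250
2009-10-30 01:05:10 192.168.1.20 pc20 MAIL +FROM:<user@example.test> 250
2009-10-30 01:05:11 192.168.1.20 pc20 RCPT +TO:<d@example.net> 250
2009-10-30 01:05:12 truncated
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def rcpt_by_client(text, internal_nets):
    """Return (ip, origin, rcpt_count, first_seen, last_seen), busiest first."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    seen = defaultdict(list)
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() == "RCPT" and "c-ip" in rec:
            seen[rec["c-ip"]].append(f'{rec.get("date", "")} {rec.get("time", "")}')
    report = []
    for ip, stamps in sorted(seen.items(), key=lambda kv: -len(kv[1])):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # value in c-ip is not an IP address; ignore it
        origin = "internal" if any(addr in n for n in nets) else "external"
        report.append((ip, origin, len(stamps), min(stamps), max(stamps)))
    return report

if __name__ == "__main__":
    for row in rcpt_by_client(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(*row)
```

W3C Extended log times are recorded in UTC, so convert them before comparing with Application Log timestamps.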

This topic is archived. No further replies will be accepted.