2

I have noticed huge amounts of email going to random .com.tw domains. My Exchange event log is erroring with them every few seconds. I am wondering, is it possible to see which computer this is coming from? Maybe it's a virus? Has anyone had a similar experience with this? I'm running Small Business Server 2003.

Thanks,

Grishanko

4 Answers

4

Are you running an Open Relay? If not, then I believe you do have a virus. It's time to find the culprit; do that fast, otherwise you'll get your domain blacklisted. Something like this happened to me a long time ago, and it was because I was running an open relay.

Run this site to see if you're running an Open Relay: http://www.checkor.com/

Check this thread for more info on the sending spam: Recommendations for handling Directory Harvesting spam on Exchange 2003

Hondalex
  • +1 for doing this fast; in fact, you might want to shut down your email server. Other email servers will probably just add the emails to a queue to try to resend later, so you probably won't lose incoming mail. Better down for a while than blacklisted!! – Kyle Brandt Aug 03 '09 at 17:08
  • Clarifying what Kyle said: Other email servers *will* just add the emails to a queue to try to resend later, so you won't lose incoming mail. – Carl C Aug 03 '09 at 18:20
  • The server did have an open relay; one of the other admins accidentally opened it up when trying to resolve a different issue. We got that taken care of, and we did indeed get blacklisted by Barracuda; we requested removal from the list. They were great at getting that taken care of. – Grishanko Aug 08 '09 at 15:04
  • Glad to hear that you got it resolved and that Barracuda removed you without any issue. – Hondalex Aug 10 '09 at 13:32
2

You should be able to turn up the SMTP logging using the Exchange console. It is on the Diagnostics tab, SMTP transport. Then you will have a log written to your Logs folder under your Windows directory for the SMTP service, which should capture the SMTP conversation between the client and your Exchange server, leading you to the offending machine.

Kevin Kuphal
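As an added example (not code from the thread), a small Python script that reads the SMTP service log this answer describes and attributes accepted outbound recipients to the connecting client IP, so an internal machine spraying .com.tw addresses or an external host relaying through the server stands out. The sample log lines and the local domain example.com are constructed; the layout is assumed to be the service's W3C extended format with a #Fields: header.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the W3C extended format the Windows SMTP service writes;
# column order is taken from the #Fields: header, so extra or reordered columns parse too.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2009-08-03 17:08:01 192.168.1.57 - SMTPSVC1 SBS01 192.168.1.2 25 MAIL - +FROM:<a@example.com.tw> 250
2009-08-03 17:08:01 192.168.1.57 - SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<b@example.com.tw> 250
2009-08-03 17:08:02 192.168.1.57 - SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<c@example.com.tw> 250
2009-08-03 17:08:05 203.0.113.9 - SMTPSVC1 SBS01 192.168.1.2 25 MAIL - +FROM:<x@example.net> 250
2009-08-03 17:08:05 203.0.113.9 - SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<y@example.org> 250
2009-08-03 17:08:06 203.0.113.9 - SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<z@example.org> 550
2009-08-03 17:08:09 203.0.113.9 - SMTPSVC1 SBS01 192.168.1.2 25 RCPT - +TO:<user@example.com> 250
"""
ADDR_RE = re.compile(r"<([^>]*)>")
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")

def parse_smtp_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def relay_report(text, local_domain):
    """Per client IP, count accepted RCPT TO commands for non-local domains."""
    report = defaultdict(Counter)
    for rec in parse_smtp_log(text):
        # Only accepted (250) recipients count; a 550 means relaying was refused.
        if rec.get("cs-method") != "RCPT" or rec.get("sc-status") != "250":
            continue
        m = ADDR_RE.search(rec.get("cs-uri-query", ""))
        if not m or "@" not in m.group(1):
            continue
        domain = m.group(1).rsplit("@", 1)[1].lower()
        if domain != local_domain.lower():  # mail to our domain is delivery, not relay
            report[rec["c-ip"]][domain] += 1
    return report

def classify(report):
    """External client relaying outward = open relay; internal client = suspect host."""
    return {ip: ("open-relay" if not PRIVATE_RE.match(ip) else "internal-sender",
                 sum(c.values()), c.most_common(1)[0][0])
            for ip, c in report.items()}
```

Run it over a real log with `classify(relay_report(open(path).read(), "yourdomain.example"))`; the tuple per IP gives the verdict, the number of accepted external recipients, and the most frequent destination domain.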
1

It is possible that this traffic is back-scatter. If incoming email is being addressed to "aabbccddeeeff@[yourdomain]", you'll get outbound mail destined to the listed MAIL FROM: address, as a delivery-status-notice gets sent informing them that no such user exists on your system. This is a form of directory-harvest attack that relies on an actual receiving mailbox to determine which addresses did NOT result in a DSN being sent and are therefore valid email addresses.

sysadmin1138
0

Are you running any type of AV on your mail server? What are some of the errors you are seeing? Can you post a screenshot of them?

DanBig