How to tell who is sending mail.....?

[supercoups]

I am running Exchange 5.5 on an NT 4.0 box. It seems that an unwanted indivdual has been sending email out of my exchange server from out side the LAN. The only way this can be done is if they were able to authenticate on my Exchange box. How can i tell which user they are authenticating as? Is there some logging that can be turned on?

Thanks,
Jim

 

[remain]

you could turn on logging on the IMC. Depending on how much mail you send out it will accumulate FAST. and it's a pain in the neck to go through.

I'm guessing however that they aren't actually sending mail out of your server, they are just spoofing it to make it look that way.

 

[supercoups]

I did turn on the IMC logging and it seems that foreign domains are making successful connections. But it doesn't tell me who they are connecting as.....Examples:

A new TCP/IP SMTP connection has been made to host 209.58.220.225 (for mails.ch). Logfile: L0000002.LOG

How was Mails.ch able to make a connection through my server to the address 209.58.220.225 which is the host at my isp?

Thanks,
Jim

 

[DColcl]

Hey Jim.
About a year and a half ago I had an issue with spammers getting to my 5.5 box and relaying mail. I searched high and low for the issue of how these folks were able to do it. My IMC outbound was flooded (2k emails and up) with relaying messages.

Finally, I decided to check the 'local' admininstrators account and password and found that the server had been setup with.....get this.....no password! ugh! Once I changed this st00pid oversite they all stopped.

Maybe this person knows the local admin password and, therefore, able to conenct and relay mail.

Hope this helps, bro. And GL.

Danny