Question : Spam/Open relay?

Hi There experts, I need your help!

One of my Exchange 2003 relay servers notified me of an excessive mail queue last night. I had a look and there were 3000 mails all reporting to have the source of one of my clients' servers, and the destination addresses were all variations of [email protected]. I disabled my outbound email and went onto the Exchange server that the email was originating from.

It's an SBS 2003 box with no open relay, however there were 40,000 emails queuing to get out, again with a similar email address origin. I looked at my virtual SMTP server sessions and found three IP addresses connected hundreds of times.

In order to resolve this I disabled the outbound queue from the SBS box and terminated the virtual SMTP server connections, and then double checked that the Exchange server was not configured as an open relay. Went to the queues in Windows Explorer and deleted all the email. Before I did that I had a look at the content of a message, which appears below:

%BOY

ª´ºÀ¤èªö-ª@ÄR´@¤Q¦r¬[¨®¤u¤K¤ß¤K½b¤èÆp§Ù«ü

%BOY

Oddly this doesn't appear to be spam email as such, so I wondered what the purpose of this was.

I ran Windows updates on my server, just in case there were any holes I was unaware of, and rebooted the server.

I then added the offending IP addresses to the access connection control deny list under the virtual SMTP server properties. Started the SMTP service and then monitored for a few minutes. It seemed to be ok, so I left and went out to the movies; when I got back another IP had connected and a similar issue had occurred, this time I was seeing these addresses [email protected]t. I carried out the same procedure again, adding the IP to the deny list, and it stopped. This morning when I checked the same happened again, and again this afternoon.

I've examined the SMTP logs, but nothing is really helping. The last time I resolved the issue, I saw that the connection to my SMTP server had two identities:

USER: 1.2.3.4 [the sbs server external IP]
FROM: 1.2.3.4 [the IP that I added to the deny list]

The user ID tends to vary, but I think that's a red herring, however each time I block an IP more seem to take their place. I've looked at the logs and they are reporting just what I was seeing.

How can I stop this from happening?

I hope all the above makes sense and I have log files if additional information is required.

Answer : Spam/Open relay?

You mention it's not an open relay and yet it's accepting email from random addresses for delivery? If you're adding IPs to a deny list and that's blocking it, it does suggest it's a relay. Are there any odd entries on the Allow list? And are you 100% sure it's not set up to allow relaying?
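An added example (not from the thread) of the check the answer is asking for, run over constructed SMTP log lines: it tallies, per connecting IP, how many accepted RCPT commands were for domains the box is not authoritative for, and records any SMTP AUTH username, so you can see whether the outside hosts are relaying and whether they are doing it through a mailbox login. The log field order, the sample IPs and `LOCAL_DOMAINS` are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample, shaped like the W3C extended log an Exchange 2003 SMTP virtual
# server writes. The field order is an assumption: check the #Fields header of the
# real log before pointing this at it.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2008-05-12 01:00:01 203.0.113.9 - EHLO +mail.example.net 250
2008-05-12 01:00:01 203.0.113.9 - MAIL +FROM:<user@client.example> 250
2008-05-12 01:00:02 203.0.113.9 - RCPT +TO:<bob@example.org> 250
2008-05-12 01:00:02 203.0.113.9 - RCPT +TO:<bob1@example.org> 250
2008-05-12 01:00:05 198.51.100.7 - RCPT +TO:<alice@client.example> 250
2008-05-12 01:00:09 203.0.113.9 jsmith RCPT +TO:<bob2@example.org> 250
2008-05-12 01:01:00 192.0.2.4 - RCPT +TO:<bob3@example.org> 550
"""
LOCAL_DOMAINS = {"client.example"}  # domains the box accepts mail for (assumed)

def parse(log_text):
    """Yield (c_ip, cs_username, method, query, status) for each data line."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(" ")
        if len(f) >= 7:
            yield f[2], f[3], f[4], f[5], f[6]

def relay_report(log_text, local_domains=LOCAL_DOMAINS):
    """Per client IP: accepted RCPTs, how many went to non-local domains, and any
    SMTP AUTH usernames. An outside host pushing many non-local recipients through
    the box is relaying, whether the server is an open relay or the sessions were
    authenticated with a mailbox password."""
    accepted, relayed, users = Counter(), Counter(), defaultdict(set)
    for ip, user, method, query, status in parse(log_text):
        if method != "RCPT" or status != "250":
            continue  # only recipients the server actually accepted count
        accepted[ip] += 1
        if user != "-":
            users[ip].add(user)
        domain = query.split("<", 1)[-1].rstrip(">").rpartition("@")[2].lower()
        if domain not in local_domains:
            relayed[ip] += 1
    return {ip: (accepted[ip], relayed[ip], sorted(users[ip])) for ip in accepted}

def suspects(log_text, min_relayed=2):
    """Client IPs that relayed at least min_relayed recipients, worst first."""
    rep = relay_report(log_text)
    return sorted((ip for ip, (_, r, _) in rep.items() if r >= min_relayed),
                  key=lambda ip: -rep[ip][1])
```

An IP that shows up with a username is relaying through an authenticated session, so the fix there is the account's password and the relay restrictions for authenticated users, not just the deny list.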