The headers should show the originating IP address. Use that to track down connections under the advanced view in Status. Should help narrow it down.

Lyle Giese

dward@nccumc.org wrote:

Additional information:

After finding a legitimate e-mail in the queue I found an X-Authenticated-User field in the message header. The spam messages do not have this field in their header records. Any thoughts on how I can track this down?

Douglas Ward
IT Director
NC Methodist Conference

---------- Forwarded message ----------
From: <dward@nccumc.org>
Date: Wed, Nov 24, 2010 at 4:54 PM
Subject: Compromised mailbox allowing spam relay
To: surgemailHIDDEN@etwinsite.com

Happy Thanksgiving!

I have discovered today that one of the accounts on my surgemail server has been compromised. It appears that a spammer has brute forced a password to relay authenticated mail through our mail server. Unfortunately, I cannot find any trace within the surgemail logs of which account is compromised. I have checked all of the log files and all I see is the spoofed to/from fields. The account used to authenticate to the surgemail server is nowhere to be found.

How can I find this? Once I change this password all is well and I can go back to my vacation. Any help you might offer would be most appreciated. Thank you in advance!

Douglas Ward
IT Director
NC Methodist Conference
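The header check suggested in the reply, as an added example (not part of the original thread and not SurgeMail code): it groups queued messages by the connecting IP in the topmost Received header and lists the IPs whose mail never carries X-Authenticated-User. The Received format, the function names and the sample queue are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from ipaddress import ip_address

# Assumption: the receiving server records the connecting client's address
# in brackets, e.g. "Received: from host ([203.0.113.45]) by mail.example.org".
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def client_ip(msg):
    """IP from the topmost Received header, the one our own server added."""
    # Lower Received headers are supplied by the sender and can be forged.
    received = msg.get_all("Received") or []
    m = IP_RE.search(received[0]) if received else None
    if not m:
        return None
    try:
        return str(ip_address(m.group(1)))
    except ValueError:  # e.g. 999.1.1.1
        return None

def summarize_queue(raw_messages):
    """Per connecting IP: message count, count lacking X-Authenticated-User, users seen."""
    stats = defaultdict(lambda: {"total": 0, "no_auth_header": 0, "users": set()})
    for raw in raw_messages:
        msg = message_from_string(raw)
        entry = stats[client_ip(msg) or "unknown"]
        entry["total"] += 1
        user = msg.get("X-Authenticated-User")
        if user:
            entry["users"].add(user.strip())
        else:
            entry["no_auth_header"] += 1
    return dict(stats)

def suspects(stats, min_messages=2):
    """IPs whose queued mail never carries X-Authenticated-User, busiest first."""
    hits = [(ip, s["total"]) for ip, s in stats.items()
            if s["total"] >= min_messages and s["no_auth_header"] == s["total"]]
    return sorted(hits, key=lambda h: -h[1])

def _sample(ip, auth_user=None):
    headers = [f"Received: from client ([{ip}]) by mail.example.org",
               "Received: from forged ([192.0.2.1]) by nowhere.example"]
    if auth_user:
        headers.append(f"X-Authenticated-User: {auth_user}")
    return "\n".join(headers + ["Subject: test", "", "body"])

# Constructed sample queue using documentation addresses, not data from the thread.
SAMPLE_QUEUE = [_sample("203.0.113.45")] * 3 + [_sample("198.51.100.7", "staff@example.org")]
```

The IPs returned by suspects() are the ones to look up against the server's connection records.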