Received 60.234.149.210 .... "Body has arrived, Relay=smtpauthHIDDEN@@DOMAIN.NAME,

      ChrisP.

I've looked at this as well.  Nothing in the status advanced view shows me which user accounts are authenticating when these spam messages are slipping through.  The only thing I can think to do now is to manually reset the passwords for all of the accounts on this box.  It's a few hundred addresses across about 40-50 domains...

Douglas Ward
IT Director
NC Methodist Conference

On Wed, Nov 24, 2010 at 9:28 PM, Lyle Giese <lyle@lcrcomputer.info> wrote:

The headers should show the orginating IP address.  Use that to track down connections under the advanced view in Status.  Should help narrow it down.

Lyle Giese

dward@nccumc.org <dward@nccumc.org>
Date: Wed, Nov 24, 2010 at 4:54 PM
Subject: Compromised mailbox allowing spam relay
To: surgemailHIDDEN@etwinsite.com

Happy Thanksgiving!

I have discovered today that one of the accounts on my surgemail server has been compromised.  It appears that a spammer has brute forced a password to relay authenticated mail through our mail server.  Unfortunately, I cannot find any trace within the surgemail logs which account is compromised.  I have checked all of the log files and all I see is the spoofed to/from fields.  The account used to authenticate to the surgemail server is nowhere to be found.  How can I find this?  Once I change this password all is well and I can go back to my vacation.  Any help you might offer would be most appreciated.  Thank you in advance!

Douglas Ward
IT Director
NC Methodist Conference