I am having this serious problem that I need help with ASAP. I am having a spam relay problem. Someone is in our email system sending a ton of spam. I first noticed it 2 days ago. There were about a thousand messages in the queues. I killed outbound email and SMTP connections. I then wiped the queues out, which was a pain in the a$$. Then I started to look for the problem. Here is what I have found.

Relay is on, with only one internal IP allowed to relay, which is an MFD.
The “Allow all computers which successfully authenticate relay…” is unchecked.
Under relay users, “Authenticated Users” (I think that is what it said; I just removed it) and I were listed with submit and relay allow checked.
There were only 3 critical updates that were not installed, so I did so.
I ran MS Baseline on it and it only found a few minor things.
Guest is disabled.

I have caught 2 spammers in the SMTP connections. The first one I will call the smart spammer because he does small loads of spam. Usually he does 100-200 messages every 4 hours or so. I think if it was just him I might have never noticed. Then there is the stupid spammer. He is new from what I can tell from the logs. He is sending tons of ***** as fast as our mail server will take it. He is the one that made the mail server choke and that’s when I noticed. Now for the part that REALLY has me concerned. The two times I have seen him in the SMTP connections, it shows the user as being Technocrat. Now our network doesn’t have a user name Technocrat on it; it has my real name. I know the user on that screen is the server name and not a user. But come on. I guess it could be just a coincidence, but it’s got me really freaked out.

But somehow they are still getting in. My best guess is they must have someone’s username and password. I need help really desperately. We have a couple of high powered users that need to have the ability to relay. So having it off is not an option.

My next thought is to just add the users that need to do relaying and see if that fixes it. But I really want to know how they are getting in.

So I need some suggestions on what to do.
I also need to know if there is a log somewhere for when someone logs in to do relay. I want to know if they are using a user name and password, and which one it is, so I can fix it.

ANY HELP is welcomed.
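On the logging question: if this is an Exchange 2003 / IIS SMTP virtual server, protocol logging can be switched on in the virtual server's properties (W3C extended format), and a script like the added example below, which is not from the original post, ranks the client addresses that authenticate and then submit mail. The field layout, the meaning of each field and the log lines themselves are assumptions and constructed sample data, not taken from the poster's server.

```python
# Added example (not from the original post). Assumes an Exchange 2003 / IIS
# SMTP virtual server with protocol logging enabled in W3C extended format,
# where cs-method holds the SMTP verb, sc-status the SMTP reply code
# (235 = AUTH accepted, 535 = AUTH rejected), cs-username the client's
# HELO/EHLO name and c-ip the connecting address. The log lines are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2006-03-01 02:10:01 203.0.113.7 laptop.example.net 192.0.2.10 EHLO - 250
2006-03-01 02:10:01 203.0.113.7 laptop.example.net 192.0.2.10 AUTH - 235
2006-03-01 02:10:02 203.0.113.7 laptop.example.net 192.0.2.10 MAIL +FROM:<a@example.net> 250
2006-03-01 02:10:02 203.0.113.7 laptop.example.net 192.0.2.10 RCPT +TO:<x@example.org> 250
2006-03-01 03:00:11 198.51.100.9 Technocrat 192.0.2.10 EHLO - 250
2006-03-01 03:00:11 198.51.100.9 Technocrat 192.0.2.10 AUTH - 535
2006-03-01 03:00:12 198.51.100.9 Technocrat 192.0.2.10 AUTH - 535
2006-03-01 03:00:13 198.51.100.9 Technocrat 192.0.2.10 AUTH - 235
2006-03-01 03:00:14 198.51.100.9 Technocrat 192.0.2.10 MAIL +FROM:<b@example.net> 250
2006-03-01 03:00:14 198.51.100.9 Technocrat 192.0.2.10 RCPT +TO:<y@example.org> 250
2006-03-01 03:00:15 198.51.100.9 Technocrat 192.0.2.10 MAIL +FROM:<b@example.net> 250
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def auth_summary(records):
    """Per client IP: AUTH accepted/rejected counts, accepted MAIL FROMs, HELO names."""
    out = defaultdict(lambda: {"auth_ok": 0, "auth_fail": 0, "mail": 0, "helo": set()})
    for r in records:
        s = out[r["c-ip"]]
        s["helo"].add(r["cs-username"])
        if r["cs-method"] == "AUTH":
            s["auth_ok" if r["sc-status"] == "235" else "auth_fail"] += 1
        elif r["cs-method"] == "MAIL" and r["sc-status"] == "250":
            s["mail"] += 1
    return dict(out)

def suspicious(summary, max_fail=1, max_mail=1):
    """Client IPs that failed AUTH more than max_fail times (password guessing) or
    that authenticated and then submitted more than max_mail messages (relay abuse)."""
    return sorted(ip for ip, s in summary.items()
                  if s["auth_fail"] > max_fail or (s["auth_ok"] and s["mail"] > max_mail))
```

That log records the AUTH outcome and the client address but not the account name; the account itself can typically be recovered by matching the timestamp against logon audit events in the server's Security event log, provided logon auditing is enabled.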