    Thanks everyone for your help and advice, still haven't found the culprit internally, but half the company has Friday off, so it could have been a laptop user. I will leave the mail server NAT'd to this IP and NAT the LAN to a different one. Thanks again.
    Nope, there's no explanation I can think of other than that I've got a virus somewhere on the LAN. Thanks for highlighting that. I'll keep an eye on that stat over the weekend. Since we've now blocked port 25 from the LAN it should decrease. And at some point soon the culprit will pop up in my firewall logs. Once this is cleaned up, I'd like to NAT the mail server to its own unique external IP address, this should make troubleshooting easier, but is it considered bad form? I knew about this block because a mail was rejected by an external recipient. If a non-mail server address is spewing spam out and my ISP gets notified, but doesn't notify me then what? Do you know if this updates in real time? Should I be seeing drops in the percentage already if I've caught this or will I need to wait until this time tomorrow?
    Thanks for the advice. I've emailed the deputies and will wait for their response.
  4. One of my two outgoing mail servers was listed.

----
<tulsmtp02.willbros.com #5.0.0 X-Postfix; host sv1.westfallcomputing.com[] said: 554 5.7.1 Service unavailable; Client host [] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml? (in reply to RCPT TO command)>
----

It appears to have just delisted, but a couple of hours ago returned:

----
listed in bl.spamcop.net ( If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.
Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam less than 10 times in the past week
----

I thought I was locked down pretty tight, but I guess I'm 0 for 2. I've done a little digging around, tightened a couple of things, and I would appreciate any suggestions on where else to look. Our incoming mail goes through Vamsoft's ORF, then Trend's IMSS, before being passed to Exchange 2003. Outgoing is sent from the IMSS box. Both NAT to They sit in the DMZ and they're not doing AD lookups, so they're not checking for valid addresses. Exchange is handling the bounces for any mail that gets through. I don't allow OoO responses to Internet recipients, but I do send NDRs. The business wants them, and since almost all incoming spam gets dropped by ORF or quarantined with no response by IMSS, I felt most NDRs that went out from Exchange would be legit, so it hasn't been a hill I'm willing to die for. Should it be? If these are indeed the culprit, then I guess allowing ORF to do AD lookups would be a better solution for NDRs, but I anticipate a fight with the network security guys. I did get a bunch of reports of the "greeting card" spam being caught by our anti-virus, so some may have slipped through.

Workstations all run McAfee VirusScan 8.0, with port 25 blocked. The policy is enforced through ePO, but we've had VirusScan defeated before, and there are sometimes non-company machines on guest networks that would get NAT'd to the same IP. I don't see anything abnormal in the running firewall logs, but don't have a lot of history to look at. I'm now dumping to a syslog server. I've (just now) started blocking port 25 from the users and guests VLAN to the Internet, which will hopefully take care of any more reports. Should I have received copies of these reports in my Postmaster account? I didn't see any, but it gets a lot of crud and my delete finger is sometimes a bit too quick. Thanks for any help or advice you can offer.
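Both of the posts above that mention watching firewall logs for the culprit (the one now blocking port 25 from the LAN, and the one dumping firewall logs to a syslog server) come down to the same triage step: find every internal host that tried to open outbound TCP/25 and is not the authorised mail relay. The script below is an added example, not code from any of the posters. It assumes the firewall writes iptables-style LOG lines (SRC=, DST=, PROTO=, DPT= fields) to the syslog server, that 192.168.10.5 is the authorised outbound relay, and it runs over constructed sample log lines embedded inline; a real deployment would read the syslog file instead.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (assumption: iptables-style LOG format;
# any real firewall will differ, only the SRC/DST/PROTO/DPT fields matter).
# eth1 = users VLAN, eth2 = guest VLAN, eth0 = Internet.
SAMPLE_LOG = """\
Jul 13 22:01:04 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=203.0.113.25 PROTO=TCP SPT=3221 DPT=25 SYN
Jul 13 22:01:05 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=198.51.100.9 PROTO=TCP SPT=3222 DPT=25 SYN
Jul 13 22:01:06 fw kernel: FW-OUT: IN=eth2 OUT=eth0 SRC=192.168.50.12 DST=203.0.113.25 PROTO=TCP SPT=4410 DPT=25 SYN
Jul 13 22:01:07 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=203.0.113.40 PROTO=TCP SPT=1025 DPT=25 SYN
Jul 13 22:01:08 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=203.0.113.41 PROTO=TCP SPT=1026 DPT=25 SYN
Jul 13 22:01:09 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=203.0.113.42 PROTO=TCP SPT=1027 DPT=25 SYN
Jul 13 22:01:10 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=203.0.113.43 PROTO=TCP SPT=1028 DPT=80 SYN
Jul 13 22:01:11 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.10.9 DST=198.51.100.20 PROTO=UDP SPT=5353 DPT=25
"""

# Assumed address of the only host that is allowed to send SMTP outbound.
MAIL_SERVERS = {"192.168.10.5"}

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Extract SRC/DST/PROTO/DPT from one log line; None if any field is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return fields


def find_rogue_smtp_senders(log_text, mail_servers=MAIL_SERVERS):
    """Count outbound TCP/25 attempts per internal source, excluding known relays.

    Returns {src: {"attempts": n, "distinct_dst": m}} with the noisiest host
    first. A workstation fanning out to many distinct MX hosts is the classic
    signature of a spam bot; the legitimate relay is filtered out up front.
    """
    attempts = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f["PROTO"] != "TCP" or f["DPT"] != "25":
            continue  # only real SMTP connection attempts count
        if f["SRC"] in mail_servers:
            continue  # the authorised relay is expected to do this
        attempts[f["SRC"]] += 1
        destinations[f["SRC"]].add(f["DST"])
    return {
        src: {"attempts": n, "distinct_dst": len(destinations[src])}
        for src, n in attempts.most_common()
    }


if __name__ == "__main__":
    for src, stats in find_rogue_smtp_senders(SAMPLE_LOG).items():
        print(f"{src:16} attempts={stats['attempts']} distinct_dst={stats['distinct_dst']}")
```

On the sample, the users-VLAN host 192.168.10.77 surfaces first (three TCP/25 attempts to three different destinations), and the guest-VLAN host 192.168.50.12 shows a single attempt; the relay's own traffic, the port-80 line and the UDP line are ignored. Once the port-25 block from the user and guest VLANs is in place, the same log lines become drop entries, so the script doubles as a check that the block is actually being hit.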