If you have relay access control properly configured, only authenticated users should be able to relay mail through your server. If you are still seeing messages being relayed, then it’s possible a user account has been compromised. This will allow you to see which users are relaying mail so you know which account has been compromised.
Set Transport Logging to Maximum. This way the SMTP service will log a 1708 Information event which tells you which user account authenticated and which login method they used. You can use the Event Viewer to view these event log entries, filter for event ID 1708 in the Application Log.
- Start Exchange System Manager.
- Expand Servers, right-click Your_ Server_Name, and then click Properties.
- Click the Diagnostics Logging tab, and then click MSExchangeTransport under Services.
- Under Categories, click the Authentication category.
- Under Logging Level, set the level to Maximum
Now the next time somebody tries to relay mail through your server, an event 1708 will be written to the Application log. The event will contain the username that was used to authenticate.
Exchange Server 2003