You receive alerts that a virus or a spam message or mass mailer originated from an IP address that is under your control. You need to know what to do about the problem.  Your organization may be on a blacklist.

Take the following actions to determine whether the problem originated from your organization:

• Verify that the computer from which the offended email originated is free of viruses.
• Verify that the original message did come from an IP address that is under you control.
  For tips to make this determination, see the References section of this page.
• Make sure that your Exchange server does not function as an open relay.
• Determine whether your firewall administrator has any logs that include the unauthorized outbound connection on port 25.
• Restrict outbound SMTP traffic such that only certain machines are allowed to send email out of your environment. The best location to make this restriction would be at a perimeter firewall or switch that all outbound port 25 traffic would pass through. Configure its settings so that only your mail server, SMTP gateway, or mission critical servers that need to SMTP data outbound may do so.
  
   

References
For instructions on how to determine the origin of an email message, see the following Frequently Asked Questions (FAQ) page:

• FAQ: Spoof email

To determine whether your Exchange server is an open relay, read the following Microsoft articles:

• How To Examine Relay Restrictions for Anonymous SMTP Connections and Filter Unsolicited E-mail Messages in Exchange 2000 Server (MSKB313395)
• How to block open SMTP relaying and clean up Exchange Server SMTP queues in Windows Small Business Server (MSKB324958)

Your Windows Help files also contain information to help you enable SMTP logs so that you can track SMTP commands that your SMTP virtual server receives. You can enable these logs to help identify the sources of the messages.