Hi,
I am looking at turning on diagnostic logging in the registry to look for compromised accounts, as I have an internal issue with spam being sent outbound from an internal Exchange server.
In Exchange 2003, completing the following steps allowed me to see what account(s) were sending the spam:
1. On the Exchange Server go to Regedit
a. Find the following Registry Key: HKEY_Local_Machine>System>CurrentControlSet>Services>MSExchangeTransport>Diagnostics
b. Turn on diagnostic logging. Change the value to 7 on the following keys:
Routing Engine
Categorizer
Connection Manager
Queuing Engine
Exchange Store Driver
SMTP Protocol
NTFS Store Driver
NDR
Authentication
No server restart needed
2. Go to Eventvwr>Application
a. Filter for EventID 1708 MSExchangeTransport
b. See the message below; it shows that the admin account has been compromised
Is there an alternative method in Exchange 2010?
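
The Exchange 2003 steps described in the post above, scripted in PowerShell as an added example that is not part of the original post. It uses the registry key, value names and event ID exactly as the post lists them; the function names and the backup file path are assumptions, and the saved levels let you return the level 7 logging to its earlier settings once the sending account has been identified.

```powershell
# Added example, not from the original post. Run elevated on the Exchange 2003 server.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Diagnostics'

# Value names exactly as listed in the post.
$categories = 'Routing Engine', 'Categorizer', 'Connection Manager', 'Queuing Engine',
              'Exchange Store Driver', 'SMTP Protocol', 'NTFS Store Driver', 'NDR',
              'Authentication'

# Assumed location for the saved levels (not from the post).
$backupFile = Join-Path $env:TEMP 'MSExchangeTransport-Diagnostics-before.csv'

# Record the current level of each category before changing anything.
function Save-DiagnosticLevels {
    $rows = foreach ($name in $categories) {
        $item  = Get-ItemProperty -Path $diagKey -Name $name -ErrorAction SilentlyContinue
        $level = $null
        if ($item) { $level = $item.$name }
        New-Object PSObject -Property @{ Name = $name; Level = $level }
    }
    $rows | Export-Csv -Path $backupFile -NoTypeInformation
}

# Step 1b: set every listed category to the same level (7 in the post).
function Set-DiagnosticLevels([int]$Level) {
    foreach ($name in $categories) {
        Set-ItemProperty -Path $diagKey -Name $name -Value $Level -Type DWord
    }
}

# Put back the recorded levels; values that did not exist before are left alone.
function Restore-DiagnosticLevels {
    foreach ($row in Import-Csv -Path $backupFile) {
        if ($row.Level -ne '') {
            Set-ItemProperty -Path $diagKey -Name $row.Name -Value ([int]$row.Level) -Type DWord
        }
    }
}

# Step 2: Application log entries from MSExchangeTransport with Event ID 1708.
function Get-Event1708 {
    Get-EventLog -LogName Application -Source MSExchangeTransport |
        Where-Object { $_.EventID -eq 1708 } |
        Select-Object TimeGenerated, EntryType, Message
}

Save-DiagnosticLevels
Set-DiagnosticLevels 7          # no server restart needed, per the post
Get-Event1708 | Format-List     # run again after more mail has flowed
# Restore-DiagnosticLevels      # uncomment when the investigation is finished
```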