Our server has recently started sending out spam. It is not an open relay, but a spammer has guessed the username and password for one of our user accounts. I know this because I saw thousands of "audit success" events for this user in the event logs. I have since changed the password on this account and the spam has stopped (and now I'm getting thousands of "audit failure" events for that same user).
The outgoing spam has stopped for now, but I need to address the REAL problem, which is that any authenticated user can send email FROM any EXTERNAL address. In fact, the user account used by the spammer to authenticate wasn't even a mail-enabled account!
This seems like a pretty serious breach of security with a seemingly simple solution: only allow the server to send emails with addresses from our domain. But I've searched everywhere and can't seem to find a setting to prevent authenticated relay FROM external addresses by an authenticated user.
Please help!
Darren