Exchange 2007 - How to disconnect active users
We have an issue here where several users replied to a spammer's email asking for their passwords. (I know, it really wasn't even that good of an email.) A few of these accounts are sending out spam, and we have been changing passwords and blocking IP addresses, but we don't see a way to knock off the active connection that the spammers have to Exchange 2007. I recall a way to do this in 2003, but I can't seem to find it now. Is it possible to disconnect them? Suggestions very welcome. Thanks!!!!
February 1st, 2011 9:03am

Are you using Edge servers, or is the Hub server directly connected to the Internet? Regards, Matjaz
February 1st, 2011 9:24am

We are using HUB, and that goes to Proofpoint. Our CAS servers are on the net.
February 1st, 2011 9:25am

Killing their connections will only force them to create new connections. Why are your transport servers allowing relay from an external IP? Just restart the transport service, that will kill any current connections.
Casper Pieterse, Principal Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007 / 2010
February 1st, 2011 9:27am

It's not a relay, they actually have the users' passwords. We see the connections from Nigeria, and we change the passwords on the account, but the spammers still have a connection and send mail. We have been disconnecting the mailboxes currently, and that seems to work. We thought about restarting the Transport, but that will kill all connections, legitimate or not. Not an option for us.
February 1st, 2011 9:37am

Sorry, but I still do not understand your mail flow architecture. Proofpoint is accepting e-mails from the Internet? Where or how do you see there are connections from Nigeria? Regards, Matjaz
February 1st, 2011 3:26pm

Well, it is a relay, it's just authenticated ;). Why do you allow that? Is there a business requirement for authenticated relay? And after you restart the Transport service, the legitimate connections will reconnect.
February 1st, 2011 3:56pm

Change the users' passwords, then restart IIS, as it is probably coming in through OWA. That will break the connection. You can also restart Exchange Transport. Without changing the users' passwords, everything you do is a waste of time. Simon.
Simon Butler, Exchange MVP
February 1st, 2011 4:44pm

This topic is archived. No further replies will be accepted.
