Community Discussions and Support
MercuryS. Which username used for Authentication?

Your session log should show something like:

[quote]

FOR CRAM-MD5

13:48:28.243: >> EHLO [192.168.0.3]<cr><lf>
13:48:28.246: << 250-mail.mydomain Hello [192.168.0.3]; ESMTPs are:<cr><lf>250-TIME<cr><lf>
13:48:28.249: << 250-AUTH CRAM-MD5 LOGIN<cr><lf>
13:48:28.251: << 250-AUTH=LOGIN<cr><lf>
13:48:28.253: << 250 HELP<cr><lf>
13:48:28.265: >> AUTH CRAM-MD5<cr><lf>
13:48:28.268: << 334 -munged challenge hash-<cr><lf>
13:48:28.282: >> -munged response hash-<cr><lf>      << Base64 decode this line to get the username + morehash
13:48:28.282: << 235 Authentication successful.<cr><lf>
13:48:28.295: >> MAIL FROM:<user@mydomain><cr><lf>


FOR AUTH=LOGIN

14:08:19.268: >> AUTH LOGIN<cr><lf>
14:08:19.275: << 334 VXNlcm5hbWU6<cr><lf>
14:08:19.369: >> -munged base64 username<cr><lf>
14:08:19.369: << 334 UGFzc3dvcmQ6<cr><lf>
14:08:20.461: >> munged base64 password<cr><lf>
14:08:20.461: << 235 Authentication successful.<cr><lf>

 [/quote]

If you get no AUTH lines in your session log, then Thomas is right, and you are a (partially) open relay  [:O]
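The "Base64 decode this line" hint above, worked through as an added example (this is not code from the original thread or from Mercury): a small Python parser that walks a session log in the format quoted above, pulls the username out of the CRAM-MD5 response (per RFC 2195 it is base64 of "username SP hex-digest") and out of the AUTH LOGIN username line, and records which attempts the server accepted with 235. The log lines are constructed; the password token is left undecoded on purpose.

```python
import base64
import binascii
import re

# Constructed sample in the style of the MercuryS session log quoted above; the
# usernames are made up and the challenge/password tokens are munged as on the page.
SAMPLE_LOG = "\n".join([
    "13:48:28.265: >> AUTH CRAM-MD5<cr><lf>",
    "13:48:28.268: << 334 -munged challenge-<cr><lf>",
    "13:48:28.282: >> " + base64.b64encode(b"alice 3dbc88f0624776a737b0ac51fb7fb4c6").decode() + "<cr><lf>",
    "13:48:28.282: << 235 Authentication successful.<cr><lf>",
    "14:08:19.268: >> AUTH LOGIN<cr><lf>",
    "14:08:19.275: << 334 VXNlcm5hbWU6<cr><lf>",  # "Username:"
    "14:08:19.369: >> Ym9i<cr><lf>",  # "bob"
    "14:08:19.369: << 334 UGFzc3dvcmQ6<cr><lf>",  # "Password:"
    "14:08:20.461: >> -munged base64 password-<cr><lf>",
    "14:08:20.461: << 535 Authentication failed.<cr><lf>",
])
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+): (>>|<<) (.*?)(?:<cr><lf>)?\s*$")

def decode_token(text):
    """Base64-decode one client token; None when it is not valid base64 (e.g. munged)."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def cram_md5_username(response):
    """A CRAM-MD5 response is base64('<username> <hex digest>'); keep only the username."""
    decoded = decode_token(response)
    return decoded.rsplit(" ", 1)[0] if decoded and " " in decoded else None

def parse_auth_events(log_text):
    """One record per AUTH attempt: time, mechanism, username, and whether the server accepted it."""
    events, current, state = [], None, None
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, direction, text = m.groups()
        if direction == ">>" and text.upper().startswith("AUTH "):
            mech = text.upper().split()[1] if len(text.split()) > 1 else "?"
            current = {"time": ts, "mechanism": mech, "username": None, "result": None}
            state = {"CRAM-MD5": "cram", "LOGIN": "user"}.get(mech, "result")
        elif direction == ">>" and state == "cram":
            current["username"], state = cram_md5_username(text), "result"
        elif direction == ">>" and state == "user":
            current["username"], state = decode_token(text), "result"  # password line is skipped
        elif direction == "<<" and state == "result" and text[:3] in ("235", "535", "501", "454"):
            current["result"] = "ok" if text.startswith("235") else "failed"
            events.append(current)
            current, state = None, None
    return events
```

Run it over a real session log and every record with result "ok" names the account whose credentials the relaying client presented.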


Hi,

Under my MercuryS Connection Control, I checked:

- Authenticated SMTP connections may relay mail
- Only Authenticated SMTP connections may relay mail.

So, every user needs to have a correct username/password pair before being able to relay mail.

I have been using this setting for 2 years. Recently I noticed something strange.

My MercuryS accepted relaying from an unknown IP address sending junk to multiple email addresses.
- the From address is admin@mydomain.com
- the To addresses consist of multiple unknown email addresses.
- the connecting IP address is different every time.

My guess is that one of my client notebooks connecting to my server is infected with a virus or something.
Is there a way to find out which username/password was used for authentication since MercuryS allowed it to relay?
So I can quickly identify the culprit user, and I don't think it is admin@mydomain.com.


A MercuryS session log should tell you.

Could be any user/pass combo in your smtp auth file.

Maybe a brute force / dictionary attack has succeeded, and the info has been passed to the bots. [8o|]

FWIW I have some transflt.mer rules that reject (and blacklist) any attempts to send mail from admin@mydomain, postmaster or any other local-only (or static IP) addresses. The local & static ranges/IPs are exempted from trans filtering.

[quote]

M, "*admin@mydomain*", BS, "554 Fraudulent MAIL FROM"

[/quote]


[quote user="kb1811"]

Hi,

Under my MercuryS Connection Control, I checked:

- Authenticated SMTP connections may relay mail
- Only Authenticated SMTP connections may relay mail.

So, every user needs to have a correct username/password pair before being able to relay mail.

I have been using this setting for 2 years. Recently I noticed something strange.

My MercuryS accepted relaying from an unknown IP address sending junk to multiple email addresses.
- the From address is admin@mydomain.com
- the To addresses consist of multiple unknown email addresses.
- the connecting IP address is different every time.

My guess is that one of my client notebooks connecting to my server is infected with a virus or something.
Is there a way to find out which username/password was used for authentication since MercuryS allowed it to relay?
So I can quickly identify the culprit user, and I don't think it is admin@mydomain.com.

[/quote]

This almost looks like relaying is either not turned off or strict is not set. Verify that the top two options about strict and relay are in fact checked and not just greyed out.



Dil, session logging does not show which user/pass was used. I will try the trans filter.

Thomas, strange but worth a try.

Thanks.
