Hi,

Our server has been compromised by an outside session using an internal name/password, and our E2K server queues keep on filling up. I have had up to 400 queues created overnight, and some of the queues can have well over 600 messages each waiting to be sent (I have frozen most of my queues as a precaution). These relays are being set up after we are closed.

I am curious to see if anyone can answer the question of who would have the rights to create a remote session to relay. Does it have to be an admin account, or can it be a standard user? I have eliminated the firewall by placing it on the restrictions for the SMTP, and have unchecked the allow all to relay. So I am stumped as to how they are still able to set up the relaying.

My next plan is a forced network-wide password change; after that... I have to come up with a "Plan C". I am having the problem of trying to convince the powers that be that all user accounts need to have their passwords changed in order to eliminate this hack. I am also recommending that our Domain Admin accounts be made into guest accounts and new Domain Admin accounts be created.

Does anyone have any other suggestions and/or reading that I could do? So far I have found very little on this type of attack.

Thanks for your help!

Ken