We use a external Spam appliance (Mailfoundry) to filter in and outbound mail.

Outbound I have the SMTP service set to send all remote mail to gateway and mail is flowing as expected.

Our firewall is set to block all outbound STMP connections except between the mail server and the SPAM appliance.

I was reviewing the realtime log on the firewall and noticed several blocked SMTP connections from the mail server to different IP's. Strange as the remote mail is set to go to the gateway on the SMTP service.

 I logged into the mail server and ran TCPView and notice many connections from SMTPD32.exe. most where to the SPAM appliance as expected, but a few from SMTPD32.exe where to many different IP's, changing fairly often, I believe the TCPview message on each of them was SYNC_SENT the status didn't change I would suspect because the firewall was blocking them. 

It appears something is sending some mail through SMTPD32.exe and somehow having SMTPD32.exe ignor the send through gateway option. I checked the logs for a few of the IP's in the rogue connections and they weren't found.

Any ideas or solutions please let me know. Hopefully I just missed something, but I'm thinking something has hacked the SMTPD32.exe service

Thanks

Malcom