AgregIT asked:
Exchange SMTP queue keeps adding spam messages
Hello Experts,
I have an issue I hope someone can help me with. I have a client who has Windows 2003 SBS utilizing Exchange. The SMTP queue keeps adding 10000 to 20000 messages per minute. I have checked the Firewall, verified it is not configured as a relay, checked for Viruses and spyware. Last night I looked into the issue remotely. I had all computers in the building powered off and the queues still kept piling up. Next, I disabled all AD account except the domain admin account. That password was changed to a highly secure password. Same results. Please help and thanks in advance.
ASKER
Thanks for the info. I did a relay check at http://www.mailradar.com/openrelay/ and most of the relay tests failed. Not sure how that is. I checked Event Viewer and did not see event ID 1708 in any category. Also, relay is not enabled. I initially thought virus and shut down every other computer in the building. Queues still kept building.
ASKER
I found what was causing my server to show as a relay. I unchecked 'all except the list below' and now the relay tests pass. Queues are still filling, but the submission dates show as yesterday and the day before. I'm going to bring SMTP down after hours and run another set of virus and spyware scans to verify the machine is clean.
Yes also follow the tip to reduce your queues into 1 queue so you can mass delete the messages. Then create new SMTP connector and hopefully all good.
Hope you get this resolved and hope my advice helped you find the cause.
ASKER
The queues are still filling...not nearly as fast as before.
Have you re-checked for 1708 events.
Are you sure ALL pc's have passwords and are fully virus free?
ASKER
I have not checked all of the PC's but they were all powered off last night while testing. I'm going to run scans on all of the computers, then power them off, and then verify the Server is clean. I'm going to then stop SMTP and clear the queues using Aqadmcli.exe. And then keep my fingers crossed....
I still had queues building when all pc's were off which was odd.
I used Trend Micro for antivirus.
I worked on the issue for 2 days, then Trend released a patch which picked up some viruses on a PC.
Def have all PC's on and check the 1708 event id. This is the key to isolating the issue, trust me.
I presume you have taken all steps to stop the server acting as a relay, etc.
ASKER
Yes... used SMTP tools from mxtoolbox and http://www.mailradar.com/openrelay/... all passed.
Thanks for the info. I will certainly do that this evening.
I use Nod32 and Malwarebytes.
OK. Good luck. I do sympathise. It can be a nightmare.
Carefully read all the advice in my posts and links, and fingers crossed for you.
ASKER
thanks
ASKER
Saga continues. All machines were thoroughly scanned and cleaned. No viruses on the network. During testing, all PCs were powered off. Found some interesting info in Exchange tracking and the Event Viewer. The Exchange tracking log shows thousands of emails sent coming from sender test@itsv.cn. The client IP is 72.54.xxx.xxx with the partner name being the server name. So I set up a sender and connection filter globally and applied it to the virtual SMTP server. Set it up to block incoming and outgoing mail to the IP listed above, and to block email being sent from the @itsv.cn address. I restarted the SMTP service... emails still building in the queue. I cleared the queue this morning and there were around 20000 messages over about a 6 hour period. There are some postmaster failures (even though sending NDR messages has been disabled), but 95% are coming from the @itsv.cn address to random email addresses. I even went a step further and had my ISP block all incoming traffic from the 72.54.xxx.xxx address.
Any ideas?
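The tracking-log review described in the post above (group submissions by sender address and client IP, and look at how fast one sender is pushing messages into the queue) can be scripted. The example below is added here and is not code from the thread or from Exchange; the sample records are constructed, the column names are assumed to match the "#Fields:" header that the parser reads, and the sender and masked client IP simply mirror the values quoted in the thread.

```python
from collections import Counter

# Constructed sample, not real log data: a few records in the tab-separated,
# "#Fields:"-headed layout of an Exchange 2003 message tracking log. The column
# names are assumed for this example; the parser uses whatever "#Fields:" declares.
# The client IP is kept masked exactly as the thread quotes it.
_HEADER = "#Fields: date\ttime\tclient-ip\tpartner-name\trecipient-address\tevent-id\tsender-address"
_ROWS = [
    ("2012-08-01", "08:00:01", "72.54.xxx.xxx", "MAILSRV", "a@example.org", "1019", "test@itsv.cn"),
    ("2012-08-01", "08:00:02", "72.54.xxx.xxx", "MAILSRV", "b@example.net", "1019", "test@itsv.cn"),
    ("2012-08-01", "08:00:02", "72.54.xxx.xxx", "MAILSRV", "c@example.com", "1019", "test@itsv.cn"),
    ("2012-08-01", "08:00:03", "72.54.xxx.xxx", "MAILSRV", "d@example.org", "1019", "TEST@itsv.cn"),
    ("2012-08-01", "08:01:10", "72.54.xxx.xxx", "MAILSRV", "e@example.net", "1019", "test@itsv.cn"),
    ("2012-08-01", "08:01:11", "72.54.xxx.xxx", "MAILSRV", "f@example.com", "1019", "test@itsv.cn"),
    ("2012-08-01", "08:00:40", "192.168.1.20", "OFFICE1", "g@example.org", "1019", "tsmith@domain.local"),
    ("2012-08-01", "08:02:00", "192.168.1.5", "MAILSRV", "test@itsv.cn", "1019", "postmaster@domain.local"),
]
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Exchange Server", _HEADER]
    + ["\t".join(row) for row in _ROWS]
    + ["this line is deliberately malformed"]
)


def parse_tracking_log(text):
    """Parse the log into dicts keyed by the column names in the #Fields: header.
    Rows whose column count does not match the header are skipped, not guessed."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def top_submitters(records, threshold):
    """(sender, client-ip, count) for every pair at or above threshold, busiest first.
    Sender addresses are lower-cased so case variants collapse into one bucket."""
    counts = Counter((r["sender-address"].lower(), r["client-ip"]) for r in records)
    return [(s, ip, n) for (s, ip), n in counts.most_common() if n >= threshold]


def peak_per_minute(records):
    """Highest number of submissions any single sender produced within one minute."""
    per_minute = Counter(
        (r["sender-address"].lower(), r["date"], r["time"][:5]) for r in records
    )
    peak = {}
    for (sender, _day, _minute), n in per_minute.items():
        peak[sender] = max(peak.get(sender, 0), n)
    return peak


if __name__ == "__main__":
    recs = parse_tracking_log(SAMPLE_LOG)
    for sender, ip, n in top_submitters(recs, threshold=5):
        print(f"{n:6d}  {sender:<24} from {ip}")
    print(peak_per_minute(recs))
```

Against a real log, replace SAMPLE_LOG with the file contents; the threshold is whatever separates normal user traffic from the burst you are chasing, and the per-minute peak gives the rate the thread talks about (messages per minute) per sender rather than for the queue as a whole.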
Have you scanned the exchange server?
Do you have a spam filter in place on the server or 3rd party host?
I still think there is a rogue PC on the network or virus on exchange server.
May be a case of changing ALL Pc and server passwords.
What antivirus do you have on your server?
I presume it's all patched, etc.?
ASKER
All patched - yes
Windows 2003 SBS with Exchange - We have an external Spam filter host.
Server was scanned last night. Using Nod32 In Depth scan and Malwarebytes full scan
Hmmm. Have you spoken to your external spam host to check all is OK at their end?
I still think rogue PC on network has kicked it off.
ASKER
That's what I thought as well. All computers were cleaned and then shut down before the server was cleaned. I then shut down Exchange and cleaned the server... Rebooted and the queue started climbing as soon as I enabled Exchange again.
At this point I may request a public IP address change from my ISP.
Strange that you get no 1708 events on the Exchange server though. Are you sure about this when you look at the history? Arrange the list by Event ID and check.
I was using Trend Micro and Malwarebytes on my system. All reported non-infected or virus was cleaned and quarantined. And the 1708 ID led me to a specific PC.
Once I changed the password on that PC and rebuilt it, then cleared out all Exchange queues and changed the filter etc., it was fine.
PS: have you enabled full logging on Exchange to show 1708 IDs?
ASKER
I have... no 1708 entries, only 1019 and 1025.
None at all?
Set Transport Logging to Minimum. This way the SMTP service will log a 1708 Information event which tells you which client computer authenticated, which login method they used, and which user account was used. You can use the Event Viewer to view these event log entries, filter for event ID 1708 in the Application Log.
Enable Local Policies / Audit policy / Audit account logon events in the Global Policy and you will see which users have authenticated successfully. This information can be viewed in the Windows Event Log (Security log). This log will include other authorization events, so check only those events where the mail send times coincide with the successful account logons
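The second half of the advice above (the Security log will contain plenty of unrelated logon events, so keep only the ones whose timing lines up with the mail submissions) is a time-window correlation that is easy to get wrong by hand at 20000 messages an hour. The example below is added here and is not code from the thread or from Windows; the logon and submission events are constructed, the account names, workstations and times are invented, and the three-second window is an assumption to tune against real data.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed samples, not real events. A successful account logon from the
# Security log is reduced to (time, account, workstation); a submission is the
# time a message entered the SMTP queue according to the tracking log.
LOGONS = [
    ("2012-08-01 08:00:00", "tsmith", "OFFICE1"),
    ("2012-08-01 08:00:03", "jdoe", "OFFICE4"),
    ("2012-08-01 08:00:09", "jdoe", "OFFICE4"),
    ("2012-08-01 08:30:00", "tsmith", "OFFICE1"),
]
SUBMISSIONS = [
    "2012-08-01 08:00:04",
    "2012-08-01 08:00:05",
    "2012-08-01 08:00:10",
    "2012-08-01 08:00:11",
    "2012-08-01 08:45:00",
]


def correlate(logons, submissions, window=timedelta(seconds=3)):
    """Attribute each submission to every logon that occurred within `window`
    before it. Returns Counter[(account, workstation)] -> attributed submissions.
    Logons with no nearby submission never appear, which is how the unrelated
    authorization noise in the Security log drops out."""
    parsed = [(datetime.strptime(t, FMT), acct, ws) for t, acct, ws in logons]
    hits = Counter()
    for s in submissions:
        st = datetime.strptime(s, FMT)
        for lt, acct, ws in parsed:
            if lt <= st <= lt + window:
                hits[(acct, ws)] += 1
    return hits


def unattributed(logons, submissions, window=timedelta(seconds=3)):
    """Submissions that no logon explains. Worth looking at separately: they
    may have come in without authenticating at all."""
    parsed = [datetime.strptime(t, FMT) for t, _acct, _ws in logons]
    return [
        s for s in submissions
        if not any(lt <= datetime.strptime(s, FMT) <= lt + window for lt in parsed)
    ]


if __name__ == "__main__":
    for (acct, ws), n in correlate(LOGONS, SUBMISSIONS).most_common():
        print(f"{n:4d} submissions within 3s of a logon by {acct} from {ws}")
    print("unexplained:", unattributed(LOGONS, SUBMISSIONS))
```

With SMTP authentication on, the account at the top of the ranking is the one to reset and the workstation is the one to pull off the network; the unexplained list is the check in the other direction, since a flood with no matching logons at all points away from a stolen user password.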
ASKER
I filtered the application log in the event viewer and there are no Event 1708 entries.
Do you know which entries to check for users that have authenticated? I was running net sessions to see which users were in the office and I saw 2 strange entries that went away after 10 seconds. One account was servername$ (with server name being the server node name) and the other showed Office4$. Did not show an actual username we have in the office. All other sessions show the user's username... an example entry would show the computer IP address, the user tsmith and idle time.
Have you:
Set Transport Logging to Minimum. This way the SMTP service will log a 1708 Information event
ASKER
I checked the Event Viewer and noticed 30000 events like the one below. They seem to be coming in every 4 seconds or so.
Checking the transport logging now
Service Ticket Request:
User Name: Servername@domain.local
User Domain: domain.LOCAL
Service Name: krbtgt
Service ID: domain\krbtgt
Ticket Options: 0x60810010
Ticket Encryption Type: 0x17
Client Address: 127.0.0.1
Failure Code: -
Logon GUID: {111bab6c-1c6a-17fd-2232-acc9a6ac5bd5}
Transited Services: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
ASKER
Set Transport Logging to Minimum for SMTP
OK, good. That way you should see the 1708 events begin to be listed after a while.
Hopefully this will show you which PC/user is repeatedly authenticating with Exchange.
Fingers crossed it gives some clues.
ASKER
good deal
ASKER
Tons of mail coming through... no 1708s coming across.
OK, give it time maybe.
Also the Service Ticket Request you showed before lists 127.0.0.1 which will be the server itself. Not sure if that is an issue.
Should the server be authenticating constantly?
ASKER
Not that often... a rate of every 4 to 10 seconds.
Do you use Malwarebytes Professional on the server?
ASKER
Yes. The first thing I did was verify the server was not set as a relay. I've done two tests from two different sites to verify.
First step, open a telnet session to the exchange server on port 25. (Download putty, enter the IP address, select telnet, change port to 25, then connect)
Next, enter these commands:
helo bogus.com
mail from:<bogus@foo.bar.com>
rcpt to:<morebogus@morebogus.foo.bar.com>
data
subject: This is a bogus message
Still bogus.
.
Does it accept the message?
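The manual telnet test above can be run as a script and, because the answer is already known at the RCPT TO step, it does not need to send DATA at all: a 250 to a foreign recipient from a foreign sender is the relay symptom. The example below is added here and is not code from the thread; it uses the same bogus addresses the post does, and bundles a small in-process fake SMTP server (assumed, with example.local as its one local domain) so the check can be exercised offline in both the open-relay and relay-denied cases.

```python
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = "example.local"  # constructed: the only domain the fake server accepts mail for


class _FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder for the test. Whether RCPT TO for a foreign domain
    is accepted depends on server.open_relay, so both outcomes can be exercised."""

    def handle(self):
        self.wfile.write(b"220 fake.example.local SMTP ready\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 fake.example.local\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Sender OK\r\n")
            elif verb == "RCPT" and ":" in cmd:
                rcpt = cmd.split(":", 1)[1].strip().strip("<>")
                domain = rcpt.rsplit("@", 1)[-1].lower()
                if domain == LOCAL_DOMAIN or self.server.open_relay:
                    self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
                else:
                    self.wfile.write(b"550 5.7.1 Unable to relay\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


class _FakeSmtpServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), _FakeSmtpHandler)  # port 0: pick a free port
        self.open_relay = open_relay


def check_relay(host, port, timeout=5.0):
    """True if the server accepts a recipient outside its own domains for an
    outside sender, i.e. behaves as an open relay. Stops at RCPT TO, so nothing
    is ever queued even when the server would have taken the message."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo("bogus.com")
        code, _ = smtp.mail("bogus@foo.bar.com")
        if code != 250:
            return False
        code, _ = smtp.rcpt("morebogus@morebogus.foo.bar.com")
        return code == 250


def run_demo(open_relay):
    """Start the fake server in a thread, run the check against it, tear it down."""
    server = _FakeSmtpServer(open_relay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_relay(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("open relay  :", run_demo(open_relay=True))
    print("relay denied:", run_demo(open_relay=False))
```

Against a real server, call check_relay with its public address from outside the network, which is what the external relay testers in the thread do; a result of True is the "all except the list below" misconfiguration the asker found, while False only rules out anonymous relaying and says nothing about mail submitted with a valid account.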
I had the same issue and the virus definition was not released until 3 days after the issue happened. All PCs I scanned seemed clean.
Check in Event Log for ID 1708. This should tell you which user the spams are being sent from. Then go to that PC and change password and either disinfect or rebuild.
See my previous post:
https://www.experts-exchange.com/questions/27818501/Spam-Exchange-2007.html