RayBunch
asked on
It started with an "SMTP Server Remote Queue Length Alert" on my Exchange Server 2003
To begin with, I am administrating a Small Business Server 2003 which is running Exchange Server 2003.
NOTE: Since my machine\domain names probably won't mean anything to you, I am going to call my SBS server <MyExchangeServer>, which is my Small Business Server 2003 (which is running Server 2003, ISA Server 2000, SQL Server 2000, and Exchange Server 2003), and my domain will simply be <mydomain>.com.
It started with me receiving an email titled: "SMTP Server Remote Queue Length Alert on <MyExchangeServer>"
With this as the body:
<begin>
A large number of messages are pending in the e-mail server send queue.
Verify that you have Internet connectivity. If you can view Web sites normally, contact your Internet service provider (ISP) to determine if there is a problem with their e-mail server.
You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.
<end>
From here I go to my server and open "Microsoft Exchange->System Manager" and go to "Servers-><MyExchangeServer>->Queues". In here I find about 70-80 'SmallBusiness SMTP Connectors' with messages pending. Weird. So I open one up to discover that the email it is trying to send is from 'postmaster@<mydomain>.com'. I definitely didn't send this. I have closed down open relaying for my server as per the Microsoft Knowledge Base Article - 324958, so this isn't an open relay problem, at least according to Microsoft's Knowledge Base.
To make this even more bothersome, I ran a Server Usage Report and it reported that in the last two weeks my administrator account had sent out 19,415 emails (116.7 MBs worth). I definitely didn't do this. I am assuming that someone is using my Exchange Server to send spam somehow.
Is there any way to configure my Exchange server to block this? Or is this something that I should configure my firewall to block (it's an ISA Server 2000)?
Any help on resolving this would be appreciated. Among my IT Admin friends most don't have a clue how to fix this, and a few are having this problem themselves.
Make sure that your antivirus software is not scanning the exchange directories.
Check to see if the server is being authenticated against. There have been quite a few instances where spammers check for weak passwords and use these accounts to authenticate against SMTP. Once they successfully authenticate, they can send to whomever they please. Turn up SMTP Protocol Logging on the server to Maximum. Look for event 1708. This event will identify the account being used to authenticate. Note that remote users who use POP3 clients will also show 1708 when they authenticate to send.
Change the administrator password
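The check suggested above (which account is authenticating, and from where) can be done from the SMTP protocol log once logging is turned up. This added example, which is not code from the thread, parses a W3C-extended-format protocol log of the kind the IIS SMTP service writes and summarises authenticated sessions per account; the log lines are constructed, and the thresholds in `suspicious_accounts` are assumptions to tune per site.

```python
"""Summarise authenticated SMTP sessions from a W3C extended log so the
account named by event 1708 can be compared against how many client IPs
it authenticates from. SAMPLE_LOG is constructed, not a real capture."""
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2005-03-01 09:00:01 192.0.2.10 - EHLO +mail.example.net 250
2005-03-01 09:00:02 192.0.2.10 MYDOMAIN\\jsmith AUTH LOGIN 235
2005-03-01 09:00:03 192.0.2.10 MYDOMAIN\\jsmith MAIL +FROM:<jsmith@mydomain.com> 250
2005-03-01 09:00:04 192.0.2.10 MYDOMAIN\\jsmith RCPT +TO:<a@example.org> 250
2005-03-01 09:05:00 198.51.100.7 MYDOMAIN\\administrator AUTH LOGIN 235
2005-03-01 09:05:01 198.51.100.7 MYDOMAIN\\administrator MAIL +FROM:<x@y.example> 250
2005-03-01 09:05:02 198.51.100.7 MYDOMAIN\\administrator RCPT +TO:<v1@example.com> 250
2005-03-01 09:05:03 198.51.100.7 MYDOMAIN\\administrator RCPT +TO:<v2@example.com> 250
2005-03-01 09:06:00 203.0.113.44 MYDOMAIN\\administrator AUTH LOGIN 235
2005-03-01 09:06:01 203.0.113.44 MYDOMAIN\\administrator MAIL +FROM:<x@y.example> 250
2005-03-01 09:06:02 203.0.113.44 MYDOMAIN\\administrator RCPT +TO:<v3@example.com> 250
"""

def parse_w3c(text):
    """Yield one dict per log line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def authenticated_senders(text):
    """Per authenticated account: distinct client IPs, MAIL and RCPT counts."""
    stats = defaultdict(lambda: {"ips": set(), "mail": 0, "rcpt": 0})
    for rec in parse_w3c(text):
        user = rec.get("cs-username", "-")
        if user == "-":
            continue  # anonymous session: no account to attribute
        s = stats[user]
        s["ips"].add(rec["c-ip"])
        if rec["cs-method"] == "MAIL":
            s["mail"] += 1
        elif rec["cs-method"] == "RCPT":
            s["rcpt"] += 1
    return dict(stats)

def suspicious_accounts(text, max_ips=1, max_rcpt=1):
    """Accounts authenticating from more IPs, or to more recipients, than a
    single POP3/Outlook Express user would plausibly produce (assumed thresholds)."""
    return sorted(u for u, s in authenticated_senders(text).items()
                  if len(s["ips"]) > max_ips or s["rcpt"] > max_rcpt)
```

A legitimate POP3 user shows up with one or two IPs and a recipient count in line with their normal traffic; an account that authenticates from many unrelated addresses in a short window is the one to reset first.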
ASKER
The Password I use for that account is pretty strong. I would have a hard time believing that it was compromised hundreds of times in the last month or so (That is how long the exchange server has been up)
Also about two weeks ago I had my antivirus software stop scanning the exchange folders as per Microsoft Knowledge Base Article - 823166. Is this enough, or is there something else that needs to be done?
I will change the logging and look for the 1708 events. More on that later.
It doesn't have to be your account - it can be any account on the server.
If you don't have anyone sending email via SMTP (Outlook Express users for example) then you can turn the feature right off. It doesn't affect delivery of email by Exchange in any way.
Simon.
ASKER
Simon - I don't quite follow what you mean by "It doesn't have to be your account - it can be any account on the server."
When I look at the individual SMTP Connections, there are anywhere from 1-10 emails undelivered.
When I click on Find Now, it lists the emails and under sender it lists 'postmaster@<MyDomain>.com'.
I don't understand how they are doing this, but the only email account that they are using this way is the postmaster email.
I thought that the Exchange Server needs the SMTP Connectors to route things properly?
ASKER CERTIFIED SOLUTION
ASKER
I don't think that a password has been compromised on my system. My system only allows "strong" passwords as Microsoft defines it. Also my system has only been up for about 1 month. (I transitioned my company from Macs to PCs, so almost all the computers are new.)
For the postmaster@... most of the SMTP connectors on my system are from postmaster@...; since postmaster is used for bounced email, is it unusual to have about 60-70 SMTP connectors waiting to deliver mail that is bounced (which I will assume is why they are from postmaster in the first place; this makes more sense to me than my accounts being compromised)?
I noticed that in the last two weeks I had about 19,000 emails being sent from my admin account (which postmaster is attached to); I am assuming that this is too much. However I did migrate the email accounts from the Mac network to the PC one, and I guess I could be getting a lot of spam from those old accounts, especially the ones I expired.
I will try the Recipient Filtering and see if that works. I will write more when I figure out if that worked.
Ray
ASKER
Thanks Simon!! You're a genius! That worked. (The filtering recipients thing.)
Ray
Few points away from being a genius just yet. Just a plain guru at the moment.
Glad to hear you have it working.
Simon.
Hi
I have the same problem on Exchange 2000. How do I resolve it? (There is no option to filter recipients not in the directory.)
Thanks
If you are using Exchange 2000 then you will need a third party application - such as GFI Mail Essentials.
Simon.
Won't enabling the recipients filter block outbound e-mail to everyone that is NOT in Active Directory? How is this useful? Does that mean e-mail sent to some other domain or (company) will fail?
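As an added illustration, not part of the thread, the following model shows why "filter recipients who are not in the directory" empties a postmaster queue like the one described above without touching outbound mail. Without the filter, Exchange accepts a message for any address at the local domain, finds the mailbox does not exist, and queues a non-delivery report from postmaster@ to the (usually forged) sender; with the filter, the unknown recipient is refused during the SMTP session with a 550 at RCPT TO, so no NDR is ever created. The domain, directory contents and inbound messages are constructed.

```python
"""Model of Exchange 2003 recipient filtering versus NDR generation.
LOCAL_DOMAIN, DIRECTORY and INBOUND are constructed sample data."""

LOCAL_DOMAIN = "mydomain.com"
DIRECTORY = {"ray@mydomain.com", "postmaster@mydomain.com"}

def rcpt_to(recipient, directory, recipient_filtering):
    """Return the SMTP reply the server gives to RCPT TO:<recipient>."""
    _user, _, domain = recipient.rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        # Mail for another domain is outbound/relay traffic; recipient
        # filtering only looks at addresses in the local directory.
        return "250 OK (outbound, relay rules apply)"
    if recipient_filtering and recipient.lower() not in directory:
        return "550 5.1.1 User unknown"   # refused in-session, no NDR later
    return "250 OK"

def process_inbound(messages, directory, recipient_filtering):
    """Accept or refuse each (sender, recipient) pair and return the NDRs
    that would land in the postmaster send queue afterwards."""
    ndr_queue = []
    for sender, recipient in messages:
        reply = rcpt_to(recipient, directory, recipient_filtering)
        if reply.startswith("550"):
            continue                      # never accepted, nothing to bounce
        if recipient.lower() not in directory:
            # Accepted, then found undeliverable: NDR goes back to "sender",
            # who in a spam run is usually an innocent forged address.
            ndr_queue.append(("postmaster@" + LOCAL_DOMAIN, sender))
    return ndr_queue

INBOUND = [
    ("friend@example.org", "ray@mydomain.com"),           # legitimate
    ("forged1@victim.example", "olduser@mydomain.com"),   # spam to expired acct
    ("forged2@victim.example", "qwzx@mydomain.com"),      # guessed address
]

if __name__ == "__main__":
    print("without filter:", process_inbound(INBOUND, DIRECTORY, False))
    print("with filter:   ", process_inbound(INBOUND, DIRECTORY, True))
```

Because a 550 at RCPT TO reveals which addresses exist, Exchange 2003 SP1 paired this feature with an SMTP tarpit delay that slows down directory-harvest attempts; enabling the two together is the usual recommendation.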