Solved

SMTP Connections Staying Open with Exchange 5.5 IMC

Posted on 2003-10-21
7
Medium Priority
432 Views
Last Modified: 2006-11-17
OK, here is the latest crazy problem...

Over the past few weeks our Exchange Server has been getting bogged down with SMTP connections. It seems that they are connecting and doing what they have to, but it's just taking forever, so the connections are getting to the MAX of 100 that we have set! Slowly but surely they clear up and the connection count returns to normal. While this is happening you can telnet to port 25 and you can see everything just seems to be moving slowly. We have the diagnostics logging turned on and it rarely shows that any of the connections are timing out. We are also looking at and comparing the inbound connections to see if it is a particular server(s) causing the problem. There have been no correlations thus far!

It's your typical Exchange 5.5 with IMC running, we also use Antigen v6, it's also being ported through ISA server.

Sometimes it goes for days and everything is fine, then all of a sudden the connections just keep building. If we don't try to fix it by rebooting or stopping the IMC, everything usually just works itself out in about an hour.

The machine is regularly defragged, nothing else is running on it, and it is a dual Xeon with 2GB of RAM... I'm at a loss...
It's running an Intel Pro Copper Gigabit card at 1Gb as well.

During the phenomenon the CPU is almost idle, and the hard drives are chugging, but not extensively?!

Any input would be greatly appreciated!
Rich
0
Question by:Richw221
7 Comments
 
LVL 13

Expert Comment

by:Gnart
ID: 9595432
Could be a DOS attack via incomplete TCP handshake or via SMTP; most likely it's an attempt to mass relay mail through your server.  Set up a trap or debug at your router for traffic from the outside with Exchange as the destination to see what, where, or who is trying or connecting to your SMTP connections.

cheers
0
 

Author Comment

by:Richw221
ID: 9596402
That's exactly what we first expected; however, upon packet inspection through the firewall, I cannot seem to find a smoking gun as far as seeing the same servers appearing in the connections list. It could still be random attempts to relay though...
0
 

Author Comment

by:Richw221
ID: 9596404
p.s. ...and there is NOT an open relay...
0

 
LVL 13

Accepted Solution

by:
Gnart earned 1500 total points
ID: 9596516
It's a difficult problem.  The possibility relating to an attack would be directly zombies in order to keep a fix on a specific IP address used in the attack.  The surge and quiesce in about half an hour or so could be an incomplete three-way TCP/IP handshake - the firewall or firewall/router could be dropping those packets over a period of time.  Does a specific group of packets show a pattern of any kind?  You won't get a time-out if the router or firewall sent FIN to both ends and dropped the packet.

There is a site set up to analyze attacking patterns.  I don't remember offhand.  When I go back to the CISCO Security class I will see if I can get hold of the name of the site.  Perhaps you can send your traffic for it to analyze.

Did you set up the network monitor on the Exchange server to capture packets for analysis, in addition to packets captured at the perimeter router and/or firewall?

It will be hard to solve here because the log is surely needed for analysis.  Try this next time it surges: choke off incoming SMTP traffic to see how quickly it quiesces.

cheers
0
 

Author Comment

by:Richw221
ID: 9628307
Well, it seems that a majority of the traffic was from a group of SPAM servers that were not blacklisted by Antigen... so we just blocked them DIRECTLY from the Exchange 5.5 SMTP connections properties by adding the following IP addresses and ranges...

69.59.0.0 using MASK 255.255.192.0
69.6.0.0 using MASK 255.255.192.0

This has cut down on the Antigen incidences DRAMATICALLY and we have not seen the problem reoccur as of yet.

Thank you all for your input and I will let you know if anything changes!
Rich
0
 

Author Comment

by:Richw221
ID: 10959664
Well, as it turns out it was the Antigen software on the Exchange server trying to look up the inbound SMTP server on the SPAM LIST server. There is not a decent timeout set for the lookup to fail, and thus it would keep the SMTP connections open while trying to resolve the name and match it to the list of spam servers. We disabled the DNS resolution of Antigen and subscribed to their Spamcure feature. They are aware of the problem... Thanks to all!
0
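The failure mode Rich lands on in his last comment, a blocklist lookup with no usable timeout holding the SMTP session open, shown as an added Python example that is not code from this thread or from Antigen. It builds the reversed-octet DNSBL query name, bounds the lookup with a hard deadline, and fails open when the list server stalls; the zone name dnsbl.example, the stub resolvers and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket
import threading
import time

DNSBL_ZONE = "dnsbl.example"    # hypothetical zone; the thread names no real list
LOOKUP_TIMEOUT_SECONDS = 2.0    # hard cap on how long a lookup may stall the session

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets and append the zone, e.g. 2.1.59.69.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def blocking_resolver(name):
    # gethostbyname has no per-call timeout: a stalled list server stalls the caller.
    return socket.gethostbyname(name)

def dnsbl_check(ip, resolver=blocking_resolver, timeout=LOOKUP_TIMEOUT_SECONDS):
    """Return 'listed', 'clean' or 'timeout'; never blocks longer than timeout."""
    name = dnsbl_query_name(ip)
    outcome = {}
    def worker():
        try:
            outcome["answer"] = resolver(name)  # any A record means listed
        except socket.gaierror:
            outcome["answer"] = None            # NXDOMAIN means not listed
    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(timeout)
    if t.is_alive():
        return "timeout"  # fail open and log; do not hold the SMTP connection
    return "listed" if outcome.get("answer") else "clean"

def simulate():
    """Constructed resolvers standing in for a responsive and a stalled list server."""
    def listed(name):
        return "127.0.0.2"
    def clean(name):
        raise socket.gaierror("NXDOMAIN")
    def stalled(name):
        time.sleep(10)
        return "127.0.0.2"
    started = time.monotonic()
    stalled_verdict = dnsbl_check("69.59.1.2", resolver=stalled, timeout=0.2)
    return {"listed": dnsbl_check("69.59.1.2", resolver=listed),
            "clean": dnsbl_check("69.6.1.2", resolver=clean),
            "stalled": stalled_verdict,
            "stalled_wait": time.monotonic() - started}
```

Counting "timeout" verdicts per hour is also a cheap detection signal: a spike there is the lookup stalling, not a flood of inbound senders.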
