Extra queues have appeared in exchange 2000

Hi

I am running Exchange 2000 SP3. I have one Default SMTP virtual server and under the queues section I have the normal four queues, i.e. the domain, pre submission, awaiting dir lookup, awaiting routing. The problem is that there are now another 20 or 30 extra (Remote Delivery) queues for strange domain names like ilovenature.org and eisenhower.org etc.

I have been able to freeze these queues but not delete them.

Please can anyone help. I need to get rid of these and to stop them coming back. I cannot find out whether this is a virus or if I have been hacked.

Regards David
Somtech asked:

David Wilhoit, Senior Consultant, Exchange, commented:
Have you changed anything that would allow relay? These could be NDRs that cannot be delivered too, so enumerate each queue, then view the individual emails and see where they are destined to. Post one here if you're not sure of what you're seeing.

d
aquilius commented:
I have a very similar setup as you David, and have a bunch of these too, but I am also running GFI utilities with a blacklist, and I just thought that these are bounced messages being sent out from my default domain accounts, back to the spamming host. How can we tell for sure? When I enumerate the queues half of them don't have anything, the other half do. They are being sent to weird addresses (most seem to be overseas) from my "administrator" account on my local domain (not my public domain which is our 'normal' email address). I have checked my relay settings under ESM>smtp>virtual server>properties and it is set to 'only forward the list below', with nothing listed there (blank).

 I don't want to hijack the thread, but since it was mentioned and I have concern now, I'd contribute 125 points to the answer, as well, to figure this out.  If that's not appropriate, I can start another thread, too.

aquilius
David Wilhoit, Senior Consultant, Exchange, commented:
Could be invalid accounts with your domain name attached, causing the NDR, but most likely they're just NDRs. You can turn on the SMTP logging on the VS, and then see what IP addresses are connecting and who they are trying to send emails to, at that point.

D

ydirie commented:
As Kidego stated, these could be NDRs that were sent to a bad account in your domain, but your server is trying to send bounced-back emails except these domains don't exist. Also, this could happen if you recently changed your external DNS in your virtual SMTP and that DNS server happens to be a cached DNS. Never use UUnet DNS servers as your primary DNS servers, as I have experienced very bad latency!
aquilius commented:
Already have it logging. I see there are IP addresses listed as connecting....is there a way to determine if this is spam or normal log events? Below is a sample of two of my daily log files....what should I be looking for?

65.207.133.234  OutboundConnectionResponse  11/21/2003 17:30:21  11516  0  67  0  0  -  220+bounces.opt-in-promotions.net+-NO+UNSOLICITED+BULK+EMAIL-+ESMTP
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11516  0  4  0  0  EHLO  exchange.<mydomain>.com
65.207.133.234  OutboundConnectionResponse  11/21/2003  17:30:21  11578  0  61  0  0  -  250-bounces.opt-in-promotions.net+-NO+UNSOLICITED+BULK+EMAIL-
212.68.1.186  OutboundConnectionResponse  11/21/2003  17:30:21  5500  0  65  0  0  -  550+<m.doherty_xw@hiit.fi>:+User+unknown+in+local+recipient+table
212.68.1.186  OutboundConnectionCommand  11/21/2003  17:30:21  5500  0  4  0  0  RSET  -
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11719  0  4  0  0  MAIL  FROM:<>
65.207.133.234  OutboundConnectionResponse  11/21/2003  17:30:21  11781  0  6  0  0  -  250+ok
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11781  0  4  0  0  RCPT  TO:<carissa@exclusive-offers.com>
212.68.1.186  OutboundConnectionResponse  11/21/2003  17:30:21  5640  0  6  0  0  -  250+Ok
65.207.133.234  OutboundConnectionResponse  11/21/2003  17:30:21  11844  0  6  0  0  -  250+ok
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11844  0  4  0  0  DATA  -
212.68.1.186  OutboundConnectionCommand  11/21/2003  17:30:21  5672  0  4  0  0  QUIT  -
65.207.133.234  OutboundConnectionResponse  11/21/2003  17:30:21  11906  0  12  0  0  -  354+go+ahead
212.68.1.186  OutboundConnectionResponse  11/21/2003  17:30:21  5797  0  7  0  0  -  221+Bye
66.176.65.124  mgmt.ucalgary.ca  11/21/2003  17:30:22  0  21  51  250  0  HELO  #NAME?
66.176.65.124  mgmt.ucalgary.ca  11/21/2003  17:30:22  0  42  54  250  0  MAIL  +FROM:+<ytaylor_jv@medmicro.uct.ac.za>
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  47  0  36  0  0  -  220+mail2.lessthanyouthink.com+ESMTP
69.56.9.39  OutboundConnectionCommand  11/21/2003  17:30:24  47  0  4  0  0  EHLO  exchange.<mydomain>.com
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  78  0  30  0  0  -  250-mail2.lessthanyouthink.com
69.56.9.39  OutboundConnectionCommand  11/21/2003  17:30:24  78  0  4  0  0  MAIL  FROM:<>
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  109  0  6  0  0  -  250+ok
69.56.9.39  OutboundConnectionCommand  11/21/2003  17:30:24  109  0  4  0  0  RCPT  TO:<bounce-mfiifiuqfwskn@zswwswtps.dealofalifetime.net>
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  141  0  6  0  0  -  250+ok
69.56.9.39  OutboundConnectionCommand  11/21/2003  17:30:24  141  0  4  0  0  DATA  -
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  172  0  12  0  0  -  354+go+ahead
66.176.65.124  mgmt.ucalgary.ca  11/21/2003  17:30:24  0  35  37  250  0  RCPT  +TO:+<<user>@<my-domain>.com>
69.56.9.44  OutboundConnectionResponse  11/21/2003  17:30:25  31  0  36  0  0  -  220+mail3.lessthanyouthink.com+ESMTP

205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, -, 87797, 0, 25, 0, 0, -, -, 250-spf7.us4.outblaze.com,
205.158.62.41, OutboundConnectionCommand, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, -, 87797, 0, 4, 0, 0, MAIL, -, FROM:<>+SIZE=4026,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 21, 47, 250, 0, HELO, -, +m0.tekmailer.com,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 84, 97, 250, 0, MAIL, -, +From:<b.DirectWebMedia.f-284b6d0-3a07.<mydomain>.com.-jlatzke@m0.tekmailer.com>,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 32, 35, 250, 0, RCPT, -, +To:<jlatzke@<mydomain>.com>,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 375, 11856, 124, 250, 0, DATA, -, +<200312010425.XAA95792@m0.tekmailer.com>,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:42, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 4, 72, 240, 3890, QUIT, -, m0.tekmailer.com,
205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:48, SMTPSVC1, EXCHANGE, -, 97906, 0, 6, 0, 0, -, -, 250+Ok,
205.158.62.41, OutboundConnectionCommand, 12/1/2003, 0:02:48, SMTPSVC1, EXCHANGE, -, 97906, 0, 4, 0, 0, RCPT, -, TO:<kvossko@email.com>,
205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99015, 0, 37, 0, 0, -, -, 550+<kvossko@email.com>:+User+unknown,
205.158.62.41, OutboundConnectionCommand, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99015, 0, 4, 0, 0, RSET, -, -,
205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99094, 0, 6, 0, 0, -, -, 250+Ok,
205.158.62.41, OutboundConnectionCommand, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99109, 0, 4, 0, 0, QUIT, -, -,
205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99187, 0, 7, 0, 0, -, -, 221+Bye,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16391, 0, 28, 0, 0, -, -, 220+golias.ruk.cuni.cz+ESMTP,
195.113.0.2, OutboundConnectionCommand, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16391, 0, 4, 0, 0, EHLO, -, exchange.<mydomain>.com,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16531, 0, 22, 0, 0, -, -, 250-golias.ruk.cuni.cz,
195.113.0.2, OutboundConnectionCommand, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16531, 0, 4, 0, 0, MAIL, -, FROM:<>,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16672, 0, 6, 0, 0, -, -, 250+ok,
195.113.0.2, OutboundConnectionCommand, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16672, 0, 4, 0, 0, RCPT, -, TO:<tonidickeyus@cuni.cz>,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16812, 0, 6, 0, 0, -, -, 250+ok,
195.113.0.2, OutboundConnectionCommand, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16812, 0, 4, 0, 0, DATA, -, -,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16953, 0, 12, 0, 0, -, -, 354+go+ahead,
69.6.16.120, 20.bluerocketonline.com, 12/1/2003, 0:03:10, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 4, 72, 240, 112062, QUIT, -,

I've changed some things to hide my relevant info.

Thanks!

aquilius

David Wilhoit, Senior Consultant, Exchange, commented:
It looks like it's dropping the connections, because these folks are trying to relay off you. I've noticed that the addresses are from the Czech Republic, Finland, and South Africa. You might want to try blocking countries; if your company is pretty much only getting email in the US, it helps on the blocking of spam.

69.6.16.120

If you look this up at Spamhaus, these guys own a huge range of IP addresses that spam the globe :)

d
aquilius commented:
Interesting.  Before I started with my present company, my old boss told me that he had to remove our name from the blacklists because when he was hired he found out we were being used as a relay and had to stop it.  Must still be being attempted.  Do you know that the connections are being dropped because no "354+go+ahead"  response is given by my exchange server on some of these?  

Thanks again for the help!  David, I hope some of my questions helped answer some of your own.  Glad you asked your question!

ydirie: do you just recommend using your isp's DNS addresses then as the pointer for your external DNS servers under the VS config?  My old one was pointing to UUnet, so now I'm thinking of pointing it towards my ISP's DNS servers as an alternate....or maybe even my own DMZ DNS servers.

aquilius

I'll get a hold of an admin and ask that Kidego get 75 points of mine and ydirie get 50, since I found both of your answers to be valuable.  Thanks all!  
ydirie commented:
Just make sure whoever you decide to use, don't drop any questions. I am hoping your isp is not UUnet :)-

you can test the name server you decide to use by nslookup

start>run>cmd ENTER
nslookup ENTER
type server then the IP address of the name server you want to test, i.e. server 192.168.1.1 ENTER
set q=mx ENTER
hotmail.com ENTER to see what happens
type your domain name to see what happens
David Wilhoit, Senior Consultant, Exchange, commented:
As a side note, I really like this little tool for DNS:

http://www.newsbin.com/dnscape/index.htm

D
aquilius commented:
Computer 101,

I think you want to address that to me.  If you notice I didn't start this thread, but since it was of such value to me, and since I asked a lot of questions inside of it, I wanted to offer some of my points as well to what David (Somtech) has offered when he opened the question.  Maybe that's not possible, but I figured it should be doable....if not, please let me know what I can do to make it happen.

I would like to see Kidego get 75 points from what I have left, and ydirie get 50 points.  If necessary, I will open my own question and do it that way.

Again, I'm not trying to hijack this question and trump David, I just noticed that Somtech's question mirrored my own circumstance, so I thought I would help boost the value of the question, by offering up some of my own points into the mix.

Does that make sense?

aquilius

Somtech (Author) commented:
Hi Guys

As I am in the UK I have been asleep while you have been posting your comments. They are all very relevant. I now have two customers with the same problem this morning, so I am heading off to site armed with this information. I will post my queries later when I get to site.

I am sure that we can sort the points situation out once we have solved the problem.

Regards
David
Somtech (Author) commented:
Hi All

I have been to site today to look at this mail server problem.

Firstly I checked to see if it was an open relay. I checked the SMTP VS properties and the authentication has ticks in Anonymous access, Basic authentication and Integrated Windows authentication. The Relay Restrictions has Only the list below selected and nothing in the list, and a tick in allow computers which successfully authenticate to relay.

I did a telnet test and was unable to relay.

This suggests to me that someone either authenticated to spam from my server or hacked it?

I checked that the guest account etc were disabled and they were.

Unfortunately I did not have logging turned on on the VS which I now have.

Below are details of the properties of one of the emails in the queue.
They were from aked4_un@123.com with 13 envelope recipients, which were all SMTP addresses.

I enumerated each of these strange queues and deleted the messages.

I then enumerated the Destination Unreachable queue that had some 5000 emails in it and deleted those.

I receive TechNet, and on the disk for June was an Exchange post-Service Pack 3 rollup which was already installed on the server; however, after searching TechNet online there is a newer version of the same name, which I have installed:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e7aaa113-1403-4262-8269-4b2ab9ae5476&DisplayLang=en

I rebooted the server and the queues are gone and the server is running fine.

My next problem is how do I find out how this happened and put a stop to it ???

The customer has a fortigate 60R firewall that had a rule which was set to allow any external address access to port 25, I have now edited this so only the ip address range of the ISP's SMTP servers have access to port 25.

I hope this will now solve the problem for good. If any of you can give me advice on how to find out what happened, i.e. what logs I should look at etc., I would be very grateful.

Thanks for all your help so far
Regards

Dave
ydirie commented:
Give yourself kudos!

1. You've verified your server was never open for relay.
2. Even if the firewall is completely open, the application layer (Exchange server) is closed for relay.
3. All emails were gone from the queue because you deleted them. However, if anyone sends an email to someone that does not have an email account, the server will try to send an NDR to the sender. The problem is the sender's reply email address is bogus and the email gets stuck in the queue for something like retry (remote delivery). One thing you can do to help is uncheck allow NDR under global settings, internet format, double click the default domain, advanced, and that is where you can uncheck it.
4. Where can you check to investigate? I would say don't even waste time, as some of those emails tend to come back.

I think Kidego may have more things to add!
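Tying ydirie's point 3 back to the "what should I be looking for?" question on the log excerpts aquilius posted earlier, here is an added example (not from this thread) that triages IIS SMTP log lines in both layouts shown there: an outbound session sending with the empty reverse-path MAIL FROM:<> is an NDR Exchange is trying to deliver, and a 5xx reply from the remote means the bounce target is bogus and the message will sit in a retry queue, while an inbound RCPT for a domain that is not yours is a relay attempt, refused or not. The sample log lines, host names, IP addresses and the local domain mydomain.example are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed sample in the two IIS SMTP log layouts quoted in the thread (space-separated
# and comma-separated W3C extended). Hosts, addresses and IPs are placeholders, not page values.
SAMPLE_LOG = """\
203.0.113.10  OutboundConnectionCommand  11/21/2003  17:30:21  11516  0  4  0  0  MAIL  FROM:<>
203.0.113.10  OutboundConnectionCommand  11/21/2003  17:30:21  11578  0  4  0  0  RCPT  TO:<nobody@example.net>
203.0.113.10  OutboundConnectionResponse  11/21/2003  17:30:21  11640  0  37  0  0  -  550+<nobody@example.net>:+User+unknown
198.51.100.7, mail.bulk.example, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, 192.0.2.5, 0, 32, 35, 550, 0, RCPT, -, +TO:<victim@elsewhere.example>,
198.51.100.7, mail.bulk.example, 12/1/2003, 0:02:39, SMTPSVC1, EXCHANGE, 192.0.2.5, 0, 32, 35, 250, 0, RCPT, -, +TO:<user@mydomain.example>,
"""
SMTP_VERBS = ("HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT")

def parse_line(line):
    """Split one log line into (client_ip, direction, verb, status, payload); None if blank."""
    line = line.strip().rstrip(",")
    if not line:
        return None
    fields = [f.strip() for f in line.split(",")] if ", " in line else line.split()
    direction = "out" if fields[1].startswith("OutboundConnection") else "in"
    payload = fields[-1].replace("+", " ").strip()          # IIS writes spaces as '+'
    idx = next((i for i, f in enumerate(fields) if f in SMTP_VERBS), None)
    verb = fields[idx] if idx is not None else "-"           # "-" marks a response line
    status = fields[idx - 2] if idx is not None else payload[:3]  # protocol status or reply code
    return fields[0], direction, verb, status, payload

def verdict(direction, s, local_domains):
    """Classify one session: NDR backscatter, relay attempt, or ordinary mail flow."""
    if direction == "out" and s["null_sender"]:
        if any(c.startswith("5") for c in s["codes"]):
            return "backscatter: our NDR was refused, it will sit in a retry queue"
        return "NDR delivered" if "354" in s["codes"] else "NDR not yet accepted (no 354 seen)"
    foreign = [st for addr, st in s["rcpt"] if addr.rsplit("@", 1)[-1].lower() not in local_domains]
    if direction == "in" and foreign:
        return "relay attempt " + ("refused" if all(st.startswith("5") for st in foreign) else "ACCEPTED, check relay restrictions")
    return "normal " + ("inbound" if direction == "in" else "outbound") + " delivery"

def triage(log_text, local_domains):
    """Group lines by (remote IP, direction) and return a verdict for each session."""
    sessions = defaultdict(lambda: {"null_sender": False, "rcpt": [], "codes": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, direction, verb, status, payload = rec
        s = sessions[(ip, direction)]
        if verb == "MAIL":
            s["null_sender"] = bool(re.search(r"FROM:\s*<>", payload, re.I))  # empty reverse-path = bounce
        elif verb == "RCPT":
            m = re.search(r"<([^>]*)>", payload)
            s["rcpt"].append((m.group(1) if m else payload, status))    # keep the protocol status too
        elif verb == "-":
            s["codes"].append(status)                                    # replies the remote sent us
    return {key: verdict(key[1], s, local_domains) for key, s in sessions.items()}
```

Feed the contents of a real SMTPSVC log file to triage() together with the set of domains your server accepts mail for; sessions keyed by (IP, direction) then tell you which IPs are probing for relay and which queues are backscatter.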

David Wilhoit, Senior Consultant, Exchange, commented:
People will always try to bounce mail off your server; you just have to keep it locked down. I used to see issues like this from time to time; they went away after a time, when they figured that they couldn't relay. You also have to know that spammers send messages to non-existent addresses on your domain, verify your domain and IP address, generating the NDRs (like Ydirie said, you can turn them off, but it's not exactly RFC compliant. However, when under attack, it's a valid maneuver).

You're on the mark Dave, congrats!

D

Somtech (Author) commented:
Kidego

If this happens again I am still struggling to understand what the logs are telling me; would it be possible to mail them to you directly for your comments? I don't want to post them as they contain all of my customer's info. If this is possible please let me know at dw@somtech.co.uk.

Thanks again for all your help guys.

Dave
Somtech (Author) commented:
Hi guys

Sorry, forgot: I am off to do the second one today, another customer with the same problem. I will post here if there are any differences; if not, I will close this call if aquilius is now sorted as well.

Dave
aquilius commented:
I'm all set per this question, answer wise, but I'm not sure what I need to have you agree to, to allow c101 to award the points I offered up as well to kidego and ydirie.

Good question.  Very glad you asked it.

aquilius