Somtech (United Kingdom) asked:

Extra queues have appeared in exchange 2000

Hi

I am running exchange 2000 sp3. I have one Default SMTP virtual server and under the queues section I have the normal four queues i.e the domain, pre submission, awaiting dir lookup, awaiting routing.  The problem is that there are now another 20 or 30 extra (Remote Delivery) queues for strange domain names like ilovenature.org and eisenhower.org etc etc.

I have been able to freeze these queues but not delete them.

Please can anyone help.  I need to get rid of these and to stop them coming back.  I can not find out whether this is a virus or if I have been hacked.

Regards David
David Wilhoit:

Have you changed anything that would allow relay?  these could be NDRs that cannot be delivered too, so enumerate each queue, and then view the individual emails, see where they are destined to. Post one here, if you're not sure of what you're seeing.

d
aquilius:

I have a very similar setup as you David, and have a bunch of these too, but I am also running GFI utlities with a blacklist, and I just thought that these are bounced messages being sent out from my default domain accounts, back to the spamming host.  How can we tell for sure?  When I enumerate the queues half of them don't have anything, the other half do.  They are being sent to weird addresses (most seem to be over seas) from my "administrator" account on my local domain (not my public domain which is our 'normal' email address).  I have checked my relay settings under ESM>smtp>virtual server>properties and it is set to 'only forward the list below', with nothing listed there (blank).

 I don't want to hijack the thread, but since it was mentioned and I have concern now, I'd contribute 125 points to the answer, as well, to figure this out.  If that's not appropriate, I can start another thread, too.

aquilius
SOLUTION (David Wilhoit) [members-only content not shown]

SOLUTION [members-only content not shown]

Already have it logging.  I see there are ip addresses listed as connecting....is there a way to determine if this is spam or normal log events?   Below is a sample of two of my daily log files....what should I be looking for?

65.207.133.234  OutboundConnectionResponse  11/21/2003 17:30:21  11516  0  67  0  0  -  220+bounces.opt-in-promotions.net+-NO+UNSOLICITED+BULK+EMAIL-+ESMTP
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11516  0  4  0  0  EHLO  exchange.<mydomain>.com
65.207.133.234  OutboundConnectionResponse  11/21/2003  17:30:21  11578  0  61  0  0  -  250-bounces.opt-in-promotions.net+-NO+UNSOLICITED+BULK+EMAIL-
212.68.1.186  OutboundConnectionResponse  11/21/2003  17:30:21  5500  0  65  0  0  -  550+<m.doherty_xw@hiit.fi>:+User+unknown+in+local+recipient+table
212.68.1.186  OutboundConnectionCommand  11/21/2003  17:30:21  5500  0  4  0  0  RSET  -
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11719  0  4  0  0  MAIL  FROM:<>
65.207.133.234  OutboundConnectionResponse  11/21/2003  17:30:21  11781  0  6  0  0  -  250+ok
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11781  0  4  0  0  RCPT  TO:<carissa@exclusive-offers.com>
212.68.1.186  OutboundConnectionResponse  11/21/2003  17:30:21  5640  0  6  0  0  -  250+Ok
65.207.133.234  OutboundConnectionResponse  11/21/2003  17:30:21  11844  0  6  0  0  -  250+ok
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11844  0  4  0  0  DATA  -
212.68.1.186  OutboundConnectionCommand  11/21/2003  17:30:21  5672  0  4  0  0  QUIT  -
65.207.133.234  OutboundConnectionResponse  11/21/2003  17:30:21  11906  0  12  0  0  -  354+go+ahead
212.68.1.186  OutboundConnectionResponse  11/21/2003  17:30:21  5797  0  7  0  0  -  221+Bye
66.176.65.124  mgmt.ucalgary.ca  11/21/2003  17:30:22  0  21  51  250  0  HELO  #NAME?
66.176.65.124  mgmt.ucalgary.ca  11/21/2003  17:30:22  0  42  54  250  0  MAIL  +FROM:+<ytaylor_jv@medmicro.uct.ac.za>
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  47  0  36  0  0  -  220+mail2.lessthanyouthink.com+ESMTP
69.56.9.39  OutboundConnectionCommand  11/21/2003  17:30:24  47  0  4  0  0  EHLO  exchange.<mydomain>.com
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  78  0  30  0  0  -  250-mail2.lessthanyouthink.com
69.56.9.39  OutboundConnectionCommand  11/21/2003  17:30:24  78  0  4  0  0  MAIL  FROM:<>
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  109  0  6  0  0  -  250+ok
69.56.9.39  OutboundConnectionCommand  11/21/2003  17:30:24  109  0  4  0  0  RCPT  TO:<bounce-mfiifiuqfwskn@zswwswtps.dealofalifetime.net>
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  141  0  6  0  0  -  250+ok
69.56.9.39  OutboundConnectionCommand  11/21/2003  17:30:24  141  0  4  0  0  DATA  -
69.56.9.39  OutboundConnectionResponse  11/21/2003  17:30:24  172  0  12  0  0  -  354+go+ahead
66.176.65.124  mgmt.ucalgary.ca  11/21/2003  17:30:24  0  35  37  250  0  RCPT  +TO:+<<user>@<my-domain>.com>
69.56.9.44  OutboundConnectionResponse  11/21/2003  17:30:25  31  0  36  0  0  -  220+mail3.lessthanyouthink.com+ESMTP

205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, -, 87797, 0, 25, 0, 0, -, -, 250-spf7.us4.outblaze.com,
205.158.62.41, OutboundConnectionCommand, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, -, 87797, 0, 4, 0, 0, MAIL, -, FROM:<>+SIZE=4026,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 21, 47, 250, 0, HELO, -, +m0.tekmailer.com,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 84, 97, 250, 0, MAIL, -, +From:<b.DirectWebMedia.f-284b6d0-3a07.<mydomain>.com.-jlatzke@m0.tekmailer.com>,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 32, 35, 250, 0, RCPT, -, +To:<jlatzke@<mydomain>.com>,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 375, 11856, 124, 250, 0, DATA, -, +<200312010425.XAA95792@m0.tekmailer.com>,
69.6.7.18, m0.tekmailer.com, 12/1/2003, 0:02:42, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 4, 72, 240, 3890, QUIT, -, m0.tekmailer.com,
205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:48, SMTPSVC1, EXCHANGE, -, 97906, 0, 6, 0, 0, -, -, 250+Ok,
205.158.62.41, OutboundConnectionCommand, 12/1/2003, 0:02:48, SMTPSVC1, EXCHANGE, -, 97906, 0, 4, 0, 0, RCPT, -, TO:<kvossko@email.com>,
205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99015, 0, 37, 0, 0, -, -, 550+<kvossko@email.com>:+User+unknown,
205.158.62.41, OutboundConnectionCommand, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99015, 0, 4, 0, 0, RSET, -, -,
205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99094, 0, 6, 0, 0, -, -, 250+Ok,
205.158.62.41, OutboundConnectionCommand, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99109, 0, 4, 0, 0, QUIT, -, -,
205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99187, 0, 7, 0, 0, -, -, 221+Bye,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16391, 0, 28, 0, 0, -, -, 220+golias.ruk.cuni.cz+ESMTP,
195.113.0.2, OutboundConnectionCommand, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16391, 0, 4, 0, 0, EHLO, -, exchange.<mydomain>.com,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16531, 0, 22, 0, 0, -, -, 250-golias.ruk.cuni.cz,
195.113.0.2, OutboundConnectionCommand, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16531, 0, 4, 0, 0, MAIL, -, FROM:<>,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16672, 0, 6, 0, 0, -, -, 250+ok,
195.113.0.2, OutboundConnectionCommand, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16672, 0, 4, 0, 0, RCPT, -, TO:<tonidickeyus@cuni.cz>,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16812, 0, 6, 0, 0, -, -, 250+ok,
195.113.0.2, OutboundConnectionCommand, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16812, 0, 4, 0, 0, DATA, -, -,
195.113.0.2, OutboundConnectionResponse, 12/1/2003, 0:03:08, SMTPSVC1, EXCHANGE, -, 16953, 0, 12, 0, 0, -, -, 354+go+ahead,
69.6.16.120, 20.bluerocketonline.com, 12/1/2003, 0:03:10, SMTPSVC1, EXCHANGE, <myexchangeIPaddress>, 0, 4, 72, 240, 112062, QUIT, -,

I've changed some things to hide my relevant info.

Thanks!

aquilius
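
A small triage script over constructed log lines in the two layouts pasted above, added here as an example and not code from the thread: it counts outbound sessions where the server sends MAIL FROM:<> (the null reverse path an NDR uses, which is what David Wilhoit suggested these queues might be) and the remote 550 replies to them, and separately tallies MAIL commands arriving from remote hosts. The hosts, addresses and sample lines are assumptions.

```python
from collections import Counter

# Constructed sample lines (not from the thread) in the two IIS SMTP protocol-log
# layouts pasted above: whitespace-separated and comma-separated. All hosts and
# addresses are placeholders.
SAMPLE_LOG = """\
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11719  0  4  0  0  MAIL  FROM:<>
65.207.133.234  OutboundConnectionCommand  11/21/2003  17:30:21  11781  0  4  0  0  RCPT  TO:<someone@example.net>
212.68.1.186  OutboundConnectionResponse  11/21/2003  17:30:21  5500  0  65  0  0  -  550+<nobody@example.org>:+User+unknown
66.176.65.124  mail.example.edu  11/21/2003  17:30:22  0  21  51  250  0  HELO  -
205.158.62.41, OutboundConnectionCommand, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, -, 87797, 0, 4, 0, 0, MAIL, -, FROM:<>+SIZE=4026,
205.158.62.41, OutboundConnectionResponse, 12/1/2003, 0:02:49, SMTPSVC1, EXCHANGE, -, 99015, 0, 37, 0, 0, -, -, 550+<x@example.com>:+User+unknown,
69.6.7.18, m0.bulkmail.example, 12/1/2003, 0:02:38, SMTPSVC1, EXCHANGE, 10.0.0.5, 0, 84, 97, 250, 0, MAIL, -, +From:<spoofed@example.test>,
"""

VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"}

def parse_line(line):
    """Return (client_ip, session_tag, verb, argument) for one log line.
    session_tag is OutboundConnection* for mail we send, else the remote HELO name."""
    if "," in line:
        fields = [f.strip() for f in line.split(",") if f.strip()]
    else:
        fields = line.split()
    verb = next((f for f in fields if f in VERBS), None)
    arg = fields[-1] if fields[-1] != "-" else ""
    return fields[0], fields[1], verb, arg

def triage(log_text):
    """Tally the three things worth looking for in these logs:
    ndr_out      - outbound sessions where we send MAIL FROM:<> (null reverse path),
                   i.e. our server is delivering NDRs, keyed by remote IP;
    rejected_out - outbound sessions where the remote side answered 550 (the
                   NDR's recipient does not exist), keyed by remote IP;
    inbound_mail - MAIL commands received from remote hosts, keyed by HELO name."""
    summary = {"ndr_out": Counter(), "rejected_out": Counter(), "inbound_mail": Counter()}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ip, tag, verb, arg = parse_line(raw)
        outbound = tag.startswith("OutboundConnection")
        if outbound and verb == "MAIL" and "FROM:<>" in arg.upper():
            summary["ndr_out"][ip] += 1
        elif outbound and arg.startswith("550"):
            summary["rejected_out"][ip] += 1
        elif not outbound and verb == "MAIL":
            summary["inbound_mail"][tag] += 1
    return summary

if __name__ == "__main__":
    for name, counter in triage(SAMPLE_LOG).items():
        print(name, dict(counter))
```

A high count of null-sender outbound sessions with 550 answers, alongside inbound MAIL from hosts you do not recognise, is the bounce pattern to check for before assuming the server itself relayed the mail.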

SOLUTION [members-only content not shown]

Interesting.  Before I started with my present company, my old boss told me that he had to remove our name from the blacklists because when he was hired he found out we were being used as a relay and had to stop it.  Must still be being attempted.  Do you know that the connections are being dropped because no "354+go+ahead"  response is given by my exchange server on some of these?  

Thanks again for the help!  David, I hope some of my questions helped answer some of your own.  Glad you asked your question!

ydirie: do you just recommend using your isp's DNS addresses then as the pointer for your external DNS servers under the VS config?  My old one was pointing to UUnet, so now I'm thinking of pointing it towards my ISP's DNS servers as an alternate....or maybe even my own DMZ DNS servers.

aquilius

I'll get a hold of an admin and ask that Kidego get 75 points of mine and ydirie get 50, since I found both of your answers to be valuable.  Thanks all!  
SOLUTION [members-only content not shown]

SOLUTION [members-only content not shown]

Computer 101,

I think you want to address that to me.  If you notice I didn't start this thread, but since it was of such value to me, and since I asked a lot of questions inside of it, I wanted to offer some of my points as well to what David (Somtech) has offered when he opened the question.  Maybe that's not possible, but I figured it should be doable....if not, please let me know what I can do to make it happen.

I would like to see Kidego get 75 points from what I have left, and ydirie get 50 points.  If necessary, I will open my own question and do it that way.

Again, I'm not trying to hijack this question and trump David, I just noticed that Somtech's question mirrored my own circumstance, so I thought I would help boost the value of the question, by offering up some of my own points into the mix.

Does that make sense?

aquilius

Somtech (asker):

Hi Guys

As I am in the UK I have been asleep while you have been posting your comments.  They are all very relevant.  I now have two customers with the same problem this morning so I am heading off to site armed with this information.  I will post my queries later when I get to site.

I am sure that we can sort the points situation out once we have solved the problem.

Regards
David
Somtech (asker):

Hi All

I have been to site today to look at this mail server problem.

Firstly I checked to see if it was an open relay.  I checked the SMTP VS properties and the authentication has ticks in Anonymous access, Basic authentication and Integrated Windows authentication. The Relay Restrictions has Only the list below selected and nothing in the list, and a tick in allow computers which successfully authenticate to relay.

I did a telnet test and was unable to relay.

This suggests to me that someone either authenticated to spam from my server or hacked it?

I checked that the guest account etc were disabled and they were.

Unfortunately I did not have logging turned on on the VS which I now have.

Below are details of the properties of one of the emails in the queue:
They were from aked4_un@123.com with 13 envelope recipients which were all SMTP addresses.

I enumerated each of these strange queues and deleted the messages.

I then enumerated the Destination unreachable queue that had some 5000 emails in it and deleted those.

I receive TechNet and on the disk for June was an Exchange post-Service Pack 3 rollup which was already installed on the server; however, after searching TechNet online there is a newer version of the same name, which I have installed:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e7aaa113-1403-4262-8269-4b2ab9ae5476&DisplayLang=en

I rebooted the server and the queues are gone and the server is running fine.

My next problem is how do I find out how this happened and put a stop to it ???

The customer has a fortigate 60R firewall that had a rule which was set to allow any external address access to port 25, I have now edited this so only the ip address range of the ISP's SMTP servers have access to port 25.

I hope this will now solve the problem for good.  If any of you can give me advice on how to find out what happened, i.e. what logs I should look at etc, I would be very grateful.

Thanks for all your help so far
Regards

Dave
SOLUTION [members-only content not shown]

ASKER CERTIFIED SOLUTION [members-only content not shown]

Somtech (asker):

Kidego

If this happens again I am still struggling to understand what the logs are telling me; would it be possible to mail them to you direct for your comments?  I don't want to post them as they contain all of my customer's info.  If this is possible please let me know at dw@somtech.co.uk.

Thanks again for all your help guys.

Dave
Somtech (asker):

Hi guys

Sorry, I forgot: I am off to do the second one today, another customer with the same problem.  I will post here if there are any differences; if not I will close this call if aquilius is now sorted as well.

Dave
aquilius:

I'm all set per this question, answer wise, but I'm not sure what I need to have you agree to, to allow c101 to award the points I offered up as well to kidego and ydirie.

Good question.  Very glad you asked it.

aquilius