Solved

Exchange 5.5 outbound messages queue overload

Posted on 2004-04-05
17
5,269 Views
Last Modified: 2013-11-15
Hi,

My client is running Exchange 5.5 on NT service pack 6a. I just received complaints that people are unable to send outgoing email - in the network is fine, but outgoing doesn't go. So I looked in the IMS outgoing delivery queue and noticed THOUSANDS of awaiting outgoing messages. However, these messages do not originate from any known internal user. Lots of them have this domain "seed.net.tw" and are going to a host I've never seen before. Lots of garbled characters and actually some Asian looking characters. Something looks fishy here.

This screams "spam" to me, but I don't know what to do to stop these outbound mails. I think this is the reason for the users being unable to send mail outside the network.

Last Thursday I opened port 25 on the router as I'm about to make some changes to Exchange and how mail is delivered. Could that have triggered an onslaught of this spam? Has someone hacked/hijacked the exchange server?

I have read about some spam/DoS attack called Bluestell that many others have had problems with. It seems that the symptoms are exactly like mine, but I haven't noticed "bluestell" anywhere. Then again, I have not looked hard. I've been trying to clear the queue, but it seems to choke things up.

Any ideas as to how to remedy this?
Question by:CyberianPrime
17 Comments
 
LVL 11

Expert Comment

by:infotrader
ID: 10760182
Are you permitting relaying on your Exchange server?  If so, turn that off... it is a big NO NO!!!  Use your Exchange admin utility to disable relaying.

- Info
0
 

Author Comment

by:CyberianPrime
ID: 10760205
I don't believe I am. Where would I check for that in Exchange 5.5?

Is it possible that there is someone logging into the server and being authenticated to start relaying spam? Perhaps I should change the admin password?
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10761200
Give us your email domain and server IP and we'll check.  It could be a harvest attack.  That's a spammer trying to gather your addresses by sending tons of email to random addresses.

Here is an article with instructions on securing your relay:

XCON: How to Prevent Mail Relay in Exchange Server 5.5 SP1 or Later
http://support.microsoft.com/default.aspx?scid=kb;en-us;315687

OneHump
0
 

Author Comment

by:CyberianPrime
ID: 10761373
How can you tell from my domain and IP if it's a harvest attack? Don't you need to see the guts of Exchange and event logs for that?

Domain: JBBBS.ORG
IP: 65.96.109.53

Step 3 in the Microsoft doc you linked says this: Select Reroute incoming SMTP mail, and then add all inbound mail domains. (This setting is required for POP3/IMAP4 support.) Would all inbound mail domains be their domain, JBBBS.ORG?

FYI - I have turned off Port 25 on the router as we currently use Internet Mailbridge to retrieve POP3 email from our mail hosting provider - then redistributes to Exchange accounts. I opened port 25 briefly as I stated above and I believe that is the cause of this.
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10766931
I can't tell for your domain/IP if it's a harvest attack.  It's just a common problem with similar symptoms.

Since you blocked port 25, I can't connect and therefore cannot relay.  This means your relay is closed for now.  You can use this URL to test on your own when you open that port back up:

http://www.abuse.net/relay.html

In the routing tab, you want to specify routes there for every domain you want to relay for.  For domains that Exchange is the final destination for, you will route "Inbound".  For others, you will specify the appropriate remote MTA.  What you need to be careful of there is the routing restrictions part.  You don't want internal hosts email to remote domains to bounce with "relaying denied".  Be sure to test test test.

I checked your domain in dnsreport.com.  It looks good from an email perspective.
http://www.dnsreport.com/tools/dnsreport.ch?domain=jbbbs.org.


OneHump
0
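The relay test OneHump points at (abuse.net) can also be scripted against your own server, so it is easy to re-run after every change to the Routing and Connections tabs. This is an added example, not code from the thread or from Microsoft; `SMTP_HOST`, `INBOUND_DOMAIN` and the test addresses are constructed placeholders. It performs the two checks the thread calls for: an outside sender to an outside recipient must be refused, while mail for the server's own inbound domain must still be accepted.

```python
"""Self-test of SMTP relay restrictions on a server you administer."""
import smtplib
from typing import Callable, Tuple

# Constructed placeholders (assumptions): replace with your own server/domain.
SMTP_HOST = "mail.example.org"   # the server under test
INBOUND_DOMAIN = "example.org"   # the domain routed "Inbound" on the Routing tab

# A probe takes (mail_from, rcpt_to) and returns the RCPT TO reply (code, text).
Probe = Callable[[str, str], Tuple[int, str]]


def smtp_probe(mail_from: str, rcpt_to: str, host: str = SMTP_HOST) -> Tuple[int, str]:
    """Issue MAIL FROM / RCPT TO and return the RCPT reply. Never sends DATA,
    so no message is actually queued even if the server would relay it."""
    with smtplib.SMTP(host, 25, timeout=15) as smtp:
        smtp.ehlo_or_helo_if_needed()
        smtp.mail(mail_from)
        code, text = smtp.rcpt(rcpt_to)
        smtp.rset()  # abandon the transaction cleanly
        return code, text.decode(errors="replace")


def check_relay_policy(probe: Probe, inbound_domain: str) -> dict:
    """Run both checks that should follow any relay change.

    open_relay  -> True if outside->outside RCPT was accepted (2xx): must be False.
    inbound_ok  -> True if mail for our own domain is accepted: must be True.
    """
    outside_from = "relaytest@outside.example"          # constructed sender
    relay_code, _ = probe(outside_from, "someone@another.example")
    inbound_code, _ = probe(outside_from, f"postmaster@{inbound_domain}")
    return {
        "open_relay": 200 <= relay_code < 300,
        "inbound_ok": 200 <= inbound_code < 300,
        "relay_code": relay_code,
        "inbound_code": inbound_code,
    }


if __name__ == "__main__":
    result = check_relay_policy(smtp_probe, INBOUND_DOMAIN)
    print(result)
    if result["open_relay"] or not result["inbound_ok"]:
        raise SystemExit(f"relay policy needs attention: {result!r}")
```

Run it once from outside the network and once from an internal host; the internal run should additionally be able to reach an external recipient, which is the "relaying denied" bounce the thread warns about if the Connections tab is too strict.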
 

Author Comment

by:CyberianPrime
ID: 10767171
Since Port 25 is closed, I assume the spam/overload in the outbound queue should stop once I manage to clear it?

I will eventually open it back up once we get rid of Internet Mailbridge. However, I am very unfamiliar with relaying and Exchange. Shouldn't relaying be turned off completely? Is it necessary to have relaying activated if I just want it to allow inbound mail for all "jbbbs.org" users? How would I set Exchange to filter out this outgoing spam crud that is clogging the queue up once I open Port 25 again? Please spell it out as I'm a newbie at relaying and the guts of Exchange.

Many thanks.
0
 
LVL 10

Accepted Solution

by:
OneHump earned 250 total points
ID: 10767642
It will certainly stop if you don't have port 25 open, but it will likely continue when you open it depending on if someone is using your box as an open relay, someone is dictionary harvest attacking, or someone is sending spam/viruses with from addresses spoofed from your domain.

Relaying can be turned off, but not completely.  You still need to relay for your internal domains and you still need to allow internal networks to send to external domains.  What this means is that you need to define your inbound domains in the Routing tab and specify your internal networks that need to relay in the Connections tab.  That article does a pretty good job of explaining it.  If it's not clear enough, here is another article that's pretty good:

Preventing Third Party Relaying In MS Exchange Server 5.5
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html

Here is another link with a lot of good info about available techniques and tools.

http://www.slipstick.com/exs/relay.htm

You could very well get more "crud" once you open up port 25.  It really depends on what you're doing.  The problem is that Exchange is not a great perimeter Email server.  Most companies deploy solutions like Sendmail and use other tools like anti-spam or IDS software to deal with people behaving badly.  Doing business on the Internet is not an easy thing.

OneHump
0
 
LVL 11

Expert Comment

by:infotrader
ID: 10767699
Also, enforce a periodic password changing policy with some kind of complexity requirement.  Sometimes the attackers might get a hold of one of your users' ID and password and can therefore start to relay after they "authenticated".

- Info
0

 

Author Comment

by:CyberianPrime
ID: 10768116
Thanks guys. I appreciate the help. I'll have to do some more reading from here once we open up port 25 again. Now I just have to figure out how to clear the outbound queue of its 10,000 spam messages. :)
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10768202
You could NDR them all from the queue if you want.  You could also set your retry intervals really low so they get dealt with faster and just let Exchange clear them out.

OneHump
0
 

Author Comment

by:CyberianPrime
ID: 10768333
Not sure what you mean by NDR them, but I'm going to try the steps listed in this kb article to clear the queue:

http://support.microsoft.com/?kbid=324059
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10770062
That's a good article, but it won't result in a returned message for legitimate email.  By NDR them, you go into the queue in Exchange Administrator and delete them en masse.  It will ask you if you want to send a non-delivery report.  You say yes.  This will allow legitimate senders to know their email didn't arrive.

If you don't care and just want to be done with this, follow that article; it's good.

OneHump
0
 

Author Comment

by:CyberianPrime
ID: 10770199
I will try that. When I attempted this the other day via pcAnywhere/VPN, something froze or got clogged up. Now the server is down completely. My client's office is in a Jewish Community Center, so it has been and will be closed 'till Thurs AM. So, I'm assuming the server just froze up and puked. I'll have to hard reboot it on Thurs and try visiting that queue again.

Thanks for the help.
0
 
LVL 10

Expert Comment

by:OneHump
ID: 10771195
Maybe the server is observing passover.  :)
0
 

Author Comment

by:CyberianPrime
ID: 10771246
LOL. A Jewish server.
0
 

Expert Comment

by:nicley
ID: 11897439
CyberianPrime, I seem to be having a very similar problem and was wondering what you found to be the cause of your problem.

Thanks,
Ryan
0
 

Author Comment

by:CyberianPrime
ID: 11897902
Ryan,

You won't like this explanation. The server actually crashed soon after, so I just scrapped everything and installed W2K. Best move ever.

However, I would read the messages from OneHump carefully - including the links. He had some great ideas which worked until things went to hell.
0
