Solved

Exchange 5.5 outbound messages queue overload

Posted on 2004-04-05
Last Modified: 2013-11-15
Hi,

My client is running Exchange 5.5 on NT service pack 6a. I just received complaints that people are unable to send outgoing email - mail within the network is fine, but outgoing doesn't go. So I looked in the IMS outgoing delivery queue and noticed THOUSANDS of awaiting outgoing messages. However, these messages do not originate from any known internal user. Lots of them have this domain "seed.net.tw" and are going to a host I've never seen before. Lots of garbled characters and actually some Asian-looking characters. Something looks fishy here.

This screams "spam" to me, but I don't know what to do to stop these outbound mails. I think this is the reason for the users being unable to send mail outside the network.

Last Thursday I opened port 25 on the router as I'm about to make some changes to Exchange and how mail is delivered. Could that have triggered an onslaught of this spam? Has someone hacked/hijacked the Exchange server?

I have read about some spam/DoS attack called Bluestell that many others have had problems with. It seems that the symptoms are exactly like mine, but I haven't noticed "bluestell" anywhere. Then again, I have not looked hard. I've been trying to clear the queue, but it seems to choke things up.

Any ideas as to how to remedy this?
Question by:CyberianPrime
17 Comments
 
LVL 11

Expert Comment

by:infotrader
ID: 10760182
Are you permitting relaying on your Exchange server?  If so, turn that off... it is a big NO NO!!!  Use your Exchange admin utility to disable relaying.

- Info

Author Comment

by:CyberianPrime
ID: 10760205
I don't believe I am. Where would I check for that in Exchange 5.5?

Is it possible that there is someone logging into the server and being authenticated to start relaying spam? Perhaps I should change the admin password?
LVL 10

Expert Comment

by:OneHump
ID: 10761200
Give us your email domain and server IP and we'll check.  It could be a harvest attack.  That's a spammer trying to gather your addresses by sending tons of email to random addresses.

Here is an article with instructions on securing your relay:

XCON: How to Prevent Mail Relay in Exchange Server 5.5 SP1 or Later
http://support.microsoft.com/default.aspx?scid=kb;en-us;315687

OneHump
Author Comment

by:CyberianPrime
ID: 10761373
How can you tell from my domain and IP if it's a harvest attack? Don't you need to see the guts of Exchange and event logs for that?

Domain: JBBBS.ORG
IP: 65.96.109.53

Step 3 in the Microsoft doc you linked says this: Select Reroute incoming SMTP mail, and then add all inbound mail domains. (This setting is required for POP3/IMAP4 support.) Would all inbound mail domains be their domain, JBBBS.ORG?

FYI - I have turned off port 25 on the router as we currently use Internet Mailbridge to retrieve POP3 email from our mail hosting provider, which then redistributes it to Exchange accounts. I opened port 25 briefly as I stated above and I believe that is the cause of this.
LVL 10

Expert Comment

by:OneHump
ID: 10766931
I can't tell for your domain/IP if it's a harvest attack.  It's just a common problem with similar symptoms.

Since you blocked port 25, I can't connect and therefore cannot relay.  This means your relay is closed for now.  You can use this URL to test on your own when you open that port back up:

http://www.abuse.net/relay.html

In the routing tab, you want to specify routes there for every domain you want to relay for.  For domains that Exchange is the final destination for, you will route "Inbound".  For others, you will specify the appropriate remote MTA.  What you need to be careful of there is the routing restrictions part.  You don't want internal hosts email to remote domains to bounce with "relaying denied".  Be sure to test test test.

I checked your domain in dnsreport.com.  It looks good from an email perspective.
http://www.dnsreport.com/tools/dnsreport.ch?domain=jbbbs.org.


OneHump

Author Comment

by:CyberianPrime
ID: 10767171
Since port 25 is closed, I assume the spam/overload in the outbound queue should stop once I manage to clear it?

I will eventually open it back up once we get rid of Internet Mailbridge. However, I am very unfamiliar with relaying and Exchange. Shouldn't relaying be turned off completely? Is it necessary to have relaying activated if I just want it to allow inbound mail for all "jbbbs.org" users? How would I set Exchange to filter out this outgoing spam crud that is clogging the queue up once I open Port 25 again? Please spell it out as I'm a newbie at relaying and the guts of Exchange.

Many thanks.
LVL 10

Accepted Solution

by: OneHump (earned 1000 total points)
ID: 10767642
It will certainly stop if you don't have port 25 open, but it will likely continue when you open it, depending on whether someone is using your box as an open relay, someone is dictionary harvest attacking, or someone is sending spam/viruses with from addresses spoofed from your domain.

Relaying can be turned off, but not completely.  You still need to relay for your internal domains and you still need to allow internal networks to send to external domains.  What this means is that you need to define your inbound domains in the Routing tab and specify your internal networks that need to relay in the Connections tab.  That article does a pretty good job of explaining it.  If it's not clear enough, here is another article that's pretty good:

Preventing Third Party Relaying In MS Exchange Server 5.5
http://www.msexchange.org/tutorials/Preventing_Third_Party_Relaying_In_MS_Exchange_Server_55.html

Here is another link with a lot of good info about available techniques and tools.

http://www.slipstick.com/exs/relay.htm

You could very well get more "crud" once you open up port 25.  It really depends on what you're doing.  The problem is that Exchange is not a great perimeter email server.  Most companies deploy solutions like Sendmail and use other tools like anti-spam or IDS software to deal with people behaving badly.  Doing business on the Internet is not an easy thing.

OneHump
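As an added example (not code from this thread, from Experts Exchange or from Microsoft's KB article), here is the two-part relay policy OneHump describes above, inbound domains from the Routing tab plus trusted internal networks from the Connections tab, written in Python together with an abuse.net-style probe. A tiny stand-in SMTP responder applies the policy so the probe can run offline; it is not Exchange. jbbbs.org is taken from the question; the internal network 192.168.1.0/24, the host name mail.jbbbs.org and the mail addresses are hypothetical. The probe connects from 127.0.0.1, which is deliberately left out of the internal-network list, so it behaves like an outside host.

```python
"""Exchange 5.5 style relay policy plus an open-relay probe (added example).

Rules modelled: a domain routed "Inbound" is always accepted as a recipient;
a client on a trusted internal network may relay anywhere; anyone else asking
for a third-party domain gets "550 5.7.1 Relaying denied".
"""
import ipaddress
import smtplib
import socket
import threading

# Constructed configuration: jbbbs.org is the domain from the thread, the
# internal network is a hypothetical value.
LOCAL_DOMAINS = {"jbbbs.org"}
RELAY_NETWORKS = ["192.168.1.0/24"]


def relay_allowed(client_ip, rcpt_domain, local_domains=LOCAL_DOMAINS,
                  relay_networks=RELAY_NETWORKS):
    """Decide whether RCPT TO:<...@rcpt_domain> from client_ip is accepted."""
    if rcpt_domain.lower() in {d.lower() for d in local_domains}:
        return True                    # we are the final destination: inbound
    addr = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n) for n in relay_networks]
    return any(addr in net for net in nets)   # trusted internal host only


class RelayPolicyServer(threading.Thread):
    """Minimal SMTP responder that enforces relay_allowed(); not Exchange."""

    def __init__(self, local_domains, relay_networks):
        super().__init__(daemon=True)
        self.local_domains, self.relay_networks = local_domains, relay_networks
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, (client_ip, _) = self.sock.accept()
            self._serve(conn, client_ip)

    def _serve(self, conn, client_ip):
        f = conn.makefile("rwb")

        def reply(line):
            f.write((line + "\r\n").encode())
            f.flush()

        reply("220 mail.jbbbs.org ESMTP (stand-in)")   # hypothetical host name
        while True:
            line = f.readline().decode("ascii", "replace").strip()
            if not line:
                break                                   # client went away
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply("250 mail.jbbbs.org")
            elif verb == "MAIL":
                reply("250 2.1.0 OK")
            elif verb == "RCPT":
                domain = arg.split("@")[-1].rstrip(">")
                if relay_allowed(client_ip, domain, self.local_domains, self.relay_networks):
                    reply("250 2.1.5 OK")
                else:
                    reply("550 5.7.1 Relaying denied")
            elif verb in ("RSET", "NOOP"):
                reply("250 2.0.0 OK")
            elif verb == "QUIT":
                reply("221 2.0.0 Bye")
                break
            else:
                reply("502 5.5.2 Command not implemented")
        f.close()
        conn.close()


def probe_relay(host, port, mail_from, rcpt_to):
    """Return True if the server accepts rcpt_to, i.e. would relay for it."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=5) as s:
        s.ehlo_or_helo_if_needed()
        code, _ = s.mail(mail_from)
        if code != 250:
            raise RuntimeError("MAIL FROM rejected: %d" % code)
        code, _ = s.rcpt(rcpt_to)
        s.rset()                       # never send DATA: nothing gets queued
        return code == 250


def demo():
    """Inbound mail to a local domain is accepted; third-party relay is refused."""
    server = RelayPolicyServer(LOCAL_DOMAINS, RELAY_NETWORKS)
    server.start()
    host, port = "127.0.0.1", server.port   # 127.0.0.1 is *not* in RELAY_NETWORKS
    inbound = probe_relay(host, port, "friend@example.com", "user@jbbbs.org")
    third_party = probe_relay(host, port, "spammer@example.com", "victim@example.net")
    return inbound, third_party


if __name__ == "__main__":
    print(demo())                      # (True, False)
```

To check a real server once port 25 is reopened, point probe_relay at the host on port 25: a 550 on the third-party RCPT is what you want, a 250 means the box is an open relay. Setting the internal list to 0.0.0.0/0 reproduces the open-relay misconfiguration and makes relay_allowed return True for any client; a list that is too narrow gives the "relaying denied" bounces for internal users that OneHump warns about. The probe issues RSET after RCPT and never sends DATA, so no message is left in the queue.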
LVL 11

Expert Comment

by:infotrader
ID: 10767699
Also, enforce a periodic password changing policy with some kind of complexity requirement.  Sometimes the attackers might get a hold of one of your users' ID and password and can therefore start to relay after they "authenticated".

- Info

Author Comment

by:CyberianPrime
ID: 10768116
Thanks guys. I appreciate the help. I'll have to do some more reading from here once we open up port 25 again. Now I just have to figure out how to clear the outbound queue of its 10,000 spam messages. :)
LVL 10

Expert Comment

by:OneHump
ID: 10768202
You could NDR them all from the queue if you want.  You could also set your retry intervals really low so they get dealt with faster and just let Exchange clear them out.

OneHump

Author Comment

by:CyberianPrime
ID: 10768333
Not sure what you mean by NDR them, but I'm going to try the steps listed in this kb article to clear the queue:

http://support.microsoft.com/?kbid=324059
LVL 10

Expert Comment

by:OneHump
ID: 10770062
That's a good article, but it won't result in a returned message for legitimate email.  By NDR them, you go into the queue in Exchange Administrator and delete them en masse.  It will ask you if you want to send a non-delivery report.  You say yes.  This will allow legitimate senders to know their email didn't arrive.

If you don't care and just want to be done with this, follow that article; it's good.

OneHump

Author Comment

by:CyberianPrime
ID: 10770199
I will try that. When I attempted this the other day via pcAnywhere/VPN, something froze or got clogged up. Now the server is down completely. My client's office is in a Jewish Community Center, so it has been and will be closed till Thurs AM. So, I'm assuming the server just froze up and puked. I'll have to hard reboot it on Thurs and try visiting that queue again.

Thanks for the help.
LVL 10

Expert Comment

by:OneHump
ID: 10771195
Maybe the server is observing passover.  :)

Author Comment

by:CyberianPrime
ID: 10771246
LOL. A Jewish server.

Expert Comment

by:nicley
ID: 11897439
CyberianPrime, I seem to be having a very similar problem and was wondering what you found to be the cause of your problem.

Thanks,
Ryan

Author Comment

by:CyberianPrime
ID: 11897902
Ryan,

You won't like this explanation. The server actually crashed soon after, so I just scrapped everything and installed W2K. Best move ever.

However, I would read the messages from OneHump carefully - including the links. He had some great ideas which worked until things went to hell.