mcse63

asked on

Exchange 2000 running Extremely Slow

Windows 2000 Server SP4/had 256 now has 768 RAM/DC/Exchange 2000 SP3/McAfee GroupShield/VirusScan 7.0
As of 4 days ago, my Exchange server has started acting strange and now is taking 5+ hours to send mail and up to 8 to receive. I have run a complete scan of the system thinking that perhaps a virus slipped through and that was clear. I then ran Stinger; this was clean as well. I have verified all latest patches and upgrades are installed. I have added memory thinking perhaps it was getting overloaded. When I can view the queue it shows that it is over a gig. Mail is backing up in a major way. Any assistance with this would be greatly appreciated. New to this, so if anyone needs more info just let me know.

Thanks

Sembee

This is saying mail relay.
Either you are an open relay or you are being used for an NDR attack.

If you look at the queues are they all from "postmaster@yourdomain"?

If so then this will confirm it.

Take a look at this article from MSKB on how to clear up the queues. Don't worry about the versions - the techniques are pretty much the same: http://support.microsoft.com/default.aspx?kbid=324958

It could also be an authenticated user attack on SMTP. Do you allow your users to send email through your SMTP server? If so you may want to consider disabling that feature for now.

Simon.
mcse63

ASKER

I have followed the instructions in the MS article and ran the relay test, and here are the results. I haven't received the mail but this is still bad.

To: cowandave%hotmail.com@mail.shop4zero.com
From: spamtest@mail.shop4zero.com
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:
<<< 250 2.1.0 spamtest@mail.shop4zero.com....Sender OK
>>>> RCPT TO:
<<< 250 2.1.5 cowandave%hotmail.com@mail.shop4zero.com
>>>> DATA
<<< 354 Start mail input; end with .
>>>> MESSAGE
<<< 250 2.6.0 Queued mail for delivery
SUCCESS

I see no other settings to check. Any other ideas?
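Added example (not part of the original thread): a small Python check that reads relay-test output in the format quoted above and reports whether the server accepted and queued mail for a recipient that really targets an outside domain. The function names and the example.com / outside.example domains are hypothetical placeholders, and the sample transcript is constructed.

```python
import re

# Constructed sample in the quoted test-output format, with placeholder domains.
SAMPLE = """\
To: someone%outside.example@mail.example.com
From: spamtest@mail.example.com
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:
<<< 250 2.1.0 spamtest@mail.example.com....Sender OK
>>>> RCPT TO:
<<< 250 2.1.5 someone%outside.example@mail.example.com
>>>> DATA
<<< 354 Start mail input; end with .
>>>> MESSAGE
<<< 250 2.6.0 Queued mail for delivery
"""


def routed_domain(rcpt):
    """Domain a recipient really targets: the part after '%' if source-routed."""
    local, _, domain = rcpt.strip("<>").rpartition("@")
    if "%" in local:  # user%target@relay form, as in the quoted test
        return local.rsplit("%", 1)[1].lower()
    return domain.lower()


def parse_replies(transcript):
    """Map each client command to the status code of the reply that follows it."""
    replies, last_cmd = {}, None
    for line in transcript.splitlines():
        if line.startswith(">>>>"):
            last_cmd = line[4:].strip().rstrip(":")
        elif line.startswith("<<<") and last_cmd:
            replies[last_cmd] = int(line[3:].split()[0])
            last_cmd = None
    return replies


def relay_accepted(transcript, local_domains):
    """True if a recipient routed to a non-local domain was accepted and queued."""
    rcpt = re.search(r"^To:\s*(\S+)", transcript, re.M).group(1)
    replies = parse_replies(transcript)
    external = routed_domain(rcpt) not in {d.lower() for d in local_domains}
    queued = replies.get("RCPT TO") == 250 and replies.get("MESSAGE") == 250
    return external and queued
```

A True result only shows that the server accepted and queued the message; whether it is then forwarded to the outside domain or bounced as an NDR has to be confirmed from the queues.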
Put your domain in to dnsreport.com and see what it comes back with.

Have you made any changes to the configuration of the machine? Exchange 2000 is relay secure "out of the box" but you can change settings to turn it in to a relay.

Simon.
mcse63

ASKER

Came back with I don't have an SPF record and a few DNS issues. I have worked those out. Is an SMTP connector necessary to send and receive mail? Let me explain a bit more. I have an external DC that forwards all mail to the Exchange server behind the firewall and the Exchange uses the EDC as the smart host. I have configured the firewall to accept mail to my Exchange box directly. So do I need the smart host and the connector?
I think you may have an extremely large message that cannot be sent, due to message size restrictions at both ends (sender and recipient).

I've seen the same scenario before. What happened was we had no outbound limits set, but we did have inbound limits set. Someone tried to send a 400MB attachment and the recipient's mail server rejected it with a copy of the message attached to the NDR; our system then rejected it as well, and back and forth it went...

The message must be huge due to the amount of time it takes to send the message, in your case 5 hours or so. This is what you need to do to check for that.

1. First stop SMTP services.
2. Open your Exchange server queue folder (default location is c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue).
3. Is there mail in that folder? If there is, then change the view to details and sort it by size. Find out if there is a large message in there and delete or move it. If not, proceed to the next step...
4. Open the ESM (Exchange System Manager) and drill down to your queues (server/protocols/SMTP/default) for that server; you can also view those queues and sort by message size.
5. If you find a mail queue that is huge, enumerate the messages and double click the queue to see what messages are waiting in the queue. If you find a big one in there that you feel is the culprit, you can delete it right from there with "NO NDR!".
6. Start your SMTP service back up of course.. ;)

Hope this helps ya, cheers. :)
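Added example (not part of the original thread): a Python sketch that combines the two queue checks suggested in this thread, sorting queued messages by size and measuring how many are from postmaster@ the local domain. It assumes the queue folder holds RFC 822 style `.eml` files; the function names, the 0.8 threshold, the file names and the example.com domain are hypothetical, and the sample queue is constructed.

```python
import tempfile
from collections import Counter
from email.parser import BytesParser
from email.utils import parseaddr
from pathlib import Path


def read_headers(path, limit=64 * 1024):
    # Read only the first 64 KB: enough for headers, safe on a huge queued message.
    with open(path, "rb") as fh:
        return BytesParser().parsebytes(fh.read(limit), headersonly=True)


def triage_queue(queue_dir, domain, top=3, ndr_share=0.8):
    """Return totals, the largest files and the share of mail from postmaster@domain."""
    files = sorted(Path(queue_dir).glob("*.eml"))
    sizes = {p.name: p.stat().st_size for p in files}
    senders = Counter(
        parseaddr(read_headers(p).get("From", ""))[1].lower() for p in files
    )
    share = senders["postmaster@" + domain.lower()] / len(files) if files else 0.0
    return {
        "messages": len(files),
        "total_bytes": sum(sizes.values()),
        "largest": sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)[:top],
        "postmaster_share": share,
        # ndr_share is an assumed threshold, not a value from the thread.
        "likely_ndr_flood": share >= ndr_share,
    }


def build_sample_queue(queue_dir):
    # Constructed sample: nine NDR-style messages and one ordinary large message.
    ndr = (b"From: postmaster@example.com\r\nTo: victim%d@example.net\r\n"
           b"Subject: Delivery Status Notification (Failure)\r\n\r\nbounce\r\n")
    for i in range(9):
        Path(queue_dir, "NTFS_%03d.eml" % i).write_bytes(ndr % i)
    big = b"From: user@example.com\r\nTo: a@example.org\r\n\r\n" + b"x" * 5000
    Path(queue_dir, "NTFS_big.eml").write_bytes(big)


def demo():
    with tempfile.TemporaryDirectory() as d:
        build_sample_queue(d)
        return triage_queue(d, "example.com")


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the queue folder with the SMTP service stopped, so files are not moved while they are being read.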
mcse63

ASKER

I appreciate the input jsk-ck, I thought something like that as well and checked that yesterday. I didn't mention that in my first description as I am just getting the hang of this posting stuff. Thanks again.
No prob, you might want to check your mail gateway (smarthost) for the same thing as I mentioned if you haven't done so already.

Good luck
SMTP Connector is not required for receiving email. Sometimes you need one for sending email. An SMTP connector usually directs email to another place - one that is different to what Exchange can find itself - for example you need to send email through the ISPs server (smart host).

If you are not sending email directly - and wish to send it through another machine - a relay - then you will need an SMTP connector, change it to smart host mode and enter the IP address or dns name of the relay machine.

Simon.
mcse63

ASKER

Simon,

You have been a great help and are in the lead for the points. I have finally been able to open the queue and it is all postmaster@mydomain.com. Is there a way to prevent Reverse NDR attacks, which is what I think this is?

Thanks,
Reverse NDRs ... those are what got me banned from AOL.  :)  

In Exchange 2000...

System Manager -> Global Settings -> Internet Message Formats...

Right click on your Default and choose Properties. In the Advanced tab there is a check box 'Allow non-delivery reports'. By unchecking this you basically turn off NDRs for incoming emails... Now there is a caveat to this. If anyone sends a legit email to your company using a wrong email address, your server will not respond back saying the user does not exist.

Nevertheless, look to getting an email filter that blocks non-existent users on your domain by doing directory lookups (such as ORF).  Sembee should get the points, not me...
ASKER CERTIFIED SOLUTION
Sembee
This solution is only available to members.
mcse63

ASKER

I just wanted to say thanks for all the help. By accepting your answer Simon that meant that you received the points, right? If not let me know what I need to do and I will make sure that you get them. I am going to look into some decent spam blocking apps. 26-50 users. Any thoughts?

Thanks again
Straight spam I would look at "I Hate Spam". I have that running on a number of clients with Exchange 2003.
However in this case I think the first product you should look at is Mail Essentials from GFI. http://www.gfi.com/ 

I have the points - thank you.

Simon.
Good answer, well done!

I use NetIQ's MailMarshal SMTP in front of my mail servers. It works very well, is extremely configurable and automatically updated. The price wasn't too bad either I thought. It runs on a Windows Server, and uses very little resources for what it does... it really is a complete SMTP gateway that scans for not only spam but content and of course viruses as well.

http://www.netiq.com/products/mma/default.asp

Cheers

/Steve
I have GFI running on my mail server now. Price is nice BUT the latest release (v10) still does not have the email directory lookup check that you (and I) are having problems with - basically SPAM is one thing but being emailed random names@mydomain.com can even be more annoying. ORF is a product that I have never used but the specs look great. It seems to do all the major stuff that GFI does PLUS the email directory checking to prevent DHA and the Dictionary attacks.

http://www.vamsoft.com/orf/orfee_prodspec.asp

Priced at $99 per server (no user license fees - amazing...) this is pennies to even use.  I am seriously considering just buying this product just to block unknown user emails.
mcse63

ASKER

Thanks for the input LimeSMJ

I have downloaded both and will install them today and let you know how it goes.
I have NDR in Exg 2k turned off but if I put in an address to send them to they still are created and sent?
Do they end up in the badmail folder if no notification was sent? We are involved in cleaning up a reverse NDR attack. Is there a product that deals with this effectively?
BrownLumber - This is a closed question. As such the experts will not see your question.
You should post a new question in the main Exchange topic area, the other experts will then pick up the question and answer.

Simon.