Solved

Exchange 2000 running Extremely Slow

Posted on 2004-08-23
Last Modified: 2008-02-01
Windows 2000 Server SP4 / had 256 now has 768 RAM / DC / Exchange 2000 SP3 / McAfee GroupShield / VirusScan 7.0
As of 4 days ago, my Exchange server has started acting strange and now is taking 5+ hours to send mail and up to 8 to receive. I have run a complete scan of the system thinking that perhaps a virus slipped through, and that was clear. I then ran Stinger; this was clean as well. I have verified all latest patches and upgrades are installed. I have added memory thinking perhaps it was getting overloaded. When I can view the queue it shows that it is over a gig. Mail is backing up in a major way. Any assistance with this would be greatly appreciated. New to this, so if anyone needs more info just let me know.

Thanks

Question by:mcse63
LVL 104

Expert Comment

by:Sembee
This is saying mail relay.
Either you are an open relay or you are being used for an NDR attack.

If you look at the queues are they all from "postmaster@yourdomain"?

If so then this will confirm it.

Take a look at this article from MSKB on how to clear up the queues. Don't worry about the versions - the techniques are pretty much the same: http://support.microsoft.com/default.aspx?kbid=324958

It could also be an authenticated user attack on SMTP. Do you allow your users to send email through your SMTP server? If so you may want to consider disabling that feature for now.

Simon.
0
 

Author Comment

by:mcse63
I have followed the instructions in the MS article and ran the relay test, and here are the results. I haven't received the mail but this is still bad.

To: cowandave%hotmail.com@mail.shop4zero.com
From: spamtest@mail.shop4zero.com
<<< 250 2.0.0 Resetting
>>>> MAIL FROM:
<<< 250 2.1.0 spamtest@mail.shop4zero.com....Sender OK
>>>> RCPT TO:
<<< 250 2.1.5 cowandave%hotmail.com@mail.shop4zero.com
>>>> DATA
<<< 354 Start mail input; end with .
>>>> MESSAGE
<<< 250 2.6.0 Queued mail for delivery
SUCCESS

I see no other settings to check. Any other ideas?
0
 
LVL 104

Expert Comment

by:Sembee
Put your domain in to dnsreport.com and see what it comes back with.

Have you made any changes to the configuration of the machine? Exchange 2000 is relay secure "out of the box" but you can change settings to turn it in to a relay.

Simon.
0
 

Author Comment

by:mcse63
Came back with I don't have an SPF record and a few DNS issues. I have worked those out. Is an SMTP connector necessary to send and receive mail? Let me explain a bit more. I have an external DC that forwards all mail to the Exchange server behind the firewall, and the Exchange uses the edc as the smart host. I have configured the firewall to accept mail to my Exchange box directly. So do I need the smart host and the connector?
0
 
LVL 5

Expert Comment

by:Steve M
I think you may have an extremely large message that cannot be sent, due to message size restrictions at both ends (sender and recipient).

I've seen the same scenario before. What happened was we had no outbound limits set, but we did have inbound limits set. Someone tried to send a 400MB attachment and the recipient's mail server rejected it with a copy of the message attached to the NDR; our system then rejected it as well, and back and forth it went...

The message must be huge due to the amount of time it takes to send the message, in your case 5 hours or so. This is what you need to do to check for that.

1. First stop SMTP services.
2. Open your Exchange server queue folder (default location is c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue).
3. Is there mail in that folder? If there is, then change the view to details and sort it by size. Find out if there is a large message in there and delete or move it. If not, proceed to the next step...
4. Open the ESM (Exchange System Manager) and drill down to your queues (server/protocols/SMTP/default) for that server; you can also view those queues and sort by message size.
5. If you find a mail queue that is huge, enumerate the messages and double click the queue to see what messages are waiting in the queue. If you find a big one in there that you feel is the culprit, you can delete it right from there with "NO NDR!".
6. Start your SMTP service back up, of course.. ;)

Hope this helps ya, cheers. :)
0
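Added example (not part of the thread, and not code from any poster): a Python triage of a copy of the queue folder that answers both questions raised above, whether the queue is dominated by postmaster@ messages and whether one oversized message is stuck. It assumes the queued files can be read as RFC 822 text; the sample messages and example.com addresses are constructed.

```python
import os
import tempfile
from collections import Counter
from email.parser import BytesHeaderParser
from email.utils import parseaddr

HEADER_BYTES = 64 * 1024  # read only the start of each file; bodies can be huge

def triage_queue(folder, top=3):
    """Count queued messages per From address and list the largest files."""
    senders, sizes = Counter(), []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            headers = BytesHeaderParser().parsebytes(fh.read(HEADER_BYTES))
        sender = parseaddr(str(headers.get("From", "")))[1].lower() or "<none>"
        senders[sender] += 1
        sizes.append((os.path.getsize(path), name))
    total = sum(senders.values())
    postmaster = sum(n for s, n in senders.items() if s.startswith("postmaster@"))
    return {
        "messages": total,
        "bytes": sum(size for size, _ in sizes),
        "top_senders": senders.most_common(top),
        "largest": sorted(sizes, reverse=True)[:top],
        # close to 1.0 points at an NDR flood rather than one stuck message
        "postmaster_share": postmaster / total if total else 0.0,
    }

def build_sample_queue():
    """Constructed sample data: 8 NDRs, 1 ordinary message, 1 large message."""
    folder = tempfile.mkdtemp(prefix="queue-copy-")
    def write(name, sender, rcpt, body):
        head = f"From: {sender}\r\nTo: {rcpt}\r\nSubject: test\r\n\r\n".encode()
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(head + body)
    for i in range(8):
        write(f"ndr{i}.eml", "postmaster@example.com",
              f"forged{i}@example.net", b"Delivery failed\r\n")
    write("normal.eml", "alice@example.com", "bob@example.org", b"hello\r\n")
    write("big.eml", "carol@example.com", "dave@example.org", b"A" * 200_000)
    return folder

if __name__ == "__main__":
    print(triage_queue(build_sample_queue()))
```

Run it against a copy of the queue folder taken while the SMTP service is stopped, as in step 1 above.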
 

Author Comment

by:mcse63
I appreciate the input jsk-ck, I thought something like that as well and checked that yesterday. I didn't mention that in my first description as I am just getting the hang of this posting stuff. Thanks again.
0
 
LVL 5

Expert Comment

by:Steve M
No prob, you might want to check your mail gateway (smarthost) for the same thing as I mentioned if you haven't done so already.

Good luck
0
 
LVL 104

Expert Comment

by:Sembee
SMTP Connector is not required for receiving email. Sometimes you need one for sending email. An SMTP connector usually directs email to another place - one that is different to what Exchange can find itself - for example you need to send email through the ISPs server (smart host).

If you are not sending email directly - and wish to send it through another machine - a relay - then you will need an SMTP connector, change it to smart host mode and enter the IP address or dns name of the relay machine.

Simon.
0
 

Author Comment

by:mcse63
Simon,

You have been a great help and are in the lead for the points. I have finally been able to open the queue and it is all postmaster@mydomain.com. Is there a way to prevent Reverse NDR attacks, which is what I think this is?

Thanks,
0
LVL 7

Expert Comment

by:LimeSMJ
Reverse NDRs ... those are what got me banned from AOL.  :)  

In Exchange 2000...

System Manager -> Global Settings -> Internet Message Formats...

Right click on your Default and choose Properties. In the Advanced tab there is a check box 'Allow non-delivery reports'. By unchecking this you basically turn off NDRs for incoming emails... Now there is a caveat to this. If anyone sends a legit email to your company using a wrong email address, your server will not respond back saying the user does not exist.

Nevertheless, look to getting an email filter that blocks non-existent users on your domain by doing directory lookups (such as ORF).  Sembee should get the points, not me...
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
"LimeSMJ" has it right. I would have responded earlier but I was asleep.

The problem with turning off NDRs is that the legitimate NDRs (misspelling of names of legitimate users) will not be sent back to the users. Getting a filter to put in front of your Exchange server is a much better solution as it will stop the communication at the SMTP level.
Exchange 2003 has this feature built in.

Simon.
0
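Added example (not part of the thread, and not how Exchange or any product named here is implemented): a toy Python model of an SMTP receiver showing why a directory lookup at RCPT TO stops NDR generation, while accept-then-bounce queues a postmaster@ report to whatever sender the envelope claimed. The domain, mailbox set, reply texts and sample session are constructed assumptions.

```python
LOCAL_DOMAIN = "example.com"                # assumption: stand-in for your domain
MAILBOXES = {"alice", "bob", "postmaster"}  # constructed directory contents

def run_session(commands, recipient_filter):
    """Toy SMTP receiver. Returns (replies, ndrs); each ndr is the
    (From header, recipient) of a bounce the server queues afterwards."""
    replies, ndrs, sender, accepted = [], [], None, []
    for line in commands:
        verb, _, arg = line.partition(":")
        verb, addr = verb.upper(), arg.strip().strip("<>")
        if verb == "MAIL FROM":
            sender, accepted = addr, []
            replies.append("250 2.1.0 Sender OK")
        elif verb == "RCPT TO":
            local, _, domain = addr.rpartition("@")
            if domain.lower() != LOCAL_DOMAIN:
                replies.append("550 5.7.1 Unable to relay")
            elif recipient_filter and local.lower() not in MAILBOXES:
                # refused during the SMTP conversation: nothing is queued
                replies.append("550 5.1.1 User unknown")
            else:
                accepted.append(local.lower())
                replies.append("250 2.1.5 Recipient OK")
        elif verb == "DATA":
            if not accepted:
                replies.append("554 5.5.1 No valid recipients")
                continue
            replies.append("250 2.6.0 Queued mail for delivery")
            for local in accepted:
                # accepted but undeliverable: the server now owes a bounce
                if local not in MAILBOXES and sender:
                    ndrs.append((f"postmaster@{LOCAL_DOMAIN}", sender))
    return replies, ndrs

# Constructed session: forged sender, two unknown recipients, one real one.
SAMPLE = [
    "MAIL FROM:<forged@example.net>",
    "RCPT TO:<nosuchuser@example.com>",
    "RCPT TO:<someone%example.org@example.com>",
    "RCPT TO:<alice@example.com>",
    "DATA",
]

if __name__ == "__main__":
    for flag in (False, True):
        replies, ndrs = run_session(SAMPLE, recipient_filter=flag)
        print("filter", flag, "->", replies, "NDRs queued:", ndrs)
```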
 

Author Comment

by:mcse63
I just wanted to say thanks for all the help. By accepting your answer Simon that meant that you received the points, right? If not let me know what I need to do and I will make sure that you get them. I am going to look into some decent spam blocking apps. 26-50 users. Any thoughts?

Thanks again
0
 
LVL 104

Expert Comment

by:Sembee
Straight spam I would look at "I Hate Spam". I have that running on a number of clients with Exchange 2003.
However in this case I think the first product you should look at is Mail Essentials from GFI. http://www.gfi.com/

I have the points - thank you.

Simon.
0
 
LVL 5

Expert Comment

by:Steve M
Good answer, well done!

I use NetIQ's MailMarshal SMTP in front of my mail servers. It works very well, is extremely configurable and automatically updated. The price wasn't too bad either, I thought. It runs on a Windows Server, and uses very little resources for what it does... it really is a complete SMTP gateway that scans for not only spam but content and of course viruses as well.

http://www.netiq.com/products/mma/default.asp

Cheers

/Steve
0
 
LVL 7

Expert Comment

by:LimeSMJ
I have GFI running on my mail server now. Price is nice BUT the latest release (v10) still does not have the email directory lookup check that you (and I) are having problems with - basically SPAM is one thing but being emailed random names@mydomain.com can be even more annoying. ORF is a product that I have never used but the specs look great. It seems to do all the major stuff that GFI does PLUS the email directory checking to prevent DHA and the Dictionary attacks.

http://www.vamsoft.com/orf/orfee_prodspec.asp

Priced at $99 per server (no user license fees - amazing...) this is pennies to even use.  I am seriously considering just buying this product just to block unknown user emails.
0
 

Author Comment

by:mcse63
Thanks for the input LimeSMJ

I have downloaded both and will install them today and let you know how it goes.
0
 

Expert Comment

by:BrownLumber
I have NDR in Exchange 2k turned off, but if I put in an address to send them to they still are created and sent?
Do they end up in the badmail folder if no notification was sent? We are involved in cleaning up a reverse NDR attack. Is there a product that deals with this effectively?
0
 
LVL 104

Expert Comment

by:Sembee
BrownLumber - This is a closed question. As such the experts will not see your question.
You should post a new question in the main Exchange topic area, the other experts will then pick up the question and answer.

Simon.
0
