Solved

SMTP Queue is flooded with spam....

Posted on 2004-09-01
9
436 Views
Last Modified: 2012-08-14
I have two Exchange 2K3 servers running on 2003 servers. No FE\BE config at all. The problem is I am getting flooded with junk on my first email SMTP queue. There is nothing hitting my second? All email functions are fine in and out. I found when I turn off the Exchange MTA Stacks Service all email is fine and there is no more flooding. I have my Virtual Server set up as follows

Both have the same on Authentication, Connection and Relay

Authentication

All options are checked

Connection

All but the list below
List is empty

Relay
Only the listed below.

My domain is listed in the list as Granted.


What am I doing wrong?
0
Comment
Question by:pcspeedwaycom
9 Comments
 
LVL 17

Expert Comment

by:Microtech
ID: 11953057
Hi pcspeedwaycom,

if you have not seen this it will help http://support.microsoft.com/default.aspx?scid=kb;en-us;823019&Product=exch2003

Hope This helps
0
 

Author Comment

by:pcspeedwaycom
ID: 11953068
Additional Info

When I have the service running my CPU Utilization Dual (P3 1 GHZ) are running at anywhere from 35 to 50%
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11953161
It sounds like you might be the victim of an authenticated user SPAM attack. This is where a user account has been compromised and the spammer is sending email as that authenticated user.
Do you have any users sending email via SMTP? Outlook Express for example?
If not, then you can disable the feature.
If you do then you will need to turn up logging and see which account is being used. You can then get the account disabled or the password changed.

Simon.
0
 

Author Comment

by:pcspeedwaycom
ID: 11953249
That was a great KB article; I have 3 Exchange resource books and none spell it out as nicely. I am turning off anonymous access on the authentication to see what happens. I thought that would stop incoming mail from external domains. I am also looking at the tracking and see the senders as bogus email addresses? All of the recipients are bogus users @mydomain.com?

So, Does this mean I am not relaying simply being pummeled with junk mail?
0
 
LVL 4

Expert Comment

by:ehammersley
ID: 11953255
Good thing I refreshed before I posted  :-)

My post was right there with Sembee... a lot of admins will create simple test accounts like test with a password of test. This is just asking for trouble. More often than not, when I've seen this problem it has been directly connected to a compromised user account. SMTP logging to Max will identify this for you.

Exch 2003:

ESM, right click your server and choose Properties. Select the Diagnostics Logging tab, select MSExchangeTransport in the left pane, choose SMTP Protocol in the right pane and finally select Maximum in the option list below.
0
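Once SMTP protocol logging is at Maximum, the question is which account the traffic is coming through. The script below is an added example, not part of this thread: it parses a W3C-style SMTP protocol log by its "#Fields:" header, counts accepted RCPT TO commands per authenticated user (cs-username), and lists accounts above a threshold. The log sample is constructed and the column layout is assumed; adjust the field names to whatever your own "#Fields:" line says.

```python
from collections import Counter

# Constructed sample of an Exchange 2003 / IIS 6 W3C SMTP protocol log.
# Field layout is assumed (the #Fields: header drives the parser); values are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2004-09-01 08:00:01 203.0.113.7 test SMTPSVC1 EXCH01 192.0.2.10 25 MAIL - +FROM:<bogus@example.net> 250
2004-09-01 08:00:01 203.0.113.7 test SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - +TO:<aaa@example.org> 250
2004-09-01 08:00:01 203.0.113.7 test SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - +TO:<bbb@example.org> 250
2004-09-01 08:00:02 203.0.113.7 test SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - +TO:<ccc@example.org> 250
2004-09-01 08:00:02 203.0.113.7 test SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - +TO:<ddd@example.org> 250
2004-09-01 08:00:05 192.0.2.55 jsmith SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - +TO:<colleague@example.com> 250
2004-09-01 08:00:09 198.51.100.3 - SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - +TO:<nobody@example.com> 250
2004-09-01 08:00:09 198.51.100.3 - SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - +TO:<nobody2@example.com> 550
"""

def parse_w3c(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()  # W3C logs encode spaces inside values as '+'
        if len(values) != len(fields):
            continue  # skip malformed lines rather than miscount
        yield dict(zip(fields, values))

def rcpt_counts_by_auth_user(log_text):
    """Accepted RCPT TO commands per authenticated account. Anonymous sessions
    log '-' as the user and are skipped: they are inbound mail, not auth relay."""
    counts = Counter()
    for rec in parse_w3c(log_text):
        if rec["cs-method"] == "RCPT" and rec["cs-username"] != "-" and rec["sc-status"] == "250":
            counts[rec["cs-username"]] += 1
    return counts

def suspicious_accounts(log_text, threshold):
    """Return (user, count) pairs at or above threshold, highest first."""
    return [(u, n) for u, n in rcpt_counts_by_auth_user(log_text).most_common() if n >= threshold]

if __name__ == "__main__":
    for user, n in suspicious_accounts(SAMPLE_LOG, 3):
        print(f"{user}: {n} recipients via authenticated SMTP")
```

Run it over a real day's log with a threshold that fits your normal user volume; an account such as "test" in the sample is the one to disable or reset as Sembee describes.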
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 11953473
If the recipients are bogus people at your domain then that is easy to stop with Exchange 2003.
The technique below will filter the messages at the SMTP level forcing the remote SMTP server to create the NDR before the message is delivered. This will take significant load off your machine.  

1. Expand ESM, Message Delivery.
2. Right click on "Message Delivery" and choose Properties.
3. Click on the tab "Recipient Filtering".
4. Enable the option "Filter Recipients who are not in the directory."

You then need to enable the Recipient Filter on the SMTP Server.

1. Still in ESM, Expand Admin Groups, <your admin groups>, Server, <your server>, Protocols, SMTP.
2. Right click on SMTP Virtual Server and choose Properties.
3. Click on "Advanced" next to the IP address on the first tab.
4. With the IP address selected, choose "Edit".
5. Enable "Apply Recipient Filter".
6. Click Apply/OK until clear.  

Simon.
0
 

Author Comment

by:pcspeedwaycom
ID: 11999294
I have followed everything I can find regarding relaying and recipient filtering and now I have over 6000 messages in my SMTP Mailbox Store. All of the senders are bogus and about 99.999 % of the recipients are bogus. It seems all the messages are x400 related in the Recipients part of the message when I open it in the queue? I am lost... When I stop the Exchange MTA Stack service nothing comes in?
0
 

Author Comment

by:pcspeedwaycom
ID: 11999308
Clarification: nothing bogus comes in. Everything else seems to work fine?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11999977
Just need to do some clean up then.

Take a look at this article from Microsoft KB. Ignore the SBS references, it applies to regular Exchange as well.

http://support.microsoft.com/default.aspx?kbid=324958

Simon.
0
