Solved

SMTP Queue is flooded with spam....

Posted on 2004-09-01
9
442 Views
Last Modified: 2012-08-14
I have two Exchange 2K3 servers running on 2003 servers. No FE\BE config at all. The problem is I am getting flooded with junk on my first email SMTP queue. There is nothing hitting my second? All email functions are fine in and out. I found when I turn off the Exchange MTA Stacks Service all email is fine and there is no more flooding. I have my Virtual Server set up as follows

Both have the same on Authentication, Connection and Relay

Authentication

All options are checked

Connection

All but the list below
List is empty

Relay
Only the listed below.

My domain is listed in the list as Granted.


What am I doing wrong?
0
Comment
Question by:pcspeedwaycom
9 Comments
 
LVL 17

Expert Comment

by:Microtech
ID: 11953057
Hi pcspeedwaycom,

if you have not seen this it will help http://support.microsoft.com/default.aspx?scid=kb;en-us;823019&Product=exch2003

Hope This helps
0
 

Author Comment

by:pcspeedwaycom
ID: 11953068
Additional Info

When I have the service running my CPU Utilization Dual (P3 1 GHZ) are running at anywhere from 35 to 50%
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11953161
It sounds like you might be the victim of an authenticated user SPAM attack. This is where a user account has been compromised and the spammer is sending email as that authenticated user.
Do you have any users sending email via SMTP? Outlook Express for example?
If not, then you can disable the feature.
If you do then you will need to turn up logging and see which account is being used. You can then get the account disabled or the password changed.

Simon.
0

 

Author Comment

by:pcspeedwaycom
ID: 11953249
That was a great KB Article, I have 3 Exchange resource books and none spell it out as nice. I am turning off anonymous access on the authentication to see what happens. I thought that would stop incoming mail from external domains. I am also looking at the tracking and see the senders as bogus email addresses? All of the recipients are bogus users @mydomain.com?

So, does this mean I am not relaying, simply being pummeled with junk mail?
0
 
LVL 4

Expert Comment

by:ehammersley
ID: 11953255
Good thing I refreshed before I posted  :-)

My post was right there with Sembee... a lot of admins will create simple test accounts like test with a password of test.  This is just asking for trouble.  More often than not when I've seen this problem it has been in directly connected to a compromised user account.  SMTP logging to Max will identify this for you.

Exch 2003:

ESM, Right click your server and choose properties.  Select the Diagnostics Logging tab, select MSExchangeTransport in the left pane, choose SMTP Protocol in the right pane and finally select Maximum in the option list below.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 11953473
If the recipients are bogus people at your domain then that is easy to stop with Exchange 2003.
The technique below will filter the messages at the SMTP level forcing the remote SMTP server to create the NDR before the message is delivered. This will take significant load off your machine.  

1. Expand ESM, Message Delivery.
2. Right click on "Message Delivery" and choose Properties.
3. Click on the tab "Recipient Filtering".
4. Enable the option "Filter Recipients who are not in the directory."

You then need to enable the Recipient Filter on the SMTP Server.

1. Still in ESM, Expand Admin Groups, <your admin groups>, Server, <your server>, Protocols, SMTP.
2. Right click on SMTP Virtual Server and choose Properties.
3. Click on "Advanced" next to the IP address on the first tab.
4. With the IP address selected, choose "Edit".
5. Enable "Apply Recipient Filter".
6. Click Apply/OK until clear.  

Simon.
0
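A check a defender could run after enabling the recipient filter described in the accepted answer, as an added example that is not part of the thread: it tallies RCPT results per client IP from an SMTP protocol log and lists any accepted recipients that are not in the directory. It assumes W3C extended logging with the fields shown in the header line; the log lines, the `VALID` recipient set and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log in W3C extended format (field selection is an assumption).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-09-01 10:00:01 192.0.2.10 MAIL +FROM:<a1@bogus.example> 250
2004-09-01 10:00:02 192.0.2.10 RCPT +TO:<qwerty@mydomain.com> 550
2004-09-01 10:00:03 192.0.2.10 RCPT +TO:<zxcv@mydomain.com> 550
2004-09-01 10:00:04 192.0.2.10 RCPT +TO:<asdf@mydomain.com> 250
2004-09-01 10:01:00 198.51.100.7 MAIL +FROM:<partner@customer.example> 250
2004-09-01 10:01:01 198.51.100.7 RCPT +TO:<alice@mydomain.com> 250
"""

VALID = {"alice@mydomain.com"}  # hypothetical export of real mailbox addresses


def parse(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))


def rcpt_report(text, valid, domain="mydomain.com"):
    """Per client IP: rejected/accepted RCPTs for our domain, plus accepted
    addresses that are not in the directory (the filter did not stop them)."""
    stats = defaultdict(lambda: {"rejected": 0, "accepted": 0, "leaked": []})
    for row in parse(text):
        if row.get("cs-method", "").upper() != "RCPT":
            continue
        addr = row.get("cs-uri-query", "").partition("<")[2].partition(">")[0].lower()
        if not addr.endswith("@" + domain):
            continue
        entry = stats[row["c-ip"]]
        if row["sc-status"].startswith("5"):
            entry["rejected"] += 1  # refused at the SMTP level, no queue entry
        else:
            entry["accepted"] += 1
            if addr not in valid:
                entry["leaked"].append(addr)
    return dict(stats)


if __name__ == "__main__":
    for ip, entry in rcpt_report(SAMPLE_LOG, VALID).items():
        print(ip, entry)
```

A non-empty `leaked` list for a client means mail for unknown recipients is still being accepted, so the filter is not applied on the virtual server that client reached.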
 

Author Comment

by:pcspeedwaycom
ID: 11999294
I have followed everything I can find regarding relaying and recipient filtering and now I have over 6000 messages in my SMTP Mailbox Store. All of the senders are bogus and about 99.999 % of the recipients are bogus. It seems all the messages are x400 related in the Recipients part of the message when I open it in the queue? I am lost... When I stop the Exchange MTA Stack service nothing comes in?
0
 

Author Comment

by:pcspeedwaycom
ID: 11999308
Clarification, Nothing bogus comes in. Everything else seems to work fine?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11999977
Just need to do some clean up then.

Take a look at this article from Microsoft KB. Ignore the SBS references, it applies to regular Exchange as well.

http://support.microsoft.com/default.aspx?kbid=324958

Simon.
0


Question has a verified solution.
