  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 449

SMTP Queue is flooded with spam....

I have two Exchange 2K3 servers running on 2003 servers. No FE\BE config at all. The problem is I am getting flooded with junk on my first email SMTP queue. There is nothing hitting my second? All email functions are fine in and out. I found when I turn off the Exchange MTA Stacks Service all email is fine and there is no more flooding. I have my Virtual Server set up as follows:

Both have the same on Authentication, Connection and Relay

Authentication

All options are checked

Connection

All but the list below
List is empty

Relay
Only the listed below.

My domain is listed in the list as Granted.


What am I doing wrong?
0
Asked:
pcspeedwaycom
1 Solution
 
Microtech Commented:
Hi pcspeedwaycom,

if you have not seen this it will help http://support.microsoft.com/default.aspx?scid=kb;en-us;823019&Product=exch2003

Hope This helps
0
 
pcspeedwaycom (Author) Commented:
Additional Info

When I have the service running my CPU Utilization Dual (P3 1 GHZ) are running at anywhere from 35 to 50%
0
 
Sembee Commented:
It sounds like you might be the victim of an authenticated user SPAM attack. This is where a user account has been compromised and the spammer is sending email as that authenticated user.
Do you have any users sending email via SMTP? Outlook Express for example?
If not, then you can disable the feature.
If you do then you will need to turn up logging and see which account is being used. You can then get the account disabled or the password changed.

Simon.
0
 
pcspeedwaycom (Author) Commented:
That was a great KB Article, I have 3 Exchange resource books and none spell it out as nicely. I am turning off anonymous access on the authentication to see what happens. I thought that would stop incoming mail from external domains. I am also looking at the tracking and see the senders as bogus email addresses? All of the recipients are bogus users @mydomain.com?

So, Does this mean I am not relaying simply being pummeled with junk mail?
0
 
ehammersley Commented:
Good thing I refreshed before I posted  :-)

My post was right there with Sembee... a lot of admins will create simple test accounts like test with a password of test.  This is just asking for trouble.  More often than not when I've seen this problem it has been directly connected to a compromised user account.  SMTP logging to Max will identify this for you.

Exch 2003:

ESM, Right click your server and choose properties.  Select the Diagnostics Logging tab, select MSExchangeTransport in the left pane, choose SMTP Protocol in the right pane and finally select Maximum in the option list below.
0
 
Sembee Commented:
If the recipients are bogus people at your domain then that is easy to stop with Exchange 2003.
The technique below will filter the messages at the SMTP level, forcing the remote SMTP server to create the NDR before the message is delivered. This will take significant load off your machine.

1. Expand ESM, Message Delivery.
2. Right click on "Message Delivery" and choose Properties.
3. Click on the tab "Recipient Filtering".
4. Enable the option "Filter Recipients who are not in the directory."

You then need to enable the Recipient Filter on the SMTP Server.

1. Still in ESM, Expand Admin Groups, <your admin groups>, Server, <your server>, Protocols, SMTP.
2. Right click on SMTP Virtual Server and choose Properties.
3. Click on "Advanced" next to the IP address on the first tab.
4. With the IP address selected, choose "Edit".
5. Enable "Apply Recipient Filter".
6. Click Apply/OK until clear.

Simon.
0
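To make the effect of the recipient filter concrete, the model below is an added example, not code from this thread or from Microsoft. It replays the RCPT TO stage of an SMTP session against a constructed directory of real mailboxes, once with the filter off and once with it on, and counts how many messages the local server would have to queue and NDR itself in each case. The addresses, the directory and the reply text are constructed.

```python
"""Added example: a model of the SMTP RCPT stage showing why refusing unknown
recipients at SMTP time keeps the local queue empty and makes the sending
server, not Exchange, produce the NDR.  Directory and recipients are constructed."""

# Constructed directory of mailboxes that exist (stored lower-case for comparison).
DIRECTORY = {"alice@mydomain.example", "bob@mydomain.example"}


def rcpt_response(recipient, directory, filter_enabled):
    """Reply to RCPT TO:<recipient>.  With recipient filtering on, an unknown
    address is refused with a permanent 550 and nothing is queued; with it off
    the server accepts everything and discovers the bad address only later."""
    if filter_enabled and recipient.lower() not in directory:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient OK"


def transcript(recipients, directory, filter_enabled):
    """Both sides of the RCPT exchange as (speaker, text) pairs."""
    lines = [("C", "MAIL FROM:<forged@bogus.example>"), ("S", "250 2.1.0 Sender OK")]
    for rcpt in recipients:
        lines.append(("C", f"RCPT TO:<{rcpt}>"))
        lines.append(("S", rcpt_response(rcpt, directory, filter_enabled)))
    return lines


def run_delivery(recipients, directory, filter_enabled):
    """Replay a batch of RCPT commands and report where the junk ends up."""
    queued = [r for r in recipients
              if rcpt_response(r, directory, filter_enabled).startswith("250")]
    rejected = len(recipients) - len(queued)
    # Accepted mail for mailboxes that do not exist is what the local server
    # has to queue, fail, and NDR back to a (usually forged) sender address.
    local_ndrs = sum(1 for r in queued if r.lower() not in directory)
    return {"queued": len(queued), "rejected_at_smtp": rejected, "local_ndrs": local_ndrs}


# Constructed flood: two real users plus 98 dictionary-style bogus recipients.
FLOOD = (["alice@mydomain.example", "Bob@mydomain.example"]
         + [f"user{i}@mydomain.example" for i in range(98)])


if __name__ == "__main__":
    for enabled in (False, True):
        state = "on " if enabled else "off"
        print(f"recipient filter {state}: {run_delivery(FLOOD, DIRECTORY, enabled)}")
    for who, text in transcript(FLOOD[:3], DIRECTORY, True):
        print(f"{who}: {text}")
```

With the filter off the model queues all 100 messages and has to generate 98 NDRs locally, which is the load Sembee describes; with it on, the 98 bogus recipients are refused during the session and only the two real ones are queued. One caveat: a server that answers 550 for unknown addresses also tells a sender which addresses are real, so pair recipient filtering with the SMTP tar pit delay that Exchange 2003 SP1 added for exactly these responses.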
 
pcspeedwaycom (Author) Commented:
I have followed everything I can find regarding relaying and recipient filtering and now I have over 6000 messages in my SMTP Mailbox Store. All of the senders are bogus and about 99.999 % of the recipients are bogus. It seems all the messages are x400 related in the Recipients part of the message when I open it in the queue? I am lost... When I stop the Exchange MTA Stack service nothing comes in?
0
 
pcspeedwaycom (Author) Commented:
Clarification: nothing bogus comes in. Everything else seems to work fine?
0
 
Sembee Commented:
Just need to do some clean up then.

Take a look at this article from Microsoft KB. Ignore the SBS references, it applies to regular Exchange as well.

http://support.microsoft.com/default.aspx?kbid=324958

Simon.
0
