Solved

Thousands of .tw emails in my SMTP queue in exchange 2003

Posted on 2004-09-22
4
1,095 Views
Last Modified: 2012-06-21
Hello all,
My exchange server has been amazingly slow the past few days. Today, on a whim, I looked at my SMTP queue, and it had thousands of items in the ourbound queue. They are almost all going to a (normal site).tw site. For instance, the head of the list with a few thousand emails, is pchome.com.tw. At this point, it is so bad that legit emails are not making it into our network from the outside, because my server is so slow it is dropping connections. Any thoughts? Thanks.
0
Comment
Question by:nalanbar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 3

Author Comment

by:nalanbar
ID: 12127028
On another note, the source is all postmaster@(mydomain.org), but nothing shows up in virus scans, and I know I have the newest definitions, as I was on the phone with symantec this morning, getting current (to the hour) deffs.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12127677
NDR attack.
This is where emails are sent to your server with wrong email addresses on purpose, so that your server bounces them. The address the server bounces them to is the real victim of the spam as the from line was faked.

Future attacks can be stopped by changing a setting on ESM.

To enable this option:

1. Expand ESM, Message Delivery.
2. Right click on "Message Delivery" and choose Properties.
3. Click on the tab "Recipient Filtering".
4. Enable the option "Filter Recipients who are not in the directory."

You then need to enable the Recipient Filter on the SMTP Server.

1. Still in ESM, Expand Admin Groups, <your admin groups>, Server, <your server>, Protocols, SMTP.
2. Right click on SMTP Virtual Server and choose Properties.
3. Click on "Advanced" next to the IP address on the first tab.
4. With the IP address selected, choose "Edit".
5. Enable "Apply Recipient Filter".
6. Click Apply/OK until clear.

For dealing with the messages in the queue, there is a technique available but it will flush everything in the queue, including legitimate emails.
It is a little long winded, so I will point you to my web site where I have outlined the technique:
http://www.amset.info/exchange/spam-cleanup.asp

Simon.
0
 
LVL 3

Author Comment

by:nalanbar
ID: 12133468
I have tried that suggestion, and it seemed like it was working for about an hour, but now my queues are building again.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 12135363
What did you actually do - modify the recipient filter?
This may not have actually solved the problem. The web page that I pointed you to also has a number techniques for finding out whether you are vulnerable to other forms of attack.

The other type is authenticated user - where your Exchange server has been repeatedly asked for a username and password and a successful has been found. Turning up SMTP logging to see if there are repeated authentication will soon show up the account that has been compromised.

Simon.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question