nalanbar
asked on
Thousands of .tw emails in my SMTP queue in exchange 2003
Hello all,
My exchange server has been amazingly slow the past few days. Today, on a whim, I looked at my SMTP queue, and it had thousands of items in the ourbound queue. They are almost all going to a (normal site).tw site. For instance, the head of the list with a few thousand emails, is pchome.com.tw. At this point, it is so bad that legit emails are not making it into our network from the outside, because my server is so slow it is dropping connections. Any thoughts? Thanks.
My exchange server has been amazingly slow the past few days. Today, on a whim, I looked at my SMTP queue, and it had thousands of items in the ourbound queue. They are almost all going to a (normal site).tw site. For instance, the head of the list with a few thousand emails, is pchome.com.tw. At this point, it is so bad that legit emails are not making it into our network from the outside, because my server is so slow it is dropping connections. Any thoughts? Thanks.
NDR attack.
This is where emails are sent to your server with wrong email addresses on purpose, so that your server bounces them. The address the server bounces them to is the real victim of the spam as the from line was faked.
Future attacks can be stopped by changing a setting on ESM.
To enable this option:
1. Expand ESM, Message Delivery.
2. Right click on "Message Delivery" and choose Properties.
3. Click on the tab "Recipient Filtering".
4. Enable the option "Filter Recipients who are not in the directory."
You then need to enable the Recipient Filter on the SMTP Server.
1. Still in ESM, Expand Admin Groups, <your admin groups>, Server, <your server>, Protocols, SMTP.
2. Right click on SMTP Virtual Server and choose Properties.
3. Click on "Advanced" next to the IP address on the first tab.
4. With the IP address selected, choose "Edit".
5. Enable "Apply Recipient Filter".
6. Click Apply/OK until clear.
For dealing with the messages in the queue, there is a technique available but it will flush everything in the queue, including legitimate emails.
It is a little long winded, so I will point you to my web site where I have outlined the technique:
http://www.amset.info/exchange/spam-cleanup.asp
Simon.
This is where emails are sent to your server with wrong email addresses on purpose, so that your server bounces them. The address the server bounces them to is the real victim of the spam as the from line was faked.
Future attacks can be stopped by changing a setting on ESM.
To enable this option:
1. Expand ESM, Message Delivery.
2. Right click on "Message Delivery" and choose Properties.
3. Click on the tab "Recipient Filtering".
4. Enable the option "Filter Recipients who are not in the directory."
You then need to enable the Recipient Filter on the SMTP Server.
1. Still in ESM, Expand Admin Groups, <your admin groups>, Server, <your server>, Protocols, SMTP.
2. Right click on SMTP Virtual Server and choose Properties.
3. Click on "Advanced" next to the IP address on the first tab.
4. With the IP address selected, choose "Edit".
5. Enable "Apply Recipient Filter".
6. Click Apply/OK until clear.
For dealing with the messages in the queue, there is a technique available but it will flush everything in the queue, including legitimate emails.
It is a little long winded, so I will point you to my web site where I have outlined the technique:
http://www.amset.info/exchange/spam-cleanup.asp
Simon.
ASKER
I have tried that suggestion, and it seemed like it was working for about an hour, but now my queues are building again.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER