Solved

Exchange server continues to fill queues

Posted on 2004-09-28
Last Modified: 2013-11-15
I have an Exchange 2000 server running on Windows Server 2000 Standard.  Both patched with the latest patches.  I cleaned the SMTP queues and was down to the standard 4 or 5 queues.  I unplugged my server from the network, waited 3 hours.  When I came back to check, my queues were at 491.  This tells me that I have a virus or a trojan on my server that is trying to send messages.  I have Norton for Exchange installed, I also have run HouseCall from Trend Micro.  All say my server is clean.  What I don't understand is if I have no virus, and I have no possible connection for relay or spam, how is my server creating email?  Anyone that can help on this would be very appreciated.

Thanks in advance
Chad
Question by:hhcomp
9 Comments
 

Author Comment

by:hhcomp
ID: 12174236
Here is a log file from Hijackthis.  I don't know if this will help.

Logfile of HijackThis v1.98.2
Scan saved at 3:44:19 PM, on 9/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\Program Files\Exchsrvr\bin\chatsrv.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSECtrl.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSEUI.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSELog.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESJM.EXE
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSETask.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINNT\explorer.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESpamStatsManager.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mdm.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Administrator.TLCNET\Desktop\Test program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tlcind.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{699330FB-F278-4A4A-A08D-D24A4D382C1B}: NameServer = 192.168.0.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tlcind.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tlcind.com



Thanks
Chad
 
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
ID: 12174549
I don't agree that high queues are a sign of a virus or trojan sending messages.
Most of the latest viruses have their own SMTP engine which wouldn't go through the Exchange server.

There are basically three causes for these queues.

1. Conventional relay. Exchange 200x is relay secure out of the box so you have to change something to cause that. This can be tested for on the Internet, such as here: http://www.zoneedit.com/smtp.html

2. Authenticated user. This is where an account has been compromised and is being used by the spammer to send messages through your server as the server thinks it is legitimate email. Do you have users connecting to your server to send email with Outlook Express? If not then this feature can be disabled.

3. NDR Attack. This is where email is sent to your server with an invalid email address on purpose, and your server then bounces it to the sender. Except the "sender" is spoofed and is the real victim. Usual signs - look at the queues and the messages are From <> or postmaster@

You need to look at the queues to see which it is.

I have written a page for my web site based on various sources on checking and then cleaning up the queues which you might find useful: http://www.amset.info/exchange/spam-cleanup.asp but if you need further assistance please post back.

Simon.
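Simon's three causes can be told apart from the queue contents rather than from a network test alone. The script below is an added example and not code from the original thread or from Exchange: it takes a constructed CSV dump of queued messages (the column names sender, recipient, auth_user and source_ip are this example's own assumption, not an Exchange export format), treats example.com as the only local domain (another assumption), and labels each message as NDR backscatter (null sender <> or postmaster@, cause 3), open relay (external sender to external recipient with no authentication, cause 1), or a compromised authenticated account (one login with a burst of outbound recipients, cause 2), then tallies the suspect IPs and accounts.

```python
"""Classify a dump of an SMTP queue to separate relay, compromised-account
and NDR-backscatter traffic.  Added example; the CSV format and the local
domain are assumptions made for this illustration, not Exchange's own."""
import csv
import io
from collections import Counter

# Assumption: the domain(s) this server accepts mail for.
LOCAL_DOMAINS = {"example.com"}

# Assumption: outbound recipients queued under one authenticated account
# before it is treated as compromised (cause 2 in the answer above).
AUTH_BURST_THRESHOLD = 3

NULL_SENDER = "<>"

# Constructed sample queue dump (not real data from the poster's server).
SAMPLE_QUEUE_CSV = """\
sender,recipient,auth_user,source_ip
<>,alice@example.net,,192.168.0.20
postmaster@example.com,bob@example.org,,192.168.0.20
<>,carol@example.edu,,192.168.0.20
spammer@mail.test,dave@example.net,,203.0.113.9
spammer@mail.test,erin@example.org,,203.0.113.9
jsmith@example.com,frank@example.net,jsmith,198.51.100.7
jsmith@example.com,grace@example.org,jsmith,198.51.100.7
jsmith@example.com,heidi@example.edu,jsmith,198.51.100.7
mgr@example.com,ivan@partner.test,,192.168.0.15
outsider@example.net,alice@example.com,,203.0.113.9
"""


def domain_of(addr):
    """Lower-cased domain of an address; '' for the null reverse-path <>."""
    addr = addr.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_local(addr, local_domains=LOCAL_DOMAINS):
    return domain_of(addr) in local_domains


def is_bounce(sender):
    """NDRs are sent with the null reverse-path <> or from postmaster@."""
    s = sender.strip().lower()
    return s == NULL_SENDER or s.startswith("postmaster@")


def classify(row, auth_counts, local_domains=LOCAL_DOMAINS,
             threshold=AUTH_BURST_THRESHOLD):
    sender, rcpt, user = row["sender"], row["recipient"], row["auth_user"]
    if is_local(rcpt, local_domains):
        return "inbound"                  # local delivery, not a relay symptom
    if is_bounce(sender):
        return "ndr_backscatter"          # cause 3: bounces aimed at spoofed senders
    if user:
        if auth_counts[user] >= threshold:
            return "compromised_account"  # cause 2: one login, many outbound recipients
        return "authenticated_outbound"
    if not is_local(sender, local_domains):
        return "open_relay"               # cause 1: external -> external, no auth
    return "local_outbound"


def analyze(csv_text, local_domains=LOCAL_DOMAINS,
            threshold=AUTH_BURST_THRESHOLD):
    """Return (verdict counts, suspect counts) for a queue dump."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    auth_counts = Counter(r["auth_user"] for r in rows if r["auth_user"])
    verdicts, suspects = Counter(), Counter()
    for r in rows:
        v = classify(r, auth_counts, local_domains, threshold)
        verdicts[v] += 1
        if v == "open_relay":
            suspects[("ip", r["source_ip"])] += 1
        elif v == "compromised_account":
            suspects[("account", r["auth_user"])] += 1
        elif v == "ndr_backscatter":
            suspects[("bounce_target", domain_of(r["recipient"]))] += 1
    return verdicts, suspects


if __name__ == "__main__":
    verdicts, suspects = analyze(SAMPLE_QUEUE_CSV)
    for verdict, n in verdicts.most_common():
        print(f"{n:4d}  {verdict}")
    for (kind, who), n in suspects.most_common():
        print(f"{n:4d}  {kind}: {who}")
```

On the constructed sample the three causes show up side by side: three backscatter NDRs, two external-to-external messages from one IP with no login, and three messages from one authenticated account. On a real server the count of ndr_backscatter messages is the first thing to look at, since, as the answer says, those are the ones with From <> or postmaster@.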
 

Author Comment

by:hhcomp
ID: 12174844
Your post makes sense, however, I have already implemented everything you talked about.  

1. Our server is not relaying, I tested with the zonealarm site

2. How can a user relay email if the server is unplugged from the network?

3. Same question as 2, we left our server off the network for 3 hours.  When we came back, (before we reconnected) the server had 491 queues?

I don't know if I understand how this is an NDR attack.

Thanks
Chad
 

Author Comment

by:hhcomp
ID: 12179193
Also please note that I have turned off NDR reports from the server, so why would my server keep sending reports after this is turned off?

However I did realize that the reason our queues filled up after the server was off network was because it finished processing the remaining inbound queues.

Thanks
Chad
 
LVL 104

Expert Comment

by:Sembee
ID: 12179250
Turning the machine off or disconnecting from the network does not prove that 2 and/or 3 are not the causes. If a spammer is sending you messages then Exchange can easily manage those types of numbers very quickly - and as soon as that machine is available again messages are sent.
Furthermore the messages could just be processing, waiting for the network connection to come alive again before appearing in the queues. Microsoft state in their own documentation for cleaning up after a spam attack that it can take three or four passes of the queues before they are clear.

It could also be an NDR attack. A spammer will be sending many thousands of messages, some of which will be processed by your server immediately. Others will fail, either because the domain or email is false or the remote party rejects the message. This will leave the messages in the queues on your server until they time out.

Simon.
 

Author Comment

by:hhcomp
ID: 12179375
Sembee,
I am starting to agree with you about the NDR attack.  I think we are a target for this, however I do not understand why my server keeps sending internet NDRs when we have cleared the check box in the internet delivery options.  Can you help make sense of that?

You have been a great help so far.

Thanks
Chad
 

Author Comment

by:hhcomp
ID: 12179639
One more thing Sembee
I have up-to-date AV software on my server and I keep getting the Netsky.P virus. Any thoughts on that?

Thanks
Chad
 
LVL 104

Expert Comment

by:Sembee
ID: 12181901
If there are NDRs in the queues that you cannot see (because they are too numerous) then you will have to wait for Exchange to clear them out or use one of the techniques to flush the queues completely.

As for the NetSky virus, you aren't alone. At one client the AV on Exchange catches about 250 copies a day - sometimes more. The fact that you are seeing them indicates your AV is working correctly.

Simon.
 

Author Comment

by:hhcomp
ID: 12217404
Thanks for the help Simon,
I think we have the issue pinned down to a Netsky attack, however I am currently talking with Symantec because we downloaded a trial of Trend Micro for Exchange and found 65 copies of Netsky that Symantec did not catch.  I really appreciate your help with this and I will post more info as the situation resolves. I am accepting your answer because it helped with finding out why this was happening.

Thanks again,
Chad