Exchange server contiues to fill queus

I have an exhcange 2000 server runing on Windows server 2000 standard.  Both pathched with latest patches.  I cleaned the SMTP queus and was down to the standard 4 or 5 queues.  I unpluged my server from the network, waited 3 hours.  When I came back to check, my queues were at 491.  This tells me that I have a virus or a trojan on my server that is trying to send messages.  I have norton for exchange installed, I also have ran housecall from Trend Micro.  All say my server is clean.  What I don't understand is if I have no virus, and I have no possiable connection for relay or spam how is my server creating email?  Anyone that can help on this would be very appreciated.

Thanks in advance
Who is Participating?
SembeeConnect With a Mentor Commented:
I don't agree that high queues are a sign of a virus or trojan sending messages.
Most of the latest viruses have their own SMTP engine which wouldn't go through the Exchange server.

There are basically three causes for these queues.

1. Conventional relay. Exchange 200x is relay secure out of the box so you have to change something to cause that. This can be tested for on the Internet, such as here:

2. Authenticated user. This is where an account has been compromised and is being used by the spammer to send messages through your server as the server thinks it is legitimate email. Do you have users connecting to your server to send email with Outlook Express? If not then this feature can be disabled.

3. NDR Attack. This is where email is sent to your server with an invalid email address on purpose, and your server then bounces it to the sender. Except the "sender" is spoofed and is the real victim. Usual signs - look at the queues and the messages are From <> or postmaster@

You need to look at the queues to see which it is.

I have written a page for my web site based on various sources on checking and then cleaning up the queues which you might find useful: but if you need further assistance please post back.

hhcompAuthor Commented:
Here is a log file from Hijackthis.  I don't know if this will help.

Logfile of HijackThis v1.98.2
Scan saved at 3:44:19 PM, on 9/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Exchsrvr\bin\chatsrv.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESrv.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSECtrl.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSEUI.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSELog.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESJM.EXE
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSETask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESpamStatsManager.exe
C:\Documents and Settings\Administrator.TLCNET\Desktop\Test program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{699330FB-F278-4A4A-A08D-D24A4D382C1B}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =

hhcompAuthor Commented:
Your post makes sence, however, I have already implemented everything you talked about.  

1. Our server is not relaying, I tested with the zonealarm site

2. How can a user relay email if the server is unpulged from the network?

3. Same question as 2, we left our server off the network for 3 hours.  When we came back, (before we reconected) the server had 491 queues?

I don't know if I understand how this is an NDR attack.

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

hhcompAuthor Commented:
Also please note that I have turnded of NDR reports from the server, so why would my server keep sending reports after this is truned off?

However I did realize that the reson our queues filled up after the server was off network was because it finished processing the remaining inbound queues.

Turning the machine off or disconnecting from the network does not prove that 2 and/or 3 are not the causes. If a spammer is sending you messages then Exchange can easily manage those types of numbers very quickly - and as soon as that machine is available again messages are sent.
Furthermore the messages could just be processing, waiting for the network connection to come alive again before appearing in the queues. Microsoft state in their own documentation for cleaning up after a spam attack that it can take three or four passes of the queues before they are clear.

It could also be an NDR attack. A spammer will be sending many thousands of messages, some of which will be processed by your server immediately. Others will fail, either because the domain or email is false or the remote party rejects the message. This will leave the messages in the queues on your server until they time out.

hhcompAuthor Commented:
I am starting to agree with you about the NDR attack.  I think we are a target for this, however I do not understand why my server keeps sending internet NDR's when we have cleared the check box in the internet delivery options.  Can you help make sence of that?

You have been a great help so far.

hhcompAuthor Commented:
One more thing Sembee
I have up to date AV software on my server and I keep getting the Netsky P virus any thoughts on that.

If there are NDRs in the queues that you cannot see (because they are too numerous) then you will have to wait for Exchange to clear them out or use one of the techniques to flush the queues completely.

As for the NetSky virus, you aren't alone. At one client the AV on Exchange catches about 250 copies a day - sometimes more. The fact that you are seeing them indicates your AV is working correctly.

hhcompAuthor Commented:
Thanks for the help Simon,
I think we have the issue pinned down to a netsky attack, however I am currently talking with symantec becuase we downloaded a trial of trend micro for exchange and found 65 copies of the netsky that symantec did not catch.  I really appreciate your help with this and I will post more info as the situation resloves. I am accepting your answer because it helped with finding out why this was happeing.

Thanks again,
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.