Exchange server continues to fill queues

Posted on 2004-09-28
Medium Priority
Last Modified: 2013-11-15
I have an Exchange 2000 server running on Windows Server 2000 Standard. Both patched with latest patches. I cleaned the SMTP queues and was down to the standard 4 or 5 queues. I unplugged my server from the network, waited 3 hours. When I came back to check, my queues were at 491. This tells me that I have a virus or a trojan on my server that is trying to send messages. I have Norton for Exchange installed, I have also run HouseCall from Trend Micro. All say my server is clean. What I don't understand is if I have no virus, and I have no possible connection for relay or spam, how is my server creating email? Anyone that can help on this would be very appreciated.

Thanks in advance
Question by: hhcomp

Author Comment

ID: 12174236
Here is a log file from HijackThis. I don't know if this will help.

Logfile of HijackThis v1.98.2
Scan saved at 3:44:19 PM, on 9/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Exchsrvr\bin\chatsrv.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESrv.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSECtrl.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSEUI.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSELog.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESJM.EXE
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSETask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESpamStatsManager.exe
C:\Documents and Settings\Administrator.TLCNET\Desktop\Test program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tlcind.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{699330FB-F278-4A4A-A08D-D24A4D382C1B}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tlcind.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tlcind.com

Accepted Solution

Sembee earned 1000 total points
ID: 12174549
I don't agree that high queues are a sign of a virus or trojan sending messages.
Most of the latest viruses have their own SMTP engine which wouldn't go through the Exchange server.

There are basically three causes for these queues.

1. Conventional relay. Exchange 200x is relay secure out of the box so you have to change something to cause that. This can be tested for on the Internet, such as here: http://www.zoneedit.com/smtp.html

2. Authenticated user. This is where an account has been compromised and is being used by the spammer to send messages through your server as the server thinks it is legitimate email. Do you have users connecting to your server to send email with Outlook Express? If not then this feature can be disabled.

3. NDR Attack. This is where email is sent to your server with an invalid email address on purpose, and your server then bounces it to the sender. Except the "sender" is spoofed and is the real victim. Usual signs - look at the queues and the messages are From <> or postmaster@

You need to look at the queues to see which it is.

I have written a page for my web site based on various sources on checking and then cleaning up the queues which you might find useful: http://www.amset.info/exchange/spam-cleanup.asp but if you need further assistance please post back.
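The three causes above can be told apart by looking at who the queued messages are from and to. The following is an added triage example (not code from the thread or from the linked page) that classifies a constructed queue snapshot by the same signs the answer describes: null sender or postmaster@ points to NDR backscatter, a local account sending many outbound messages points to a compromised authenticated user, and neither side being local points to relay. The local domain, the sample entries and the threshold are assumptions.

```python
from collections import Counter

LOCAL_DOMAIN = "example.com"  # assumed local domain of the Exchange server

# Constructed (sender, recipient) pairs standing in for an SMTP queue listing.
SAMPLE_QUEUE = [
    ("<>", "nobody1@example.net"),
    ("<>", "nobody2@example.org"),
    ("postmaster@example.com", "nobody3@example.net"),
    ("<>", "nobody4@example.org"),
    ("jsmith@example.com", "list1@example.net"),
    ("jsmith@example.com", "list2@example.org"),
    ("jsmith@example.com", "list3@example.net"),
    ("stranger@outside.example", "elsewhere@other.example"),
    ("alice@example.com", "bob@example.com"),
]


def classify(sender, recipient, local_domain=LOCAL_DOMAIN):
    """Map one queued message to the cause it most likely belongs to."""
    s = sender.strip().lower()
    s_dom = s.rsplit("@", 1)[-1] if "@" in s else ""
    r_dom = recipient.strip().lower().rsplit("@", 1)[-1]
    if s in ("", "<>") or s.startswith("postmaster@"):
        return "ndr"            # null sender / postmaster: bounce traffic
    if s_dom == local_domain and r_dom != local_domain:
        return "authenticated"  # local account sending out: possible compromise
    if s_dom != local_domain and r_dom != local_domain:
        return "relay"          # neither side is local: open relay
    return "normal"             # inbound or internal delivery


def triage(queue, local_domain=LOCAL_DOMAIN, min_outbound=3):
    """Count messages per cause and list local accounts sending outbound in bulk."""
    labels = [(classify(s, r, local_domain), s.lower()) for s, r in queue]
    counts = Counter(label for label, _ in labels)
    outbound = Counter(s for label, s in labels if label == "authenticated")
    suspects = sorted(a for a, n in outbound.items() if n >= min_outbound)
    dominant = counts.most_common(1)[0][0] if counts else "normal"
    return {"counts": dict(counts), "dominant": dominant,
            "suspect_accounts": suspects}


if __name__ == "__main__":
    print(triage(SAMPLE_QUEUE))
```

A real queue listing from the Exchange System Manager would be fed in as the (sender, recipient) pairs in place of the constructed sample.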


Author Comment

ID: 12174844
Your post makes sense, however, I have already implemented everything you talked about.

1. Our server is not relaying, I tested with the zonealarm site

2. How can a user relay email if the server is unplugged from the network?

3. Same question as 2, we left our server off the network for 3 hours. When we came back (before we reconnected) the server had 491 queues?

I don't know if I understand how this is an NDR attack.

Author Comment

ID: 12179193
Also please note that I have turned off NDR reports from the server, so why would my server keep sending reports after this is turned off?

However, I did realize that the reason our queues filled up after the server was off network was because it finished processing the remaining inbound queues.

Expert Comment

ID: 12179250
Turning the machine off or disconnecting from the network does not prove that 2 and/or 3 are not the causes. If a spammer is sending you messages then Exchange can easily manage those types of numbers very quickly - and as soon as that machine is available again messages are sent.
Furthermore the messages could just be processing, waiting for the network connection to come alive again before appearing in the queues. Microsoft state in their own documentation for cleaning up after a spam attack that it can take three or four passes of the queues before they are clear.

It could also be an NDR attack. A spammer will be sending many thousands of messages, some of which will be processed by your server immediately. Others will fail, either because the domain or email is false or the remote party rejects the message. This will leave the messages in the queues on your server until they time out.


Author Comment

ID: 12179375
I am starting to agree with you about the NDR attack. I think we are a target for this, however I do not understand why my server keeps sending internet NDRs when we have cleared the check box in the internet delivery options. Can you help make sense of that?

You have been a great help so far.


Author Comment

ID: 12179639
One more thing, Sembee.
I have up-to-date AV software on my server and I keep getting the Netsky.P virus; any thoughts on that?

Expert Comment

ID: 12181901
If there are NDRs in the queues that you cannot see (because they are too numerous) then you will have to wait for Exchange to clear them out or use one of the techniques to flush the queues completely.

As for the NetSky virus, you aren't alone. At one client the AV on Exchange catches about 250 copies a day - sometimes more. The fact that you are seeing them indicates your AV is working correctly.


Author Comment

ID: 12217404
Thanks for the help, Simon.
I think we have the issue pinned down to a Netsky attack, however I am currently talking with Symantec because we downloaded a trial of Trend Micro for Exchange and found 65 copies of the Netsky that Symantec did not catch. I really appreciate your help with this and I will post more info as the situation resolves. I am accepting your answer because it helped with finding out why this was happening.

Thanks again,
