Exchange server continues to fill queues

Posted on 2004-09-28
Last Modified: 2013-11-15
I have an Exchange 2000 server running on Windows 2000 Server Standard. Both are patched with the latest patches. I cleaned the SMTP queues and was down to the standard 4 or 5 queues. I unplugged my server from the network and waited 3 hours. When I came back to check, my queues were at 491. This tells me that I have a virus or a trojan on my server that is trying to send messages. I have Norton for Exchange installed, and I have also run HouseCall from Trend Micro. All say my server is clean. What I don't understand is, if I have no virus and I have no possible connection for relay or spam, how is my server creating email? Anyone who can help with this would be very much appreciated.

Thanks in advance
Question by: hhcomp

Author Comment

ID: 12174236
Here is a log file from Hijackthis.  I don't know if this will help.

Logfile of HijackThis v1.98.2
Scan saved at 3:44:19 PM, on 9/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Exchsrvr\bin\chatsrv.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESrv.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSECtrl.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSEUI.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSELog.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESJM.EXE
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSETask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESpamStatsManager.exe
C:\Documents and Settings\Administrator.TLCNET\Desktop\Test program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{699330FB-F278-4A4A-A08D-D24A4D382C1B}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =

Accepted Solution

Sembee earned 250 total points
ID: 12174549
I don't agree that high queues are a sign of a virus or trojan sending messages.
Most of the latest viruses have their own SMTP engine which wouldn't go through the Exchange server.

There are basically three causes for these queues.

1. Conventional relay. Exchange 200x is relay secure out of the box so you have to change something to cause that. This can be tested for on the Internet, such as here:

2. Authenticated user. This is where an account has been compromised and is being used by the spammer to send messages through your server as the server thinks it is legitimate email. Do you have users connecting to your server to send email with Outlook Express? If not then this feature can be disabled.

3. NDR Attack. This is where email is sent to your server with an invalid email address on purpose, and your server then bounces it to the sender. Except the "sender" is spoofed and is the real victim. Usual signs - look at the queues and the messages are From <> or postmaster@

You need to look at the queues to see which it is.

I have written a page for my web site based on various sources on checking and then cleaning up the queues which you might find useful: but if you need further assistance please post back.
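The three-way sort described above, written out as an added example that is not part of this thread or of Sembee's page: it tags each queued message by envelope sender and authentication state, counts the causes, and names any authenticated account whose queued volume looks like a compromised mailbox. The accepted domain, the threshold, the field names and the sample queue are all constructed assumptions, not an Exchange export format.

```python
# Triage an SMTP queue into the three causes named in the answer above.
# Sample data and field names are constructed assumptions, not an Exchange export.
from collections import Counter
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}  # assumption: domains this server accepts mail for
AUTH_VOLUME_THRESHOLD = 3        # assumption: queued messages per account before flagging

@dataclass
class QueuedMessage:
    sender: str         # envelope sender (MAIL FROM); "" or "<>" is the null sender
    recipient: str      # envelope recipient (RCPT TO)
    authenticated: str  # account that authenticated the session, "" if none

def is_local(addr: str) -> bool:
    return addr.split("@")[-1].lower() in LOCAL_DOMAINS

def classify(msg: QueuedMessage) -> str:
    """Map one queued message to a cause; 'inbound' and 'outbound' are normal traffic."""
    sender = msg.sender.strip().lower()
    if sender in ("", "<>") or sender.startswith("postmaster@"):
        return "ndr"            # cause 3: a bounce heading back to a (spoofed) sender
    if is_local(msg.recipient):
        return "inbound"        # mail for one of our domains: the server's job
    if msg.authenticated:
        return "authenticated"  # cause 2 candidate: outbound via a mailbox login
    if is_local(sender):
        return "outbound"       # from our own domain without a login (internal host)
    return "relay"              # cause 1: foreign sender to foreign recipient, no login

def triage(queue):
    """Count messages per cause and list authenticated accounts over the threshold."""
    counts = Counter(classify(m) for m in queue)
    per_account = Counter(m.authenticated for m in queue if classify(m) == "authenticated")
    flagged = sorted(a for a, n in per_account.items() if n >= AUTH_VOLUME_THRESHOLD)
    return counts, flagged

# Constructed sample: NDR backscatter, one busy authenticated account, one relay attempt.
SAMPLE_QUEUE = [
    QueuedMessage("<>", "victim1@other.test", ""),
    QueuedMessage("", "victim2@other.test", ""),
    QueuedMessage("postmaster@example.com", "victim3@other.test", ""),
    QueuedMessage("alice@example.com", "bob@example.com", ""),
    QueuedMessage("bob@example.com", "friend@other.test", "bob"),
    QueuedMessage("bob@example.com", "list1@other.test", "bob"),
    QueuedMessage("bob@example.com", "list2@other.test", "bob"),
    QueuedMessage("spammer@foreign.test", "target@other.test", ""),
]
```

A queue dominated by the `ndr` bucket is the backscatter pattern from cause 3; a non-empty `relay` bucket contradicts a clean relay test and is worth re-checking before anything else.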


Author Comment

ID: 12174844
Your post makes sense; however, I have already implemented everything you talked about.

1. Our server is not relaying. I tested with the ZoneAlarm site.

2. How can a user relay email if the server is unplugged from the network?

3. Same question as 2: we left our server off the network for 3 hours. When we came back (before we reconnected), the server had 491 queues?

I don't know if I understand how this is an NDR attack.


Author Comment

ID: 12179193
Also please note that I have turned off NDR reports on the server, so why would my server keep sending reports after this is turned off?

However, I did realize that the reason our queues filled up after the server was off the network was because it finished processing the remaining inbound queues.

Expert Comment

ID: 12179250
Turning the machine off or disconnecting from the network does not prove that 2 and/or 3 are not the causes. If a spammer is sending you messages then Exchange can easily manage those types of numbers very quickly - and as soon as that machine is available again messages are sent.
Furthermore the messages could just be processing, waiting for the network connection to come alive again before appearing in the queues. Microsoft state in their own documentation for cleaning up after a spam attack that it can take three or four passes of the queues before they are clear.

It could also be an NDR attack. A spammer will be sending many thousands of messages, some of which will be processed by your server immediately. Others will fail, either because the domain or email is false or the remote party rejects the message. This will leave the messages in the queues on your server until they time out.


Author Comment

ID: 12179375
I am starting to agree with you about the NDR attack. I think we are a target for this; however, I do not understand why my server keeps sending Internet NDRs when we have cleared the check box in the Internet delivery options. Can you help make sense of that?

You have been a great help so far.


Author Comment

ID: 12179639
One more thing, Sembee.
I have up-to-date AV software on my server and I keep getting the Netsky.P virus. Any thoughts on that?

Expert Comment

ID: 12181901
If there are NDRs in the queues that you cannot see (because they are too numerous) then you will have to wait for Exchange to clear them out or use one of the techniques to flush the queues completely.

As for the NetSky virus, you aren't alone. At one client the AV on Exchange catches about 250 copies a day - sometimes more. The fact that you are seeing them indicates your AV is working correctly.


Author Comment

ID: 12217404
Thanks for the help, Simon.
I think we have the issue pinned down to a Netsky attack; however, I am currently talking with Symantec because we downloaded a trial of Trend Micro for Exchange and found 65 copies of Netsky that Symantec did not catch. I really appreciate your help with this and I will post more info as the situation resolves. I am accepting your answer because it helped with finding out why this was happening.

Thanks again,
