Exchange server continues to fill queues

Posted on 2004-09-28
Medium Priority
Last Modified: 2013-11-15
I have an Exchange 2000 server running on Windows Server 2000 Standard.  Both patched with the latest patches.  I cleaned the SMTP queues and was down to the standard 4 or 5 queues.  I unplugged my server from the network and waited 3 hours.  When I came back to check, my queues were at 491.  This tells me that I have a virus or a trojan on my server that is trying to send messages.  I have Norton for Exchange installed, and I have also run HouseCall from Trend Micro.  All say my server is clean.  What I don't understand is: if I have no virus, and I have no possible connection for relay or spam, how is my server creating email?  Anyone that can help on this would be very appreciated.

Thanks in advance
Question by:hhcomp
Author Comment

ID: 12174236
Here is a log file from HijackThis.  I don't know if this will help.

Logfile of HijackThis v1.98.2
Scan saved at 3:44:19 PM, on 9/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Exchsrvr\bin\chatsrv.exe
C:\Program Files\Exchsrvr\bin\srsmain.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESrv.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSECtrl.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSEUI.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSELog.EXE
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESp.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESJM.EXE
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSETask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Symantec\SMSMSE\4.5\Server\SAVFMSESpamStatsManager.exe
C:\Documents and Settings\Administrator.TLCNET\Desktop\Test program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tlcind.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{699330FB-F278-4A4A-A08D-D24A4D382C1B}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tlcind.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tlcind.com

LVL 104

Accepted Solution

Sembee earned 1000 total points
ID: 12174549
I don't agree that high queues are a sign of a virus or trojan sending messages.
Most of the latest viruses have their own SMTP engine which wouldn't go through the Exchange server.

There are basically three causes for these queues.

1. Conventional relay. Exchange 200x is relay secure out of the box so you have to change something to cause that. This can be tested for on the Internet, such as here: http://www.zoneedit.com/smtp.html

2. Authenticated user. This is where an account has been compromised and is being used by the spammer to send messages through your server as the server thinks it is legitimate email. Do you have users connecting to your server to send email with Outlook Express? If not then this feature can be disabled.

3. NDR Attack. This is where email is sent to your server with an invalid email address on purpose, and your server then bounces it to the sender. Except the "sender" is spoofed and is the real victim. Usual signs - look at the queues and the messages are From <> or postmaster@

You need to look at the queues to see which it is.

I have written a page for my web site based on various sources on checking and then cleaning up the queues which you might find useful: http://www.amset.info/exchange/spam-cleanup.asp but if you need further assistance please post back.
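The three-way split above (open relay, compromised authenticated account, NDR backscatter) can be checked mechanically once you have a dump of what is sitting in the queues. The following is an added example, not code from the thread or from the amset.info page: it runs over a constructed, simplified queue dump in which each queued message is one line of `sender recipient submitter`, where `submitter` is `auth:<account>` for an authenticated submission and `anon:<client-ip>` for an unauthenticated one. The accepted domain `tlcind.com` is taken from the HijackThis log above; the sample addresses and IPs are made up. Real Exchange 2000 queue and message-tracking output is laid out differently, so the parser is the part you would adapt.

```python
"""Triage an SMTP queue backlog into the three causes named in the answer:
NDR backscatter, authenticated-account abuse, and open relay.
Added example over a constructed dump; not Exchange's own output format."""
from collections import Counter, defaultdict
from dataclasses import dataclass

LOCAL_DOMAINS = {"tlcind.com"}  # assumption: the domains this server accepts mail for

# Constructed sample dump: "sender recipient submitter", one queued message per line.
SAMPLE_QUEUE = """\
<> victim1@example.org anon:192.0.2.9
<> victim2@example.org anon:192.0.2.9
postmaster@tlcind.com victim3@example.net anon:192.0.2.9
<> victim4@example.org anon:203.0.113.4
jdoe@tlcind.com buyer1@example.com auth:jdoe
jdoe@tlcind.com buyer2@example.com auth:jdoe
jdoe@tlcind.com buyer3@example.com auth:jdoe
asmith@tlcind.com colleague@example.com auth:asmith
bulk@example.net target@example.org anon:198.51.100.7
bulk@example.net target2@example.org anon:198.51.100.7
friend@example.com real.user@tlcind.com anon:203.0.113.8
"""


@dataclass
class QueuedMessage:
    sender: str      # envelope sender; "<>" is the null sender used by NDRs
    recipient: str   # envelope recipient still waiting in the queue
    submitter: str   # "auth:<account>" or "anon:<client-ip>"


def domain(addr):
    """Domain part of an address, lower-cased; '' for the null sender."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_queue(text):
    msgs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        msgs.append(QueuedMessage(*parts))
    return msgs


def classify(m):
    local_rcpt = domain(m.recipient) in LOCAL_DOMAINS
    # NDRs this server generates carry the null sender or postmaster@<our domain>.
    # Many of them addressed to outside recipients is the backscatter signature.
    ndr_sender = m.sender == "<>" or (
        m.sender.lower().startswith("postmaster@") and domain(m.sender) in LOCAL_DOMAINS
    )
    if ndr_sender and not local_rcpt:
        return "ndr-backscatter"
    if m.submitter.startswith("auth:"):
        return "authenticated-submission"   # check the per-account count below
    if local_rcpt:
        return "inbound"                    # ordinary mail for our users
    return "relay"                          # anonymous client, outside sender and recipient


def triage(text):
    """Return (counts per cause, top culprit per cause) for a queue dump."""
    msgs = parse_queue(text)
    counts = Counter(classify(m) for m in msgs)
    culprits = defaultdict(Counter)
    for m in msgs:
        cause = classify(m)
        if cause in ("authenticated-submission", "relay"):
            culprits[cause][m.submitter.split(":", 1)[1]] += 1   # account or client IP
        elif cause == "ndr-backscatter":
            culprits[cause][domain(m.recipient)] += 1            # who is being bounced at
    top = {cause: ctr.most_common(1)[0] for cause, ctr in culprits.items()}
    return counts, top


if __name__ == "__main__":
    counts, top = triage(SAMPLE_QUEUE)
    for cause, n in counts.most_common():
        print(f"{cause:26s} {n:4d}  top: {top.get(cause)}")
```

On the constructed sample this reports four backscatter NDRs (mostly aimed at example.org), four authenticated submissions of which three come from the single account jdoe, two relayed messages from one anonymous client, and one ordinary inbound message; on a real dump the cause with the largest count, and the account or address behind it, is what tells you which of the three fixes to apply.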


Author Comment

ID: 12174844
Your post makes sense; however, I have already implemented everything you talked about.

1. Our server is not relaying; I tested with the zonealarm site

2. How can a user relay email if the server is unplugged from the network?

3. Same question as 2: we left our server off the network for 3 hours.  When we came back (before we reconnected), the server had 491 queues.

I don't know if I understand how this is an NDR attack.


Author Comment

ID: 12179193
Also please note that I have turned off NDR reports from the server, so why would my server keep sending reports after this is turned off?

However, I did realize that the reason our queues filled up after the server was off the network was that it finished processing the remaining inbound queues.

LVL 104

Expert Comment

ID: 12179250
Turning the machine off or disconnecting from the network does not prove that 2 and/or 3 are not the causes. If a spammer is sending you messages then Exchange can easily manage those types of numbers very quickly - and as soon as that machine is available again messages are sent.
Furthermore the messages could just be processing, waiting for the network connection to come alive again before appearing in the queues. Microsoft state in their own documentation for cleaning up after a spam attack that it can take three or four passes of the queues before they are clear.

It could also be an NDR attack. A spammer will be sending many thousands of messages, some of which will be processed by your server immediately. Others will fail, either because the domain or email is false or the remote party rejects the message. This will leave the messages in the queues on your server until they time out.


Author Comment

ID: 12179375
I am starting to agree with you about the NDR attack.  I think we are a target for this; however, I do not understand why my server keeps sending Internet NDRs when we have cleared the check box in the Internet delivery options.  Can you help make sense of that?

You have been a great help so far.


Author Comment

ID: 12179639
One more thing Sembee
I have up-to-date AV software on my server and I keep getting the Netsky P virus.  Any thoughts on that?

LVL 104

Expert Comment

ID: 12181901
If there are NDRs in the queues that you cannot see (because they are too numerous) then you will have to wait for Exchange to clear them out or use one of the techniques to flush the queues completely.

As for the NetSky virus, you aren't alone. At one client the AV on Exchange catches about 250 copies a day - sometimes more. The fact that you are seeing them indicates your AV is working correctly.


Author Comment

ID: 12217404
Thanks for the help Simon,
I think we have the issue pinned down to a Netsky attack; however, I am currently talking with Symantec because we downloaded a trial of Trend Micro for Exchange and found 65 copies of Netsky that Symantec did not catch.  I really appreciate your help with this, and I will post more info as the situation resolves.  I am accepting your answer because it helped with finding out why this was happening.

Thanks again,
