Solved

For the past couple days my outbound queue has been filling up with thousands of emails.  I had 35,000 last night .  For all of these e-mails awaiting delivery

Posted on 2004-10-05
2,287 Views
Last Modified: 2013-11-15
For the past couple of days my outbound queue has been filling up with thousands of emails. I had 35,000 last night. For all of these e-mails awaiting delivery, I checked your article but it is for Exchange 5.5.
I use Exchange Server 2003, and I do know that it has more features for a better solution.
Please help me to stop it, it slows down my server.
Question by:Nabilbahr
20 Comments
 
LVL 8

Expert Comment

by:susanzeigler
ID: 12229513
Four questions:

1. Are these messages going to many different places or just a few specific domains? If there are many domains, is there a commonality to them (like mostly.org or mostly in a specific geographic location, etc.)?

2. Is that a normal volume for your mail server--35,000 can be an extremely high count for many companies.

3. Is one or more PC on your network infected with a virus?

4. Is one or more PC on your network compromised and relaying spam? Or is someone using your domain as the from address in spam messages (called a "Joe Job")?

If possible, can you view any of the messages (or any NDR that is being generated)? Otherwise, you should be able to see the subject line and the from address.

 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 12229812
It is one of three things.

1. Open Relay
2. Authenticated user relay
3. NDR attack.

Either way you need to get that machine off the Internet and then clear the queues. I have outlined a technique for testing and then clearing the queues here: http://www.amset.info/exchange/spam-cleanup.asp
I would post the instructions but they are very long. That article is based on a Microsoft KB article which I have adjusted after using the original a few times.

Simon.
 

Author Comment

by:Nabilbahr
ID: 12231105
It solved the problem, now there is no accumulation of messages on the queue, but still the performance of the server is low, and the server is trying to send 20,000 packets per minute.
I can see that in the Local Area Connection, but I can't understand what that is.
 

Author Comment

by:Nabilbahr
ID: 12231128
Revision to my last comment.

It solved the problem, now there is no accumulation of messages on the queue, but still the performance of the server is low, and the server is trying to send 20,000 packets per minute.
I can see that in the Local Area Connection, but I can't understand what that is. It looks like we solved the NDR attack; how about Open Relay and Authenticated User Relay... How can I do it?
 
LVL 8

Expert Comment

by:susanzeigler
ID: 12231339
If you look at the link Simon included above, it includes methods to test and see if your server allows any machine to relay (Open Relay) and how to set up logging to watch for massive Authenticated User relaying. Exchange 2003 out of the box should not be an open relay server, but you should test your mail server to make sure--it is one of the first tests that should be done anytime a new mail server is set up.

If you are having performance issues still, logging is your best friend right now--set all logging to maximum if you are able so you can see who's sending what:) Check all of the event logs as well to see if you can determine what the source of the packets is.

I'd also run a full virus and malware scan on the server just to make sure.
 

Author Comment

by:Nabilbahr
ID: 12231643
I set the logging from the properties of the mail server, and I was able to track a test email I just sent, but there are no other records about any activity, while the server is still busy sending 1000's of packets.
Please help me.
 
LVL 104

Expert Comment

by:Sembee
ID: 12231672
ESM cannot show all the messages in the queues. Therefore it could still be sending the messages.
You need to get this machine off the internet, tell the users not to send an email and use the process in my article to flush all the bogus messages out. Once they are all out you can then look at the config of the server to ensure that you are not open before reconnecting it to the internet.

Simon.
 

Author Comment

by:Nabilbahr
ID: 12231770
Simon, I did everything you specified in your article, and it helped. Now the queues are empty but there is still too much traffic; I can't understand what it is about. I enabled logging, but there are no messages logged.

 
LVL 104

Expert Comment

by:Sembee
ID: 12232080
It could be inbound data.
If you disconnect the Exchange server does the traffic stop?

Simon.
 
LVL 8

Expert Comment

by:susanzeigler
ID: 12232255
Simon is right, if the machine is vulnerable it can be sending messages that you can't see via Exchange. Do you have a firewall that can do even basic logging? If so, look at those log files and see what ports the server is using to send--this may help determine what kind of traffic is being generated. Unplugging it is very sound advice--and until you determine the cause, absolutely keep it off the Net while you are not there monitoring it. If you can see firewall logs, block the server while you are trying to clean this all up. Trying to get yourself off blacklists is a far more difficult and lengthy process than dealing with a day or two of no net access. Right now the machine isn't running properly anyway and therefore productivity is already hampered.

You might also try to run a packet sniffer and capture some of the traffic--you should be able to determine where and on what ports the machine is sending packets. Some of these are relatively inexpensive. Keep in mind, though, that if you have any switches on your network you may not see all the packets being sent. A network that only uses hubs will show all traffic.
 

Author Comment

by:Nabilbahr
ID: 12232546
Thanks
I enabled Norton firewall and here is a log of all the connections during some minutes; you can check it using this link: ftp://tfitours.com/Connections.txt
I wish that would help.
Nabil
 
LVL 8

Expert Comment

by:susanzeigler
ID: 12233053
Ok, many many many port 135 connections--but they are local. Port 135 can indicate the blaster worm although usually you see external connections. Is that machine fully patched and have you run full virus scans?

That port is also used for AD services, however, so this may be nothing to worry about.

One other quick thing I noticed--you don't have reverse DNS for your mail server:)

As Simon asked, does the traffic stop if you unplug the Internet connection, or does it remain high? It may just be that the server is trying to get itself caught up or that other traffic is being generated on the network:)

 

Author Comment

by:Nabilbahr
ID: 12233065
The traffic remains high as I disconnect the cable.
 

Author Comment

by:Nabilbahr
ID: 12242057
I'm still having that much traffic. I checked (reverse DNS for my mail server) and I disconnected the network cable, and that helped me to find out that the traffic is generated from the server itself.
Here is a link that shows the most recent connections:
ftp://tfitours.com/Connections.txt
 
LVL 8

Expert Comment

by:susanzeigler
ID: 12243303
Ok, seeing quite a few port 135 connections between your server and other machines--nearly all are within the 64.214.64.0/18 subnet but there are a few outside that netblock.

There is also some IRC traffic hidden in that log as well--could be legitimate but makes me wonder.

Are you getting anything when you run virus scans on the server? The traffic looks suspiciously blaster-like to me, but with the IRC traffic it really makes me worry the machine may be compromised. Is the machine running Windows Server 2003 as well as Exchange 2003 or is it Win 2K?

Here is the Symantec article regarding the latest Blaster variant:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html

Simply blocking port 135 inbound/outbound at the firewall may stop many of your issues.

As for the reverse DNS, you need to contact Global Crossing and either have them set up the reverse or delegate authority for your net block down to you.
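Added example (not from the thread, and not the thread's own log file) of the triage susanzeigler did by hand on the Norton connection log: it parses a constructed log in a simple comma-separated layout, counts outbound connections per port, splits the TCP/135 targets into the 64.214.64.0/18 netblock versus outside, and flags any outbound IRC ports. The column layout, the sample rows and the IRC port list are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in a simple "timestamp,direction,remote_ip,remote_port" layout
# (hypothetical; the thread's real Norton log was never reproduced on the page).
SAMPLE_LOG = """\
2004-10-05 21:14:01,out,64.214.70.12,135
2004-10-05 21:14:01,out,64.214.70.13,135
2004-10-05 21:14:02,out,64.214.70.14,135
2004-10-05 21:14:02,out,64.214.71.2,135
2004-10-05 21:14:03,out,203.0.113.9,135
2004-10-05 21:14:05,out,198.51.100.44,6667
2004-10-05 21:14:09,in,198.51.100.7,25
2004-10-05 21:14:11,out,64.214.70.15,135
"""
OWN_NETBLOCK = ipaddress.ip_network("64.214.64.0/18")  # netblock named in the thread
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}            # assumed common IRC ports
RPC_PORT = 135  # MS RPC endpoint mapper, the port Blaster spreads over

def parse_log(text):
    """Return (timestamp, direction, ip, port) tuples; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, ip, port = line.strip().split(",")
        rows.append((ts, direction, ipaddress.ip_address(ip), int(port)))
    return rows

def triage(rows, rpc_threshold=3):
    """Count outbound connections per port; flag TCP/135 bursts and IRC traffic."""
    out = [r for r in rows if r[1] == "out"]
    by_port = Counter(port for _, _, _, port in out)
    rpc_targets = [ip for _, _, ip, port in out if port == RPC_PORT]
    rpc_local = sum(1 for ip in rpc_targets if ip in OWN_NETBLOCK)
    rpc_external = len(rpc_targets) - rpc_local
    irc_hosts = sorted({str(ip) for _, _, ip, port in out if port in IRC_PORTS})
    findings = []
    if len(rpc_targets) >= rpc_threshold:
        findings.append(f"{len(rpc_targets)} outbound TCP/135 connections "
                        f"({rpc_local} inside {OWN_NETBLOCK}, {rpc_external} outside)")
    if irc_hosts:
        findings.append("outbound IRC traffic to " + ", ".join(irc_hosts))
    return {"by_port": dict(by_port), "rpc_local": rpc_local,
            "rpc_external": rpc_external, "irc_hosts": irc_hosts, "findings": findings}

if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG))["findings"]:
        print(finding)
```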
 

Author Comment

by:Nabilbahr
ID: 12282302
I formatted my hard drive and re-installed Exchange Server from the beginning.
Installed Norton AntiVirus with the most recent updates.
Disabled anonymous logins to the SMTP server, and relay.
But now I can send email from Outlook Web Access but I can't receive any mails from the internet (e.g. from anybody who is using a Hotmail account).

Before, when I allowed anonymous access, it worked, but now I'm afraid that I will get 1000's of messages again in my queues. What should I do?
 
LVL 104

Expert Comment

by:Sembee
ID: 12282695
You have to allow anonymous access. No remote mail server is going to know how to authenticate against your server, so they will be anonymous connections.
As long as you haven't made significant changes to the SMTP configuration then your machine will not relay - it is relay secure out of the box.
Similarly if you enable user filtering that will stop an NDR attack in its tracks as your server will not allow the message to be sent.

To enable this option:

1. Expand ESM, Message Delivery.
2. Right click on "Message Delivery" and choose Properties.
3. Click on the tab "Recipient Filtering".
4. Enable the option "Filter Recipients who are not in the directory."

You then need to enable the Recipient Filter on the SMTP Server.

1. Still in ESM, Expand Admin Groups, <your admin groups>, Server, <your server>, Protocols, SMTP.
2. Right click on SMTP Virtual Server and choose Properties.
3. Click on "Advanced" next to the IP address on the first tab.
4. With the IP address selected, choose "Edit".
5. Enable "Apply Recipient Filter".
6. Click Apply/OK until clear.

If you have no users connecting to your server to send email with Outlook Express then you can also disable authenticated SMTP relay.

1. Expand ESM, Admin Groups, <your admin group>, Servers, <your server>, Protocols, SMTP.
2. Right click on "Default SMTP Virtual Server" and choose Properties.
3. Click on the "Access Tab" and then the "Relay" button at the bottom.
4. Ensure that "Only the list below" is enabled and there are no servers listed.
5. Deselect the next option "Allows all computers which successfully authenticate to relay, regardless of the list above."
6. Click Apply/OK to exit from this option.

Simon.
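An added example (not Simon's own code or article) of checking the outcome of the settings above against your own server: after a MAIL FROM it issues two RCPT TO probes, one for a domain the server does not host and one for a nonexistent local mailbox, and reports whether relaying was refused and whether recipient filtering rejected the bogus address. The client name, sender address, script name and the scripted offline responder are assumptions.

```python
import socket
import sys

def smtp_session(host, port=25, timeout=10):
    """Connect and return send(cmd) -> numeric reply code; the banner is consumed first."""
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rwb")
    def reply():
        while True:  # continuation lines look like "250-..."; the last one is "250 ..."
            line = f.readline().decode("ascii", "replace")
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]) if line[:3].isdigit() else 0
    reply()
    def send(cmd):
        f.write((cmd + "\r\n").encode("ascii"))
        f.flush()
        return reply()
    return send

def assess_mail_server(send, own_domain):
    """Probe RCPT TO for a domain the server does not host (accepted = open relay) and
    for a nonexistent local mailbox (accepted = no recipient filtering, so NDRs ensue)."""
    send("EHLO relaycheck.example.net")          # hypothetical client name
    send("MAIL FROM:<relaycheck@example.net>")   # hypothetical sender address
    outside = send("RCPT TO:<nobody@example.org>")
    send("RSET")
    send("MAIL FROM:<relaycheck@example.net>")
    bogus = send(f"RCPT TO:<no-such-user-zz9@{own_domain}>")
    send("QUIT")
    return {"open_relay": 200 <= outside < 300,      # a 250 here is a strong hint only:
            "recipient_filtering": bogus >= 500,    # some servers defer rejection to DATA
            "outside_rcpt_code": outside, "bogus_rcpt_code": bogus}

def scripted_server(relays, filters):
    """Constructed stand-in for a live server so the logic can be exercised offline."""
    def send(cmd):
        if cmd.startswith("RCPT TO:<nobody@example.org>"):
            return 250 if relays else 550
        if cmd.startswith("RCPT TO:<no-such-user"):
            return 550 if filters else 250
        return 250
    return send

if __name__ == "__main__":
    # usage: relaycheck.py mail.example.com example.com (hypothetical script name)
    live = len(sys.argv) == 3
    send = smtp_session(sys.argv[1]) if live else scripted_server(relays=False, filters=True)
    print(assess_mail_server(send, sys.argv[2] if live else "example.com"))
```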
 

Author Comment

by:Nabilbahr
ID: 12290451
Thanks, it works fine now from Outlook Web Access.
But not from Outlook Express.
I use Exchange Server 2003 with Windows 2000.
I tried Outlook Express 6; it wouldn't authenticate.
I tried Outlook 2003; it cannot log into the incoming mail server (POP3).

I checked my POP virtual server properties, Access tab, Authentication:
Basic authentication is checked, Simple authentication is checked.
Connection is "all except the list below" (with an empty list).

What can I do?
 
LVL 104

Expert Comment

by:Sembee
ID: 12292145
If you have rebuilt the Exchange server then have you enabled the POP3 virtual server? It is disabled by default.
If it is enabled can you telnet to port 110 on the Exchange server?

telnet mail.domain.com 110

replacing mail.domain.com with the name of your server.

Simon.
 

Author Comment

by:Nabilbahr
ID: 12302396
The problem was solved.
Thank you very much, all the resolutions were very helpful.
Thanks Simon, thanks Susan.
