Posted on 2004-10-05
Last Modified: 2013-11-15
For the past couple of days my outbound queue has been filling up with thousands of emails. I had 35,000 last night. For all of these e-mails awaiting delivery, I checked your article but it is for Exchange 5.5.
I use Exchange Server 2003, and I do know that it has more features for a better solution.
Please help me to stop it; it slows down my server.
Question by:Nabilbahr
20 Comments
LVL 8

Expert Comment

by:susanzeigler
ID: 12229513
Four questions:

1. Are these messages going to many different places or just a few specific domains? If there are many domains, is there a commonality to them (like mostly .org, or mostly in a specific geographic location, etc.)?

2. Is that a normal volume for your mail server--35,000 can be an extremely high count for many companies.

3. Is one or more PC on your network infected with a virus?

4. Is one or more PC on your network compromised and relaying spam? or, Is someone using your domain as the from address in spam messages (called a "Joe Job")?

If possible, can you view any of the messages (or any NDR that is being generated)? Otherwise, you should be able to see the subject line and the from address.

LVL 104

Accepted Solution

by:
Sembee earned 375 total points
ID: 12229812
It is one of three things.

1. Open Relay
2. Authenticated user relay
3. NDR attack.

Either way you need to get that machine off the Internet and then clear the queues. I have outlined a technique for testing and then clearing the queues here: http://www.amset.info/exchange/spam-cleanup.asp
I would post the instructions but they are very long. That article is based on a Microsoft KB article which I have adjusted after using the original a few times.

Simon.

Author Comment

by:Nabilbahr
ID: 12231105
It solved the problem, now there is no accumulation of messages on the queue, but the performance of the server is still low, and the server is trying to send 20,000 packets per minute.
I can see that in the local area connection, but I can't understand what that is.

Author Comment

by:Nabilbahr
ID: 12231128
Revision to my last comment.

It solved the problem, now there is no accumulation of messages on the queue, but the performance of the server is still low, and the server is trying to send 20,000 packets per minute.
I can see that in the local area connection, but I can't understand what that is. It looks like we solved the NDR attack; how about Open Relay and Authenticated User Relay? How can I do it?
LVL 8

Expert Comment

by:susanzeigler
ID: 12231339
If you look at the link Simon included above, it includes methods to test and see if your server allows any machine to relay (Open Relay) and how to set up logging to watch for massive Authenticated User relaying. Exchange 2003 out of the box should not be an open relay server, but you should test your mail server to make sure--it is one of the first tests that should be done anytime a new mail server is set up.

If you are having performance issues still, logging is your best friend right now--set all logging to maximum if you are able so you can see who's sending what:) Check all of the event logs as well to see if you can determine what the source of the packets is.

I'd also run a full virus and malware scan on the server just to make sure.

Author Comment

by:Nabilbahr
ID: 12231643
I set the logging from the properties of the mail server, and I was able to track a test email I just sent, but there are no other records of any activity, while the server is still busy sending 1000's of packets.
Please help me.
LVL 104

Expert Comment

by:Sembee
ID: 12231672
ESM cannot show all the messages in the queues. Therefore it could still be sending the messages.
You need to get this machine off the internet, tell the users not to send an email and use the process in my article to flush all the bogus messages out. Once they are all out you can then look at the config of the server to ensure that you are not open before reconnecting it to the internet.

Simon.

Author Comment

by:Nabilbahr
ID: 12231770
Simon, I did everything you specified in your article, and it helped. Now the queues are empty but there is still too much traffic; I can't understand what it is about. I enabled logging, but there are no messages logged.

LVL 104

Expert Comment

by:Sembee
ID: 12232080
It could be inbound data.
If you disconnect the Exchange server does the traffic stop?

Simon.
LVL 8

Expert Comment

by:susanzeigler
ID: 12232255
Simon is right, if the machine is vulnerable it can be sending messages that you can't see via Exchange. Do you have a firewall that can do even basic logging? If so, look at those log files and see what ports the server is using to send--this may help determine what kind of traffic is being generated. Unplugging it is very sound advice--and until you determine the cause, absolutely keep it off the Net while you are not there monitoring it. If you can see firewall logs, block the server while you are trying to clean this all up. Trying to get yourself off blacklists is a far more difficult and lengthy process than dealing with a day or two of no net access. Right now the machine isn't running properly anyway and therefore productivity is already hampered.

You might also try to run a packet sniffer and capture some of the traffic--you should be able to determine where and on what ports the machine is sending packets. Some of these are relatively inexpensive. Keep in mind, though, that if you have any switches on your network you may not see all the packets being sent. A network that only uses hubs will show all traffic.

Author Comment

by:Nabilbahr
ID: 12232546
Thanks
I enabled Norton firewall and here is a log of all the connections during some minutes; you can check it using this link: ftp://tfitours.com/Connections.txt
I wish that would help.
Nabil
LVL 8

Expert Comment

by:susanzeigler
ID: 12233053
Ok, many many many port 135 connections--but they are local. Port 135 can indicate the blaster worm although usually you see external connections. Is that machine fully patched and have you run full virus scans?

That port is also used for AD services, however, so this may be nothing to worry about.

One other quick thing I noticed--you don't have reverse DNS for your mail server:)

As Simon asked, does the traffic stop if you unplug the Internet connection, or does it remain high? It may just be that the server is trying to get itself caught up or that other traffic is being generated on the network:)


Author Comment

by:Nabilbahr
ID: 12233065
The traffic remains high when I disconnect the cable.

Author Comment

by:Nabilbahr
ID: 12242057
I'm still having that much traffic. I checked (reverse DNS for my mail server) and I disconnected the network cable, and that helped me to find out that the traffic is generated from the server itself.
Here is a link that shows the most recent connections:
ftp://tfitours.com/Connections.txt
LVL 8

Expert Comment

by:susanzeigler
ID: 12243303
Ok, seeing quite a few port 135 connections between your server and other machines--nearly all are within the 64.214.64.0/18 subnet but there are a few outside that netblock.

There is also some IRC traffic hidden in that log as well--could be legitimate but makes me wonder.

Are you getting anything when you run virus scans on the server? The traffic looks suspiciously blaster-like to me, but with the IRC traffic it really makes me worry the machine may be compromised. Is the machine running Windows Server 2003 as well as Exchange 2003 or is it Win 2K?

Here is the Symantec article regarding the latest Blaster variant:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html

Simply blocking port 135 inbound/outbound at the firewall may stop many of your issues.

As for the reverse DNS, you need to contact Global Crossing and either have them set up the reverse or delegate authority for your net block down to you.
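The log reading in the comment above (port 135 connections inside and outside the 64.214.64.0/18 netblock, plus IRC traffic) can be automated. The script below is an added example, not code from the thread or from any firewall vendor; the log format and every line in `SAMPLE_LOG` are constructed for the demonstration (the thread's Connections.txt is not reproduced), so `parse_line()` needs adapting to a real firewall's export. It counts connections per destination port, separates RPC endpoint-mapper (port 135) connections that stay in the local netblock from those that leave it, and flags connections to common IRC ports, then turns the summary into the next defensive step the thread recommends.

```python
"""Triage of a firewall connection log, in the spirit of the analysis above.

Added example, not code from the thread or from any firewall vendor. The log
format and SAMPLE_LOG are constructed; adapt parse_line() to your product.
"""
import ipaddress
from collections import Counter

# Constructed sample: "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
10:01:02 TCP 64.214.70.10:1042 -> 64.214.70.11:135
10:01:02 TCP 64.214.70.10:1043 -> 64.214.70.12:135
10:01:03 TCP 64.214.70.10:1044 -> 64.214.90.5:135
10:01:03 TCP 64.214.70.10:1045 -> 198.51.100.7:135
10:01:04 TCP 64.214.70.10:1046 -> 203.0.113.9:6667
10:01:05 TCP 64.214.70.10:1047 -> 192.0.2.25:25
10:01:06 UDP 64.214.70.10:1048 -> 64.214.70.2:53
"""

LOCAL_NET = ipaddress.ip_network("64.214.64.0/18")  # netblock named in the thread
RPC_PORT = 135                                       # RPC endpoint mapper
# Ports commonly used by IRC; an assumption for the example, not a definitive list.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


def parse_line(line):
    """Return (proto, src_ip, src_port, dst_ip, dst_port), or None for blank/bad lines."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    src_ip, src_port = parts[2].rsplit(":", 1)
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return (parts[1], ipaddress.ip_address(src_ip), int(src_port),
            ipaddress.ip_address(dst_ip), int(dst_port))


def triage(log_text, local_net=LOCAL_NET):
    """Summarise the log the way the comments above read it by hand."""
    conns = [c for c in map(parse_line, log_text.splitlines()) if c is not None]
    by_port = Counter(c[4] for c in conns)
    rpc = [c for c in conns if c[4] == RPC_PORT]
    irc = [c for c in conns if c[4] in IRC_PORTS]
    return {
        "total": len(conns),
        "by_dst_port": dict(by_port),
        "rpc_local": sum(1 for c in rpc if c[3] in local_net),
        "rpc_external": sum(1 for c in rpc if c[3] not in local_net),
        "rpc_targets": sorted({str(c[3]) for c in rpc}),
        "irc": sorted((str(c[3]), c[4]) for c in irc),
    }


def verdict(summary):
    """Turn the summary into the defender's next step suggested in the thread."""
    notes = []
    if summary["rpc_external"]:
        notes.append("port 135 connections leave the local netblock: "
                     "patch, run a full scan, and block 135 at the firewall")
    elif summary["rpc_local"]:
        notes.append("port 135 traffic is local only: may be normal AD/RPC use, "
                     "but verify patch level and scan anyway")
    if summary["irc"]:
        notes.append("IRC connections from a mail server are not expected: "
                     "keep the host off the Internet until it is cleaned or rebuilt")
    return notes or ["nothing unusual in this sample"]


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for port, n in sorted(s["by_dst_port"].items()):
        print(f"dst port {port:>5}: {n}")
    print("RPC local/external:", s["rpc_local"], s["rpc_external"])
    print("IRC:", s["irc"])
    for line in verdict(s):
        print("-", line)
```

On the constructed sample the script reports four port 135 connections, three inside the netblock and one outside, and one IRC connection, which is exactly the combination the comment above treats as a sign of compromise rather than routine AD traffic.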

Author Comment

by:Nabilbahr
ID: 12282302
I formatted my hard drive and re-installed Exchange Server from the beginning.
Installed Norton AntiVirus with the most recent updates.
Disabled anonymous logins to the SMTP server, and relay.
But now I can send email from Outlook Web Access but I can't receive any mails from the Internet (e.g. from anybody who is using a Hotmail account).

Before, when I allowed anonymous access it worked, but now I'm afraid that I will get 1000's of messages again in my queues. What should I do?
LVL 104

Expert Comment

by:Sembee
ID: 12282695
You have to allow anonymous access. No remote mail server is going to know how to authenticate against your server, so they will be anonymous connections.
As long as you haven't made significant changes to the SMTP configuration then your machine will not relay - it is relay secure out of the box.
Similarly if you enable user filtering that will stop an NDR attack in its tracks as your server will not allow the message to be sent.

To enable this option:

1. Expand ESM, Message Delivery.
2. Right click on "Message Delivery" and choose Properties.
3. Click on the tab "Recipient Filtering".
4. Enable the option "Filter Recipients who are not in the directory."

You then need to enable the Recipient Filter on the SMTP Server.

1. Still in ESM, Expand Admin Groups, <your admin groups>, Server, <your server>, Protocols, SMTP.
2. Right click on SMTP Virtual Server and choose Properties.
3. Click on "Advanced" next to the IP address on the first tab.
4. With the IP address selected, choose "Edit".
5. Enable "Apply Recipient Filter".
6. Click Apply/OK until clear.

If you have no users connecting to your server to send email with Outlook Express then you can also disable authenticated SMTP relay.

1. Expand ESM, Admin Groups, <your admin group>, Servers, <your server>, Protocols, SMTP.
2. Right click on "Default SMTP Virtual Server" and choose Properties.
3. Click on the "Access Tab" and then the "Relay" button at the bottom.
4. Ensure that "Only the list below" is enabled and there are no servers listed.
5. Deselect the next option "Allows all computers which successfully authenticate to relay, regardless of the list above."
6. Click Apply/OK to exit from this option.

Simon.
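The three settings Simon walks through above (anonymous access, the relay list with authenticated relay, and recipient filtering) interact, and the questioner's earlier symptom (disabling anonymous access stopped inbound Internet mail) follows directly from that interaction. The following is an added example, not code from the thread, from Microsoft, or from Exchange itself: a small policy model of how an SMTP virtual server configured as described would answer RCPT TO, so the combinations can be checked offline. Reply codes follow RFC 5321 conventions rather than Exchange's exact response text, and all domains, addresses and IPs are constructed.

```python
"""Decision model for the SMTP settings described in the comment above.

Added example, not code from the thread, Microsoft, or Exchange. It encodes the
logic behind anonymous access, relay restrictions and recipient filtering so
their interplay can be tested offline. Reply codes are RFC 5321 conventions.
"""
from dataclasses import dataclass, field


@dataclass
class SmtpPolicy:
    local_domains: set                  # domains this server accepts mail for
    directory: set                      # mailboxes known to the directory (lower-case)
    allow_anonymous: bool = True        # "Anonymous access" on the Access tab
    relay_hosts: set = field(default_factory=set)  # "Only the list below" entries
    authenticated_relay: bool = True    # "Allow all computers which successfully authenticate to relay"
    recipient_filter: bool = False      # "Filter recipients who are not in the directory"


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False         # remote MTAs on the Internet are never authenticated


def rcpt_to(policy, session, recipient):
    """Return the SMTP reply this policy gives to RCPT TO:<recipient>."""
    addr = recipient.lower()
    domain = addr.rsplit("@", 1)[-1]
    if not session.authenticated and not policy.allow_anonymous:
        # With anonymous access off, no remote mail server gets this far: inbound mail stops.
        return "530 5.7.1 Client was not authenticated"
    if domain in policy.local_domains:
        if policy.recipient_filter and addr not in policy.directory:
            return "550 5.1.1 User unknown"   # refused at RCPT: nothing accepted, no NDR queued
        return "250 2.1.5 Recipient OK"
    # Foreign domain: accepting it means relaying.
    if session.client_ip in policy.relay_hosts:
        return "250 2.1.5 Recipient OK"
    if session.authenticated and policy.authenticated_relay:
        return "250 2.1.5 Recipient OK"
    return "550 5.7.1 Unable to relay"


def ndr_exposure(policy, recipients, client_ip="203.0.113.50"):
    """Count recipients an anonymous sender gets accepted that would later bounce.

    Each such acceptance becomes an NDR to the (forged) sender address, which is
    how an NDR attack fills the outbound queue.
    """
    anon = Session(client_ip)
    return sum(
        1 for r in recipients
        if rcpt_to(policy, anon, r).startswith("250") and r.lower() not in policy.directory
    )


# Constructed local domain and directory.
DIRECTORY = {"nabil@example.com", "sales@example.com"}
BASELINE = SmtpPolicy(local_domains={"example.com"}, directory=DIRECTORY)
HARDENED = SmtpPolicy(local_domains={"example.com"}, directory=DIRECTORY,
                      recipient_filter=True, authenticated_relay=False)
# The misconfiguration reported later in the thread: anonymous access disabled.
BROKEN = SmtpPolicy(local_domains={"example.com"}, directory=DIRECTORY,
                    allow_anonymous=False)

# A constructed run of guessed local addresses, as an NDR attack would send them.
PROBE = ["nabil@example.com", "aaron@example.com", "abbey@example.com",
         "abbot@example.com", "zzz@example.com"]


if __name__ == "__main__":
    internet = Session("198.51.100.20")               # a remote MTA: always anonymous
    user = Session("192.0.2.15", authenticated=True)  # an authenticated Outlook Express user
    for name, pol in [("baseline", BASELINE), ("hardened", HARDENED), ("broken", BROKEN)]:
        print(f"[{name}] inbound to local user:  ", rcpt_to(pol, internet, "nabil@example.com"))
        print(f"[{name}] inbound to unknown user:", rcpt_to(pol, internet, "abbey@example.com"))
        print(f"[{name}] anonymous relay:        ", rcpt_to(pol, internet, "someone@remote.example"))
        print(f"[{name}] authenticated relay:    ", rcpt_to(pol, user, "someone@remote.example"))
        print(f"[{name}] accepted messages that would bounce: {ndr_exposure(pol, PROBE)}")
```

Running it shows the point of the comment: the baseline refuses anonymous relay already, but accepts mail for unknown local users and would queue an NDR for each; the hardened policy rejects those at RCPT TO while still accepting Internet mail for real mailboxes; the broken policy has zero NDR exposure only because it refuses every inbound connection, which is the symptom the questioner reported.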

Author Comment

by:Nabilbahr
ID: 12290451
Thanks, it works fine now from Outlook Web Access.
But not from Outlook Express.
I use Exchange Server 2003 with Windows 2000.
I tried Outlook Express 6; it wouldn't authenticate.
I tried Outlook 2003; it cannot log into the incoming mail server (POP3).

I checked my POP virtual server properties, Access tab, Authentication:
basic authentication is checked, simple authentication is checked;
connection is "all except the list below" (with an empty list).

What can I do?
LVL 104

Expert Comment

by:Sembee
ID: 12292145
If you have rebuilt the Exchange server then have you enabled the POP3 virtual server? It is disabled by default.
If it is enabled can you telnet to port 110 on the Exchange server?

telnet mail.domain.com 110

replacing mail.domain.com with the name of your server.

Simon.

Author Comment

by:Nabilbahr
ID: 12302396
The problem was solved.
Thank you very much, all the resolutions were very helpful.
Thanks Simon, thanks Susan.