SMTP service saturates DSL Internet connection

Hi,

I have an Exchange 2000 Server on which the SMTP service completely saturates the DSL Internet connection.

This means that all computers on the network have a really slow Internet connection.

I've checked for spyware and everything is OK.

I've also installed SP3 + the Security Roll-Up Package.

Reinstalling Service Pack 4 (Windows 2000 Server) does not change anything.

Any idea?

Regards.

Evolutis
Evolutis asked:

Sembee commented:
If you are sure there are no valid emails in the queue, then there is a technique you can use to clear the queues right out. Once the queues have been cleared, monitor the server to see if they start to build again. If so, then there is still a problem.
The technique is outlined on my web site here: http://www.amset.info/exchange/spam-cleanup.asp
It will flush every message in the queue, so it might catch any valid messages that users send while you are working on it - so make sure that everyone knows not to send any messages.

It's odd that the messages have hung around for a week, as emails usually time out after 48 hours. I wonder if it is a loop...

Simon.
0

Sembee commented:
Have you looked at the Exchange server to see if there is anything in the queues?
It could be an NDR attack or some other relay attempt. This should be evident on the Exchange server itself.

How did you diagnose that it was Exchange SMTP that was saturating the connection?

Simon.
0

Evolutis (author) commented:
Hi Sembee,

The queue has around 10 e-mails waiting to be sent. The saturation of the bandwidth seems to slow down this operation a lot.

I'm sure that this server is not a relay server, but I don't know anything about NDR attacks. How could I protect this server against this kind of attack (the network is protected by a hardware firewall)?

I've tried to isolate the process saturating the Internet bandwidth by using ZoneAlarm (I was first thinking about spyware), but it didn't work.

After stopping the Exchange services, I saw that everything came back to normal.

After several tries, I've isolated the SMTP service. If this service is stopped, everything is OK.

Evolutis
0

Sembee commented:
If the queue has very little in it, then it might be an email loop. Have you managed to identify whether the SMTP traffic is inbound or outbound?

As for an NDR attack, there isn't anything you can do in Exchange 2000 natively. What you might want to do is look at putting something like GFI Mail Essentials into the mix. This will sit between the Internet and your Exchange server and can filter the email out.

You might end up having to flush those messages out of the queue and see if things settle down.

Simon.
0

munichpostman commented:
Go to the Access tab of the SMTP virtual server.
Click on the Authentication tab.
Which options do you have selected?

Under the Relay restrictions tab, which settings do you have?
You will also need to test that your system is not open to relaying.
kb153119 describes this process.
0

Evolutis (author) commented:
OK, do you know if I could download a 30-day version of GFI Mail Essentials?

On the Access tab of the SMTP virtual server I have these options selected:

- Anonymous access
- Basic authentication
- Integrated Windows Authentication

Relay restrictions have the option "Only the list below" selected, without computers in the list. The option "Allow all computers which successfully authenticate to relay, regardless of the list above" is also selected.
0

Sembee commented:
There is a trial version of Mail Essentials available. You could run it for that time and then see if the people who hold the purse strings will let you purchase it. It is one of the most useful utilities you can put onto an Exchange server.

As for the relay restrictions - do you have people sending email from Outlook Express or other POP3/SMTP email clients? If not, then you can disable the "Allow all computers which successfully authenticate..." option.

Simon.
0

munichpostman commented:

"Relay restrictions have the option "Only the list below" selected without computers in the list. The option "Allow all computers which successfully authenticate to relay, regardless of the list above" is also selected"

There is a known attack which exploits Exchange SMTP virtual servers which have the above option selected. It could be that someone has cracked one of your passwords and is relaying off your server.

On the Relay restrictions option "Only the list below" you should add the IP addresses of the systems which you would like to allow to relay off your server.

How does your Exchange Server send mail to the Internet? Does it use a smart host or simply DNS? If it uses a smart host, then you should add the IP address of the smart host, plus any other systems that you would like to use your system as a relay, to this list.
0

Evolutis (author) commented:
Hi Sembee and munichpostman,

I've now installed GFI Mail Essentials but nothing has changed. I'm also not able to tell if the traffic is inbound or outbound.

I've unchecked "Allow all computers which successfully authenticate" in the relay options.

This server should not be used as a relay server, so what do I have to set in order to be SURE that nobody will use this server as a mail relay?

Only DNS (not a smart host) is used to send mail.

Evolutis.
0

Evolutis (author) commented:
One more thing: I've used "Network Monitor" and it seems that one external IP address is talking a lot (inbound and outbound traffic) with this server using the SMTP port.

How could I filter this address in Exchange or Windows in order to test if this IP address is really responsible?

Evolutis
0

Sembee commented:
First - have you done a whois to check who the IP address is assigned to? It might be your own ISP.
I use the tools at Geek Tools: http://www.geektools.com/whois.php

If you have verified that it is not someone you know, you can filter out the traffic using the options in Exchange.

ESM, Admin Groups, <your admin group>, Servers, <your server>, Protocols, SMTP. Right click on Default SMTP Virtual Server and choose Properties. On the "Access" tab click "Connection". Where it says "Select which computers may access this virtual server", it should be "All except the list below". Click Add and enter the IP address that you wish to block.

Simon.
0

Evolutis (author) commented:
I've added the IP of the suspected address and nothing has changed.

I don't know how to determine if the traffic is inbound or outbound.

What I can see is that around 15 e-mails have been waiting to go out for more than one week now and I cannot delete them... If it is an e-mail loop, how can I solve the problem?

These e-mails stay in the queue even if I restart the server...!
0
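The question of whether the SMTP traffic is inbound or outbound can be answered from a packet capture without any Exchange tooling: the side that connects to TCP port 25 is the SMTP client, so a session is inbound when the remote host connected to the server's port 25 and outbound when the server connected out to the remote host's port 25. The script below is an added example, not code from the thread or from any of its participants; it works over constructed packet records in the shape of a Network Monitor export, and the server address 192.0.2.10 and the peer addresses are made up for the demonstration.

```python
from collections import defaultdict

# Constructed values: the Exchange server's LAN address and the SMTP port.
SERVER_IP = "192.0.2.10"
SMTP_PORT = 25

# Constructed packet records in the shape of a Network Monitor export:
# (source_ip, source_port, dest_ip, dest_port, bytes_on_wire)
SAMPLE_PACKETS = [
    ("198.51.100.7", 40211, "192.0.2.10", 25, 1200),  # remote host opens a session to our port 25
    ("192.0.2.10", 25, "198.51.100.7", 40211, 300),   # our reply on that same session
    ("198.51.100.7", 40212, "192.0.2.10", 25, 5400),  # second session from the same host
    ("192.0.2.10", 25, "198.51.100.7", 40212, 400),
    ("192.0.2.10", 3051, "203.0.113.25", 25, 2100),   # our server opens a session to a remote MX
    ("203.0.113.25", 25, "192.0.2.10", 3051, 250),
    ("192.0.2.10", 3052, "198.51.100.7", 25, 900),    # we also deliver back to 198.51.100.7
    ("198.51.100.7", 25, "192.0.2.10", 3052, 150),
    ("192.0.2.44", 1100, "192.0.2.10", 443, 700),     # not SMTP: ignored
]


def classify_smtp_traffic(packets, server_ip=SERVER_IP):
    """Group SMTP packets by remote peer and by who opened the TCP session.

    A session is 'inbound' when the peer connected to our port 25 and
    'outbound' when our server connected to the peer's port 25. Bytes flowing
    in either direction of a session are attributed to the session's initiator.
    Sessions are identified by the initiator's ephemeral port.
    """
    stats = defaultdict(lambda: {
        "inbound_sessions": set(), "outbound_sessions": set(),
        "inbound_bytes": 0, "outbound_bytes": 0,
    })
    for src, sport, dst, dport, nbytes in packets:
        if dst == server_ip and dport == SMTP_PORT:
            # peer -> our port 25: peer initiated (inbound), keyed by the peer's port
            peer, kind, key = src, "inbound", sport
        elif src == server_ip and sport == SMTP_PORT:
            # our port 25 -> peer: reply on a peer-initiated session
            peer, kind, key = dst, "inbound", dport
        elif src == server_ip and dport == SMTP_PORT:
            # our ephemeral port -> peer's port 25: we initiated (outbound)
            peer, kind, key = dst, "outbound", sport
        elif dst == server_ip and sport == SMTP_PORT:
            # peer's port 25 -> our ephemeral port: reply on a session we opened
            peer, kind, key = src, "outbound", dport
        else:
            continue  # not SMTP traffic involving our server
        stats[peer][kind + "_sessions"].add(key)
        stats[peer][kind + "_bytes"] += nbytes

    return {
        peer: {
            "inbound_sessions": len(s["inbound_sessions"]),
            "outbound_sessions": len(s["outbound_sessions"]),
            "inbound_bytes": s["inbound_bytes"],
            "outbound_bytes": s["outbound_bytes"],
        }
        for peer, s in stats.items()
    }


def top_talker(summary):
    """Return (peer, dominant direction) for the peer carrying the most bytes."""
    peer = max(summary, key=lambda p: summary[p]["inbound_bytes"] + summary[p]["outbound_bytes"])
    s = summary[peer]
    if s["inbound_bytes"] > s["outbound_bytes"]:
        direction = "inbound"
    elif s["outbound_bytes"] > s["inbound_bytes"]:
        direction = "outbound"
    else:
        direction = "balanced"
    return peer, direction


if __name__ == "__main__":
    report = classify_smtp_traffic(SAMPLE_PACKETS)
    for peer, s in sorted(report.items()):
        print(peer, s)
    print("top talker:", top_talker(report))
```

On the constructed capture the busiest peer is 198.51.100.7 and its traffic is mostly inbound (it keeps opening sessions to port 25), which is the pattern a relay attempt or a flood of bounces would show; a peer that only appears on sessions the server opened is outbound mail, which is the pattern of a loop or of the server delivering bounces. Blocking a peer with the "All except the list below" connection control only affects sessions that peer initiates, so for outbound traffic the fix has to be in the queue, not the connection filter.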

Evolutis (author) commented:
Sembee,

I've used the tool specified on your web page and all old e-mails have gone.

Since then, Exchange has been working normally for around 12 hours (looks like it was an e-mail loop).

I hope the problem will not come back tomorrow morning... ;-)

Thanks a lot for your help.

Evolutis
0
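A message caught in a delivery loop is recognisable from its headers before it is flushed: every SMTP hop prepends a Received: header, so a looping message carries the same server's name in the "by" clause over and over, while a normal message names each host once. The following is an added example, not code from the thread, that pulls the receiving host out of each Received: header and flags a message when one host has stamped it repeatedly; both sample messages, the host names and the addresses are constructed for the demonstration.

```python
import re
from email import message_from_string

# Constructed message: the same server has stamped its own Received: header
# four times, which is what a message trapped in a delivery loop looks like.
LOOPING_MESSAGE = """\
Received: from mail.example.net ([192.0.2.10]) by mail.example.net with Microsoft SMTPSVC;
 Mon, 1 Mar 2004 10:00:04 +0100
Received: from mail.example.net ([192.0.2.10]) by mail.example.net with Microsoft SMTPSVC;
 Mon, 1 Mar 2004 10:00:03 +0100
Received: from mail.example.net ([192.0.2.10]) by mail.example.net with Microsoft SMTPSVC;
 Mon, 1 Mar 2004 10:00:02 +0100
Received: from workstation01 ([192.0.2.44]) by mail.example.net with Microsoft SMTPSVC;
 Mon, 1 Mar 2004 10:00:01 +0100
From: user@example.net
To: someone@example.org
Subject: test

hello
"""

# Constructed message that crossed two different hosts once each: normal.
NORMAL_MESSAGE = """\
Received: from mail.example.net ([192.0.2.10]) by mx.example.org with ESMTP;
 Mon, 1 Mar 2004 10:00:02 +0100
Received: from workstation01 ([192.0.2.44]) by mail.example.net with Microsoft SMTPSVC;
 Mon, 1 Mar 2004 10:00:01 +0100
From: user@example.net
To: someone@example.org
Subject: test

hello
"""

# The receiving host is the token after "by" in a Received: header.
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def receiving_hosts(raw_message):
    """Return the host named after 'by' in each Received: header, newest first."""
    msg = message_from_string(raw_message)
    hosts = []
    for value in msg.get_all("Received", []):
        # Unfold the header: continuation lines begin with whitespace.
        flat = re.sub(r"\s+", " ", value)
        match = _BY_HOST.search(flat)
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def loop_report(raw_message, repeat_threshold=3):
    """Flag a message as looping when one host stamped it repeatedly."""
    hosts = receiving_hosts(raw_message)
    counts = {}
    for host in hosts:
        counts[host] = counts.get(host, 0) + 1
    repeaters = sorted(h for h, n in counts.items() if n >= repeat_threshold)
    return {"hops": len(hosts), "repeaters": repeaters, "looping": bool(repeaters)}


if __name__ == "__main__":
    print("looping sample:", loop_report(LOOPING_MESSAGE))
    print("normal sample: ", loop_report(NORMAL_MESSAGE))
```

Running this over a few of the stuck messages (saved from the queue directory as .eml files and read with open().read()) tells you whether they are looping before you flush anything; the repeat threshold is an assumption chosen so that a legitimate internal relay hop through the same server once or twice is not reported.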

Sembee commented:
Excellent. Good to hear that it has been cleared.
Cheers for the points.

Simon.
0