Solved

SMTP service saturates DSL Internet connection

Posted on 2004-10-24
Last Modified: 2010-05-19
Hi,

I have an Exchange 2000 Server on which the SMTP service completely saturates the DSL Internet connection.

It means that all computers on the network have a really slow Internet connection.

I've checked for spyware and everything is OK.

I've also installed SP3 + the Security Roll-Up Package.

The reinstallation of Service Pack 4 (Windows 2000 Server) does not change anything.

Any ideas?

Regards.

Evolutis
0
Question by:Evolutis
    14 Comments
     
    LVL 104

    Expert Comment

    by:Sembee
    Have you looked at the Exchange server to see if there is anything in the queues?
    It could be an NDR attack or some other relay attempt. This should be evident on the Exchange server itself.

    How did you diagnose that it was Exchange SMTP that was saturating the connection?

    Simon.
    0
     

    Author Comment

    by:Evolutis
    Hi Sembee,

    The queue has around 10 e-mails waiting to be sent. The saturation of the bandwidth seems to slow down this operation a lot.

    I'm sure that this server is not a relay server, but I don't know anything about NDR attacks. How could I protect this server against this kind of attack (the network is protected by a hardware firewall)?

    I tried to isolate the process saturating the Internet bandwidth by using ZoneAlarm (I was first thinking about spyware), but it didn't work.

    After trying to stop Exchange services, I saw that everything came back to normal.

    After several tries, I've isolated the SMTP service. If this service is stopped, everything is OK.

    Evolutis
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    If the queue has very little in it, then it might be an email loop. Have you managed to identify whether the SMTP traffic is inbound or outbound?

    As for an NDR attack, there isn't anything you can do in Exchange 2000 natively. What you might want to do is look at putting something like GFI Mail Essentials into the mix. This will sit between the Internet and your Exchange server and can filter the email out.

    You might end up having to flush those messages out of the queue and see if things settle down.

    Simon.
    0
     
    LVL 10

    Expert Comment

    by:munichpostman
    Go to the Access tab of the SMTP virtual server.
    Click on the Authentication tab.
    Which options do you have selected?

    Under the relay restrictions tab, which settings do you have?
    Also, you will need to test that your system is not open to relaying.
    KB153119 describes this process.
    0
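The open-relay test mentioned in the comment above, as an added example that is not part of the original thread: it runs the HELO / MAIL FROM / RCPT TO steps with a sender and recipient that are both outside the server's own domains and reports whether the recipient was accepted. The `.example` addresses, `FakeSession` and its reply texts are constructed so the block runs offline; `check_server` is the live variant, meant to be run against your own server from an outside connection.

```python
import smtplib

def rcpt_accepted(conn, sender, recipient):
    """Return (accepted, reply_code) for one MAIL FROM / RCPT TO attempt.

    The transaction is reset afterwards, so no message is ever sent."""
    conn.helo("relaytest.example")
    code, _ = conn.mail(sender)
    if code < 400:                      # sender accepted, now try the recipient
        code, _ = conn.rcpt(recipient)
    conn.rset()
    return 200 <= code < 300, code

def check_server(host, port=25):
    """Live check; both addresses must be foreign to the server under test."""
    with smtplib.SMTP(host, port, timeout=15) as conn:
        return rcpt_accepted(conn, "probe@sender.example", "probe@recipient.example")

class FakeSession:
    """Constructed stand-in for smtplib.SMTP (assumption, for offline runs)."""
    def __init__(self, local_domain, open_relay=False):
        self.local_domain, self.open_relay = local_domain, open_relay
    def helo(self, name=""):
        return 250, b"hello"
    def mail(self, sender):
        return 250, b"sender OK"
    def rcpt(self, recipient):
        if self.open_relay or recipient.endswith("@" + self.local_domain):
            return 250, b"recipient OK"
        return 550, b"5.7.1 Unable to relay"
    def rset(self):
        return 250, b"reset"

if __name__ == "__main__":
    for label, session in [("restricted", FakeSession("corp.example")),
                           ("open relay", FakeSession("corp.example", open_relay=True))]:
        accepted, code = rcpt_accepted(session, "probe@sender.example",
                                       "probe@recipient.example")
        print(f"{label:11} foreign recipient accepted={accepted} (reply {code})")
```

An accepted foreign recipient means the server relays for anonymous senders. The check covers anonymous relay only; relay through an authenticated session is not exercised by it.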
     

    Author Comment

    by:Evolutis
    OK, do you know if I could download a 30-day version of GFI Mail Essentials?

    On the Access tab of the SMTP virtual server I have these options selected:

    - Anonymous access
    - Basic authentication
    - Integrated Windows Authentication

    Relay restrictions have the option "Only the list below" selected without computers in the list. The option "Allow all computers which successfully authenticate to relay, regardless of the list above" is also selected.
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    There is a trial version of Mail Essentials available. You could run it for that time and then see if the people who hold the purse strings will let you purchase it. It is one of the most useful utilities you can put on to an Exchange server.

    As for the relay restrictions - do you have people sending email from Outlook Express or other POP3/SMTP email clients? If not, then you can disable the "Allow all computers which successfully authenticate..." option.

    Simon.
    0
     
    LVL 10

    Expert Comment

    by:munichpostman


    "Relay restrictions have the option "Only the list below" selected without computers in the list. The option "Allow all computers which successfully authenticate to relay, regardless of the list above" is also selected"

    There is a known attack which exploits Exchange SMTP Virtual servers which have the above option selected. It could be that someone has cracked one of your passwords and is relaying off your server.

    On the Relay restrictions option "only the list below" you should add the IP address of systems which you would like to allow to relay off your server.

    How does your Exchange Server send mail to the Internet? Does it use a smart host or simply DNS? If it uses a smart host then you should add the IP address of the smart host plus any other systems that you would like to use your system as a relay to this list.
    0
     

    Author Comment

    by:Evolutis
    Hi Sembee and munichpostman,

    I've now installed GFI Mail Essentials but nothing has changed. I'm also not able to know if the traffic is inbound or outbound.

    I've unchecked "Allow all computers which successfully authenticate" in the relay options.

    This server should not be used as a relay server, so what do I have to set in order to be SURE that nobody will use this server as a mail relay?

    Only DNS (not Smart Host) is used to send mails.

    Evolutis.
    0
     

    Author Comment

    by:Evolutis
    One more thing: I've used "Network Monitor" and it seems that one external IP address is talking a lot (inbound and outbound traffic) with this server using the SMTP port.

    How could I filter this address in Exchange or Windows in order to test whether this IP address is really the one responsible?

    Evolutis
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    First - have you done a whois to check who the IP address is assigned to? It might be your own ISP.
    I use the tools at Geek Tools: http://www.geektools.com/whois.php

    If you have verified that it is not someone you know, you can filter out the traffic using the options in Exchange.

    ESM, Admin Groups, <your admin group>, Servers, <your server>, Protocols, SMTP. Right click on Default SMTP Virtual Server and choose Properties. On the "Access" tab click "Connection". Where it says "Select which computers may access this virtual server", it should be "All except the list below". Click Add and enter the IP address that you wish to block.

    Simon.
    0
     

    Author Comment

    by:Evolutis
    I've added the suspected IP address and nothing has changed.

    I don't know how to determine if the traffic is inbound or outbound.

    What I can see is that around 15 e-mails have been waiting to go out for more than one week now and I cannot delete them... If it is an e-mail loop, how can I solve the problem?

    These e-mails stay in the queue even if I restart the server...!
    0
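One way to answer the inbound/outbound question raised in the comments above, as an added example that is not part of the original thread: on the server, the side of a TCP connection that holds port 25 shows who initiated it, so `netstat -an` output can be split by direction and counted per remote address. The netstat sample is constructed and uses documentation address ranges.

```python
import re
from collections import Counter

# Constructed `netstat -an` sample; addresses are documentation ranges,
# not values from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          203.0.113.77:4312      ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.77:4313      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.5:50211     TIME_WAIT
  TCP    192.0.2.10:3389        198.51.100.9:61000     ESTABLISHED
  TCP    192.0.2.10:1187        203.0.113.77:25        ESTABLISHED
  TCP    192.0.2.10:1188        203.0.113.77:25        SYN_SENT
"""

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def smtp_directions(netstat_text, smtp_port=25):
    """Count SMTP connections per remote IP, split by direction.

    inbound:  the remote host connected to our port 25 (we are the server)
    outbound: we connected to the remote host's port 25 (we are the client)
    """
    counts = {"inbound": Counter(), "outbound": Counter()}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(5) == "LISTENING":
            continue                    # header, UDP or listening socket
        _local_ip, local_port, remote_ip, remote_port, _state = m.groups()
        if int(local_port) == smtp_port:
            counts["inbound"][remote_ip] += 1
        elif int(remote_port) == smtp_port:
            counts["outbound"][remote_ip] += 1
    return counts

def both_directions(counts):
    """Remote IPs that both deliver mail to us and receive mail from us."""
    return sorted(set(counts["inbound"]) & set(counts["outbound"]))

if __name__ == "__main__":
    result = smtp_directions(SAMPLE_NETSTAT)
    for direction, per_ip in result.items():
        for ip, n in per_ip.most_common():
            print(f"{direction:9} {ip:15} {n}")
    print("seen in both directions:", both_directions(result))
```

A remote address that appears in both directions matches what Network Monitor showed in this thread and is worth comparing against the recipients of the messages stuck in the queue.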
     
    LVL 104

    Accepted Solution

    by:
    If you are sure there are no valid emails in the queue, then there is a technique which you can use to clear the queues right out. Once the queues have been cleared, monitor the server to see if they start to build again. If so then there is still a problem.
    The technique is outlined on my web site here: http://www.amset.info/exchange/spam-cleanup.asp
    It will flush every message in the queue so might catch any valid messages that users could send while you are working on it - so make sure that everyone knows not to send any messages.

    It's odd that the messages have hung around for a week as emails usually time out after 48 hours. I wonder if it is a loop...

    Simon.
    0
     

    Author Comment

    by:Evolutis
    Sembee,

    I've used the tool specified on your web page and all the old e-mails have gone.

    Since then, Exchange has been working normally for around 12 hours (looks like it was an e-mail loop).

    I hope the problem will not come back tomorrow morning... ;-)

    Thanks a lot for your help.

    Evolutis
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    Excellent. Good to hear that it has been cleared.
    Cheers for the points.

    Simon.
    0
