Solved

SMTP service saturates DSL Internet connection

Posted on 2004-10-24
Last Modified: 2010-05-19
Hi,

I have an Exchange 2000 Server on which the SMTP service completely saturates the DSL Internet connection.

It means that all computers on the network have a really slow Internet connection.

I've checked for spyware and everything is OK.

I've also installed SP3 + the Security Roll-Up Package.

The reinstallation of the Service Pack 4 (Windows 2000 Server) does not change anything.

Any ideas?

Regards.

Evolutis
0
Question by:Evolutis
14 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 12394129
Have you looked at the Exchange server to see if there is anything in the queues?
It could be an NDR attack or some other relay attempt. This should be evident on the Exchange server itself.

How did you diagnose that it was Exchange SMTP that was saturating the connection?

Simon.
0
 

Author Comment

by:Evolutis
ID: 12394283
Hi Sembee,

The queue has around 10 e-mails waiting to be sent. The saturation of the bandwidth seems to slow down this operation a lot.

I'm sure about the fact that this server is not a relay server but I don't know anything about NDR attacks. How could I protect this server against this kind of attack (the network is protected by a hardware firewall)?

I've tried to isolate the process saturating the Internet bandwidth by using ZoneAlarm (I was first thinking about spyware), but it didn't work.

After trying to stop Exchange services, I saw that everything came back to normal.

After several tries, I've isolated the SMTP service. If this service is stopped, everything is OK.

Evolutis
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12394324
If the queue has very little in it, then it might be an email loop. Have you managed to identify whether the SMTP traffic is inbound or outbound?

As for an NDR attack, there isn't anything you can do in Exchange 2000 natively. What you might want to do is look at putting something like GFI Mail Essentials into the mix. This will sit between the Internet and your Exchange server and can filter the email out.

You might end up having to flush those messages out of the queue and see if things settle down.

Simon.
0

 
LVL 10

Expert Comment

by:munichpostman
ID: 12394329
Go to the access tab of the SMTP virtual server.
Click on the authentication tab
Which options do you have selected?

Under the relay restrictions tab, which settings do you have?
Also you will need to test that your system is not open to relaying.
kb153119 describes this process.
0
 

Author Comment

by:Evolutis
ID: 12397695
OK, do you know if I could download a 30-day version of GFI Mail Essentials?

On the Access tab of the SMTP virtual server I have these options selected:

- Anonymous access
- Basic authentication
- Integrated Windows Authentication

Relay restrictions have the option "Only the list below" selected without computers in the list. The option "Allow all computers which successfully authenticate to relay, regardless of the list above" is also selected.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12399354
There is a trial version of Mail Essentials available. You could run it for that time and then see if the people who hold the purse strings will let you purchase it. It is one of the most useful utilities you can put on to an Exchange server.

As for the relay restrictions - do you have people sending email from Outlook Express or other POP3/SMTP email clients? If not, then you can disable the "Allow all computers which successfully authenticate..." option.

Simon.
0
 
LVL 10

Expert Comment

by:munichpostman
ID: 12399539


"Relay restrictions have the option "Only the list below" selected without computers in the list. The option "Allow all computers which successfully authenticate to relay, regardless of the list above" is also selected"

There is a known attack which exploits Exchange SMTP Virtual servers which have the above option selected. It could be that someone has cracked one of your passwords and is relaying off your server.

On the Relay restrictions option "only the list below" you should add the IP address of systems which you would like to allow to relay off your server.

How does your Exchange Server send mail to the Internet? Does it use a smart host or simply DNS? If it uses a smart host then you should add the IP address of the smart host plus any other systems that you would like to use your system as a relay to this list.
0
 

Author Comment

by:Evolutis
ID: 12419167
Hi Sembee and munichpostman,

I've now installed GFI Mail Essentials but nothing has changed. I'm also not able to know if the traffic is inbound or outbound.

I've unchecked "Allow all computers which successfully authenticate" in the relay options.

This server should not be used as a relay server, so what do I have to set in order to be SURE that nobody will use this server as a mail relay?

Only DNS (not Smart Host) is used to send mails.

Evolutis.
0
 

Author Comment

by:Evolutis
ID: 12419204
One more thing, I've used "Network Monitor" and it seems that one external IP address is talking a lot (inbound and outbound traffic) with this server by using the SMTP port.

How could I filter this address in Exchange or Windows in order to test if this IP address is really the one responsible?

Evolutis
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12422739
First - have you done a whois to check who the IP address is assigned to? It might be your own ISP.
I use the tools at Geek Tools: http://www.geektools.com/whois.php

If you have verified that it is not someone you know, you can filter out the traffic using the options in Exchange.

ESM, Admin Groups, <your admin group>, Servers, <your server>, Protocols, SMTP. Right click on Default SMTP Virtual Server and choose Properties. On the "Access" tab click "Connection". Where it says "Select which computers may access this virtual server", it should be "All except the list below". Click Add and enter the IP address that you wish to block.

Simon.
0
 

Author Comment

by:Evolutis
ID: 12456309
I've added the IP of the suspected address and nothing has changed.

I don't know how to determine if the traffic is inbound or outbound.

What I can see is that around 15 e-mails have been waiting to go out for more than one week now and I cannot delete them... If it is an e-mail loop, how can I solve the problem?

These e-mails stay in the queue even if I restart the server...!
0
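
For the question of whether the SMTP traffic is inbound or outbound and which peer is responsible, here is an added example (not part of any post in this thread) that totals commands and bytes per remote IP and session direction from the SMTP virtual server's W3C extended log. It assumes logging is enabled with the c-ip, cs-method, sc-bytes and cs-bytes fields, and that outbound sessions are logged with a cs-method beginning "OutboundConnection"; the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample in W3C extended format (not taken from the thread);
# 203.0.113.x and 198.51.100.x are documentation-only addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method sc-status sc-bytes cs-bytes
2004-10-24 09:00:01 203.0.113.9 EHLO 250 180 20
2004-10-24 09:00:02 203.0.113.9 MAIL 250 45 38
2004-10-24 09:00:02 203.0.113.9 RCPT 250 30 34
2004-10-24 09:00:09 203.0.113.9 DATA 250 125 512000
2004-10-24 09:00:10 198.51.100.7 OutboundConnectionCommand 0 0 4
2004-10-24 09:00:11 198.51.100.7 OutboundConnectionResponse 0 0 60
2004-10-24 09:01:15 203.0.113.9 DATA 250 125 498000
"""

def summarize(log_text):
    """Return {(peer_ip, direction): [commands, bytes]} from W3C log text."""
    fields, totals = [], defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order comes from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        method = row.get("cs-method", "-")
        # Assumption: sessions this server opened are logged as OutboundConnection*.
        direction = "outbound" if method.startswith("OutboundConnection") else "inbound"
        nbytes = sum(int(row[k]) for k in ("sc-bytes", "cs-bytes") if row.get(k, "-").isdigit())
        entry = totals[(row.get("c-ip", "-"), direction)]
        entry[0] += 1
        entry[1] += nbytes
    return dict(totals)

def top_talkers(log_text, n=3):
    """Return the n busiest (ip, direction, commands, bytes) tuples by bytes."""
    ranked = sorted(summarize(log_text).items(), key=lambda kv: kv[1][1], reverse=True)
    return [(ip, direction, cmds, nbytes) for (ip, direction), (cmds, nbytes) in ranked[:n]]

if __name__ == "__main__":
    for ip, direction, cmds, nbytes in top_talkers(SAMPLE_LOG):
        print(f"{ip:15} {direction:8} commands={cmds:3} bytes={nbytes}")
```

A single peer dominating the inbound total points at an external sender; a large outbound total to one address fits queued mail being retried or looping.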
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 12456906
If you are sure there are no valid emails in the queue, then there is a technique which you can use to clear the queues right out. Once the queues have been cleared, monitor the server to see if they start to build again. If so then there is still a problem.
The technique is outlined on my web site here: http://www.amset.info/exchange/spam-cleanup.asp
It will flush every message in the queue so might catch any valid messages that users could send while you are working on it - so make sure that everyone knows not to send any messages.

It's odd that the messages have hung around for a week as emails usually time out after 48 hours. I wonder if it is a loop...

Simon.
0
 

Author Comment

by:Evolutis
ID: 12464510
Sembee,

I've used the tool specified on your web page and all old e-mails have gone.

Since then, Exchange has been working normally for around 12 hours (looks like it was an e-mail loop).

I hope the problem will not come back tomorrow morning... ;-)

Thanks a lot for your help.

Evolutis
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12488542
Excellent. Good to hear that it has been cleared.
Cheers for the points.

Simon.
0
