repeated administrator emails and smtp queue filling up.

Ok, I have a bit of a situation here.

My Exchange server is continually sending messages from Administrator to the administrative account (mine) saying "your message could not be delivered". I have scanned my PC for viruses and it comes up clean. The SMTP queue is filling up with undeliverable mail; I have had up to 1200 queues. I have no idea how to fix this. At first I thought the emails were coming externally, so I turned on recipient filtering as I saw it fixed this problem for someone else, but it made no difference.

I have Trend Micro ScanMail on the server and it constantly shows "message found from administrator at SMTP mailbox", about 5 per second. These are the non-delivery receipts by the look of it.

Any ideas? It's Exchange 2003 running on Server 2000.
simon2323Asked:

munichpostmanCommented:
It sounds as if your exchange server is open relay.

Use Telnet to go to port 25 of your Exchange server and try and send a mail from daffy@loonytoons.com to micky@disney.com
If you are able to successfully send mail from loonytoons to an external domain (try your hotmail or isp account) then your Exchange Server could very well be open to relay.

Please review this article and make sure that your smtp virtual server is locked down.

http://www.winnetmag.com/MicrosoftExchangeOutlook/Articles/ArticleID/44183/pg/2/2.html


The following article is about Exchange 2000 but applies to 2003 as well

http://support.microsoft.com/kb/310380/en-us
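The telnet relay test above, automated as an added example (not code from any poster in this thread): it runs EHLO, MAIL FROM an address in a domain the server does not host, RCPT TO an address in a second external domain, and then QUITs before DATA so nothing is ever queued. The host, port and the two addresses are placeholders; a 2xx reply to the external RCPT TO is the open-relay signature, a 550 "Unable to relay" is what a locked-down SMTP virtual server returns.

```python
"""Open-relay probe for your own SMTP server (run from outside the LAN too)."""
import smtplib
import socket

# Constructed placeholder addresses: neither domain is hosted by the server.
SENDER = "daffy@loonytoons.com"
RECIPIENT = "micky@disney.com"


def classify_rcpt_reply(code: int) -> str:
    """Turn the RCPT TO reply code into a verdict.

    2xx: the server accepted a foreign recipient for a foreign sender,
         i.e. it would relay.
    5xx: relay refused (Exchange answers 550 "Unable to relay").
    4xx: temporary refusal (greylisting, resource limits); re-test later.
    """
    if 200 <= code < 300:
        return "OPEN RELAY"
    if 500 <= code < 600:
        return "relay denied"
    if 400 <= code < 500:
        return "temporary failure, retest"
    return "unexpected reply"


def check_open_relay(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Perform the relay probe against host:port and return the verdict."""
    try:
        # The context manager sends QUIT and closes the socket on exit.
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            code, _ = smtp.mail(SENDER)
            if code != 250:
                return f"MAIL FROM refused ({code}); sender filtering active"
            code, _ = smtp.rcpt(RECIPIENT)
            # Stop here: no DATA, so nothing is queued even if relay is open.
            return classify_rcpt_reply(code)
    except (socket.error, smtplib.SMTPException) as exc:
        return f"could not complete probe: {exc}"


if __name__ == "__main__":
    import sys
    # Placeholder host; pass your Exchange server's name or IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    print(check_open_relay(target))
```

Run it once from a machine on the LAN and once from an external connection; an internal client may be allowed to relay by design while the external answer must be "relay denied".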
SembeeCommented:
If the messages are NDRs then you could be subject to an NDR attack. This is where messages are sent to non-valid email addresses on purpose. They then bounce to the "sender". Except the sender is also spoofed and is the real person that the spammer wants to send to.
There are some options in Exchange 2003 which will stop those from even being delivered.
http://www.amset.info/exchange/filterunknown.asp

If the emails are going in to the administrator account, then it may also be that the administrator account has been compromised. As a precaution I would consider changing the administrator account password as well.
As for clearing the queues there are a number of processes that you can use. These could catch valid emails as well, so you may have to wait until they have been delivered. I have outlined them on my web site:
http://www.amset.info/exchange/spam-cleanup.asp

Simon.
MaharajkpCommented:
If it is an NDR attack... and as you are running E2k3, you can very well prevent that happening next time.

On the property page of "Message Delivery" go to "Recipient Filtering" and enable the check box "Filter Recipients who are not in the Directory".
Apply this filter on "Default SMTP Virtual Server".
Restart SMTP.

And you won't be a target of NDR spam.

simon2323Author Commented:
I have checked "filter recipients who are not in the directory". Have read about the open relay and have checked, and from what I can tell I'm not open. Have unplugged the server from the LAN and the emails are still being generated. Trend Micro ServerProtect has detected viruses in the queues but can't remove them? Have obviously updated the definitions etc. Administrator account password has been changed. Have also installed the Microsoft Exchange 2003 message filter.

The queues keep filling up even when I'm not on the net, so I can't clear them fast enough. Can I rename the folder and replace it with an empty one?

My server is now shutting down intermittently.

This sucks!
simon2323Author Commented:
Also, if I delete the administrator's mailbox they come from the "First Administrative Group".
SembeeCommented:
ESM is not capable of showing all the messages that are in the queue. Therefore if you have been the victim of an authenticated user or NDR attack, then the queues will appear to continue to increase while Exchange processes the messages.
You need to get those queues cleared - there are a couple of techniques, which I have outlined in the second page I linked to above. Once the queues are clear then you can put the machine back on the Internet.

Simon.