
Repeated administrator emails and SMTP queue filling up.

OK, I have a bit of a situation here.

My Exchange server is continually sending messages from Administrator to the administrative account (mine) saying "your message could not be delivered". I have scanned my PC for viruses and it comes up clean. The SMTP queues are filling up with undeliverable mail; I have had up to 1200 queues. I have no idea how to fix this. At first I thought the emails were coming externally, so I turned on recipient filtering as I saw it fixed this problem for someone else, but it made no difference.

I have Trend Micro ScanMail on the server and it constantly shows "message found from administrator at SMTP mailbox", about 5 per second. These are the non-delivery receipts by the look of it.

Any ideas? It's Exchange 2003 running on Server 2000.
Asked by: simon2323
munichpostman commented:
It sounds as if your Exchange server is an open relay.

Use Telnet to connect to port 25 of your Exchange server and try to send a mail from daffy@loonytoons.com to micky@disney.com.
If you are able to successfully send mail from loonytoons to an external domain (try your Hotmail or ISP account) then your Exchange server could very well be open to relay.

Please review this article and make sure that your SMTP virtual server is locked down.

http://www.winnetmag.com/MicrosoftExchangeOutlook/Articles/ArticleID/44183/pg/2/2.html

The following article is about Exchange 2000 but applies to 2003 as well:

http://support.microsoft.com/kb/310380/en-us
Sembee commented:
If the messages are NDRs then you could be subject to an NDR attack. This is where messages are sent to non-valid email addresses on purpose. They then bounce to the "sender", except the sender is also spoofed and is the real person that the spammer wants to send to.
There are some options in Exchange 2003 which will stop those from even being delivered.
http://www.amset.info/exchange/filterunknown.asp

If the emails are going in to the administrator account, then it may also be the administrator account has been compromised. As a precaution I would consider changing the administrator account password as well.
As for clearing the queues there are a number of processes that you can use. These could catch valid emails as well, so you may have to wait until they have been delivered. I have outlined them on my web site:
http://www.amset.info/exchange/spam-cleanup.asp

Simon.
Maharajkp commented:
If it is an NDR attack, and as you are running E2k3, you can very well prevent that from happening next time.

In the properties of "Message Delivery", go to "Recipient Filtering" and enable the check box "Filter recipients who are not in the Directory".
Apply this filter on the "Default SMTP Virtual Server".
Restart SMTP.

and you won't be a target of NDR spam.
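As an added illustration (not code from this thread, from Exchange, or from the linked articles), the simulated SMTP policy below shows both checks the answers above describe: the telnet relay test from daffy@loonytoons.com to micky@disney.com, and why "Filter recipients who are not in the Directory" stops NDR backscatter at RCPT TO instead of accepting the message and bouncing it to the spoofed sender. The domain example.local, its directory, the client transcripts and the reply texts are constructed sample data.

```python
import re

# Constructed sample data: the domain this server accepts mail for and its directory.
LOCAL_DOMAINS = {"example.local"}
DIRECTORY = {"administrator@example.local", "simon@example.local"}
ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")

def is_local(address):
    return address.rsplit("@", 1)[1].lower() in LOCAL_DOMAINS

def rcpt_decision(recipient, *, authenticated, filter_unknown):
    """SMTP reply for RCPT TO under the two protections discussed in the thread.
    Non-local recipient, unauthenticated client: refuse to relay (an open relay
    answers 250 here, which is what the telnet test detects).
    Local recipient not in the directory: with recipient filtering on, refuse it in
    the session so no NDR is created; with it off, the message is accepted and the
    server must later bounce it to the (spoofed) MAIL FROM address.
    """
    if not is_local(recipient):
        return "250 2.1.5 Recipient OK" if authenticated else "550 5.7.1 Unable to relay"
    if recipient.lower() not in DIRECTORY and filter_unknown:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient OK"

def run_session(commands, *, authenticated=False, filter_unknown=True):
    """Run a scripted client transcript; return (replies, bounce_targets), where
    bounce_targets are the MAIL FROM addresses that would receive an NDR because a
    message for a non-existent local mailbox was accepted (the backscatter seen here).
    """
    replies, bounce_targets, sender = [], [], ""
    for line in commands:
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        match = ADDR_RE.search(line)
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example.local Hello")
        elif verb == "MAIL":
            sender = match.group(1) if match else ""  # "" is the null sender MAIL FROM:<>
            replies.append("250 2.1.0 Sender OK")
        elif verb == "RCPT" and match:
            rcpt = match.group(1)
            reply = rcpt_decision(rcpt, authenticated=authenticated, filter_unknown=filter_unknown)
            if reply.startswith("250") and is_local(rcpt) and rcpt.lower() not in DIRECTORY:
                bounce_targets.append(sender)  # accepted but undeliverable: an NDR will follow
            replies.append(reply)
        elif verb == "QUIT":
            replies.append("221 2.0.0 Service closing")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies, bounce_targets
```

Running the spoofed-sender transcript with filter_unknown=False returns the administrator address in bounce_targets, which is exactly the stream of NDRs the original poster saw; with the filter on, the RCPT TO is refused and nothing is queued.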
simon2323 (Author) commented:
I have checked the "filter recipients who are not in the directory" option. Have read about the open relay and have checked, and from what I can tell I'm not open. Have unplugged the server from the LAN and the emails are still being generated. Trend Micro ServerProtect has detected viruses in the queues but can't remove them? Have obviously updated the definitions etc. Administrator account password has been changed. Have also installed the Microsoft Exchange 2003 message filter.

The queues keep filling up even when I'm not on the net so I can't clear them fast enough. Can I rename the folder and replace it with an empty one?

my server is now shutting down intermittently.

this sucks!
simon2323 (Author) commented:
Also, if I delete the administrator's mailbox they come from the "First Administrative Group".
Sembee commented:
ESM is not capable of showing all the messages that are in the queue. Therefore if you have been the victim of an authenticated user or NDR attack, then the queues will appear to continue to increase while Exchange processes the messages.
You need to get those queues cleared - there are a couple of techniques, which I have outlined in the second page I linked to above. Once the queues are clear then you can put the machine back on the Internet.

Simon.