Solved

repeated administrator emails and smtp queue filling up.

Posted on 2004-10-28
786 Views
Last Modified: 2012-05-05
ok, i have a bit of a situation here.

my exchange server is continually sending messages from administrator to the administrative account (mine) saying your message could not be delivered. i have scanned my pc for viruses and it comes up clean. the smtp queues are filling up with undeliverable mail, i have had up to 1200 queues. I have no idea how to fix this. At first i thought the emails were coming externally so i turned on recipient filtering as i saw it fixed this problem for someone else but it made no difference.

i have trendmicro scan mail on the server and it constantly shows message found from administrator at smtp mailbox, about 5 per second. these are the non delivery receipts by the look of it.

any ideas? it's exchange 2003 running on server 2000.
0
Question by:simon2323
    6 Comments
     
    LVL 10

    Expert Comment

    by:munichpostman
    It sounds as if your exchange server is an open relay.

    Use Telnet to go to port 25 of your Exchange server and try and send a mail from daffy@loonytoons.com to micky@disney.com
    If you are able to successfully send mail from loonytoons to an external domain (try your hotmail or isp account) then your Exchange Server could very well be open to relay.

    Please review this article and make sure that your smtp virtual server is locked down.

    http://www.winnetmag.com/MicrosoftExchangeOutlook/Articles/ArticleID/44183/pg/2/2.html


    The following article is about Exchange 2000 but applies to 2003 as well

    http://support.microsoft.com/kb/310380/en-us
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    If the messages are NDRs then you could be subject to an NDR attack. This is where messages are sent to non-valid email addresses on purpose. They then bounce to the "sender". Except the sender is also spoofed and is the real person that the spammer wants to send to.
    There are some options in Exchange 2003 which will stop those from even being delivered.
    http://www.amset.info/exchange/filterunknown.asp

    If the emails are going in to the administrator account, then it may also be the administrator account has been compromised. As a precaution I would consider changing the administrator account password as well.
    As for clearing the queues there are a number of processes that you can use. These could catch valid emails as well, so you may have to wait until they have been delivered. I have outlined them on my web site:
    http://www.amset.info/exchange/spam-cleanup.asp

    Simon.
    0
     
    LVL 5

    Expert Comment

    by:Maharajkp
    If it is an NDR Attack ... and as you are running E2k3, you can very well prevent that happening next time.

    On the Property of "Message Delivery" go to "Recipient Filtering" and enable the Check box "Filter Recipients who are not in the Directory"
    Apply this Filter on "Default SMTP Virtual Server"
    Restart SMTP

    and you won't be a target of NDR Spam
    0
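As an added example (not code from any of the posters), a Python script that automates the two checks discussed above against your own server: munichpostman's telnet relay test (external sender to external recipient) and the unknown-local-recipient acceptance that makes the NDR attack Sembee and Maharajkp describe possible when recipient filtering is off. The host, port, domain and mailbox names are placeholders; the session is reset before DATA, so nothing is ever queued or sent.

```python
# Added example: audit your OWN Exchange SMTP virtual server for
#  1. open relay: RCPT TO an external domain from an external sender is accepted
#  2. NDR-attack exposure: RCPT TO a non-existent local user is accepted
#     (recipient filtering off), so the message bounces later as an NDR
# Assumed/placeholder values: host, port, local_domain and the addresses below.
# No message is delivered: each probe ends with RSET + QUIT before DATA.
import smtplib


def classify_rcpt(code: int, message: bytes) -> str:
    """Map the RCPT TO reply to a verdict. 250 means the server would accept
    the recipient; a 55x reply means it was refused at the SMTP stage, which
    is the desired result for both probes."""
    text = message.decode(errors="replace").lower()
    if code == 250:
        return "accepted"
    if code in (550, 551, 553, 554) and ("relay" in text or "5.7.1" in text):
        return "relay denied"          # e.g. "550 5.7.1 Unable to relay for ..."
    if code in (550, 553) and ("5.1.1" in text or "unknown" in text):
        return "recipient rejected"    # e.g. "550 5.1.1 User unknown"
    return f"rejected ({code})"


def probe(host: str, port: int, mail_from: str, rcpt_to: str, timeout: int = 10) -> str:
    """One SMTP probe: EHLO, MAIL FROM, RCPT TO, then RSET and QUIT (no DATA)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        code, msg = s.mail(mail_from)
        if code != 250:
            return f"sender rejected ({code})"
        code, msg = s.rcpt(rcpt_to)
        s.rset()                       # abandon the transaction; nothing is queued
        return classify_rcpt(code, msg)


def audit(host: str = "localhost", port: int = 25, local_domain: str = "example.com") -> dict:
    # Probe 1: external -> external. "accepted" means the server is an open relay.
    relay = probe(host, port, "daffy@loonytoons.com", "micky@disney.com")
    # Probe 2: external -> bogus local user. "accepted" means the server will
    # accept and then NDR the message, so it can be used for NDR (backscatter) spam.
    bogus = probe(host, port, "daffy@loonytoons.com", f"no-such-user-xyz@{local_domain}")
    return {"open_relay": relay == "accepted",
            "accepts_unknown_recipients": bogus == "accepted"}


if __name__ == "__main__":
    print(audit())
```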
     

    Author Comment

    by:simon2323
    I have checked the filter recipients who are not in the directory. Have read about the open relay and have checked and from what i can tell I'm not open. have unplugged the server from the lan and the emails are still being generated. trend micro server protect has detected viruses in the queues but can't remove them? have obviously updated the definitions etc. Administrator account password has been changed. have also installed the microsoft exchange 2003 message filter.

    the queues keep filling up even when I'm not on the net so i can't clear them fast enough, can i rename the folder and replace it with an empty one?

    my server is now shutting down intermittently.

    this sucks!
    0
     

    Author Comment

    by:simon2323
    also if i delete the administrator's mailbox they come from the "first administrative group"
    0
     
    LVL 104

    Accepted Solution

    by:
    ESM is not capable of showing all the messages that are in the queue. Therefore if you have been the victim of an authenticated user or NDR attack, then the queues will appear to continue to increase while Exchange processes the messages.
    You need to get those queues cleared - there are a couple of techniques, which I have outlined in the second page I linked to above. Once the queues are clear then you can put the machine back on the Internet.

    Simon.
    0
