simon2323


Repeated administrator emails and SMTP queue filling up.

OK, I have a bit of a situation here.

My Exchange server is continually sending messages from administrator to administrative account (mine) saying your message could not be delivered. I have scanned my PC for viruses and it comes up clean. The SMTP queues are filling up with undeliverable mail; I have had up to 1200 queues. I have no idea how to fix this. At first I thought the emails were coming externally, so I turned on recipient filtering as I saw it fixed this problem for someone else, but it made no difference.

I have Trend Micro ScanMail on the server and it constantly shows message found from administrator at SMTP mailbox, about 5 per second. These are the non-delivery receipts by the look of it.

Any ideas? It's Exchange 2003 running on Server 2000.
Member_2_1821405

It sounds as if your exchange server is open relay.

Use Telnet to go to port 25 of your Exchange server and try and send a mail from daffy@loonytoons.com to micky@disney.com
If you are able to successfully send mail from loonytoons to an external domain (try your hotmail or isp account) then your Exchange Server could very well be open to relay.

Please review this article and make sure that your smtp virtual server is locked down.

http://www.winnetmag.com/MicrosoftExchangeOutlook/Articles/ArticleID/44183/pg/2/2.html


The following article is about Exchange 2000 but applies to 2003 as well

http://support.microsoft.com/kb/310380/en-us
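
The Telnet relay test described in the answer above, scripted as an added example (not code from the thread or from any participant). It offers one external-to-external envelope, stops after RCPT TO and resets, so nothing is queued. The probe addresses on the reserved example.org and example.net domains and the names `probe_relay` and `check_host` are assumptions made for this example.

```python
import smtplib
import sys

# Assumed probe addresses on reserved example domains; neither is local to the server.
PROBE_SENDER = "relaytest@example.org"
PROBE_RCPT = "relaytest@example.net"


def probe_relay(smtp, sender=PROBE_SENDER, rcpt=PROBE_RCPT):
    """Offer one external-to-external envelope and classify the server's reply.

    `smtp` is a connected smtplib.SMTP (or an object with the same methods).
    The probe stops after RCPT TO and resets, so no message is ever queued.
    """
    smtp.ehlo_or_helo_if_needed()
    code, reply = smtp.mail(sender)
    if code != 250:
        return "closed", f"MAIL FROM refused: {code} {reply.decode(errors='replace')}"
    code, reply = smtp.rcpt(rcpt)
    smtp.rset()  # drop the envelope instead of going on to DATA
    text = f"{code} {reply.decode(errors='replace')}"
    if code in (250, 251):
        # The server took a foreign recipient from a foreign sender.
        return "open-relay-suspected", text
    if 400 <= code < 500:
        return "inconclusive", text  # temporary failure, retry later
    return "closed", text  # 5xx refusal of the relay attempt


def check_host(host, port=25, timeout=15):
    """Run the probe against a server you administer."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return probe_relay(smtp)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: relay_probe.py <your-exchange-host>")
    verdict, detail = check_host(sys.argv[1])
    print(f"{verdict}: {detail}")
```

Run it from a machine outside your own network as well as from inside, because relay permission on an SMTP virtual server can be granted by IP address and the two results may differ.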
If the messages are NDRs then you could be subject to an NDR attack. This is where messages are sent to non-valid email addresses on purpose. They then bounce to the "sender". Except the sender is also spoofed and is the real person that the spammer wants to send to.
There are some options in Exchange 2003 which will stop those from even being delivered.
http://www.amset.info/exchange/filterunknown.asp

If the emails are going in to the administrator account, then it may also be the administrator account has been compromised. As a precaution I would consider changing the administrator account password as well.
As for clearing the queues there are a number of processes that you can use. These could catch valid emails as well, so you may have to wait until they have been delivered. I have outlined them on my web site:
http://www.amset.info/exchange/spam-cleanup.asp

Simon.
If it is an NDR attack ... and as you are running E2k3, you can very well prevent that happening next time.

On the Property of "Message Delivery" go to "Recipient Filtering" and enable the check box "Filter Recipients who are not in the Directory"
Apply this Filter on "Default SMTP Virtual Server"
Restart SMTP

and you won't be a target of NDR spam

ASKER

I have checked the filter recipients who are not in the directory. Have read about the open relay and have checked, and from what I can tell I'm not open. Have unplugged the server from the LAN and the emails are still being generated. Trend Micro ServerProtect has detected viruses in the queues but can't remove them? Have obviously updated the definitions etc. Administrator account password has been changed. Have also installed the Microsoft Exchange 2003 message filter.

The queues keep filling up even when I'm not on the net so I can't clear them fast enough. Can I rename the folder and replace it with an empty one?

My server is now shutting down intermittently.

This sucks!
Also, if I delete the administrator's mailbox they come from the "first administrative group".
ASKER CERTIFIED SOLUTION
Sembee