Solved

Exchange 2003 Mail Queues....Not Open Relay

Posted on 2004-11-01
Last Modified: 2012-05-05
I have tested and re-tested my Exchange Server for Open Relay....Everything I have checked says my Server is secure.  If that is the case, then how do my mail queues keep filling up with junk mail from other domains?

I have over 1000 Queues, one to AOL with 18000 messages in it, and I have no idea how they got there or where they came from.

Any help would be greatly appreciated.

Parry Sands
0
Question by:pasands
    20 Comments
     
    LVL 1

    Assisted Solution

    by:nwalter
    It sounds like you have an authenticated user sending the junk mail, or rather a virus of some sort on an authenticated user's machine.  Take a look at the message headers in the queues and see what info shows up there; try to find out if it's a machine on your local network or one outside on the internet.

    Other steps would be to get a packet sniffer loaded on your network and examine the packets being sent to your exchange server.  You should see a username or two show up; when you do, try disabling that account in AD.  Once the mail stops you've found which account it was being sent from.  You may have to restart the SMTP service once or twice to force whatever computer is out there to re-authenticate.
    0
     
    LVL 104

    Accepted Solution

    by:Sembee
    Could be one of the usual three...

    1. Open relay
    2. Authenticated user
    3. NDR.

    Open relay is easy to test for, there are web sites that do that.

    Authenticated user can be detected by turning up logging.
    If you don't have any users connecting to Exchange with SMTP (Outlook Express etc) then you can disable the ability for an authenticated user to relay.

    NDR attack is where messages are sent to your server with an invalid user on purpose, Exchange bounces them, except the from address is spoofed as well and is the real victim.
    These can be spotted as the addresses in the queues are from either postmaster@ or <>

    Without knowing the Exchange version it is difficult to know what to recommend. If it is Exchange 200x then I have an article on my web site which will help you identify which one it is and then clear the queues out. Remember that Exchange cannot show all the messages in the queues if the queues are extensive, so it can take a while to flush them out.

    http://www.amset.info/exchange/spam-cleanup.asp

    I doubt whether it is a virus. Most of the mass mailing worms use their own SMTP engine, they don't rely on another one.

    Simon.
    0
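    The relay test Simon mentions, written out as an added example (not code from this thread or from Exchange) so both sides of the exchange can be seen offline. The probe sends exactly what an admin types into telnet: HELO, MAIL FROM with an outside sender, RCPT TO with an outside recipient, then QUIT, and never reaches DATA. A server that is not an open relay refuses at RCPT with a 5xx; Exchange 2003 answers "550 5.7.1 Unable to relay". The fake server, LOCAL_DOMAINS and the hostnames are assumptions that stand in for the real virtual server.

```python
"""Open-relay probe with both sides of the SMTP exchange, run offline.

Added example for this thread, not Exchange's code. The fake server stands
in for the Exchange SMTP virtual server; LOCAL_DOMAINS and all hostnames
are assumptions.
"""
import socket
import threading

LOCAL_DOMAINS = {"example.com"}  # assumption: domains the server accepts mail for


def fake_smtp_server(sock, local_domains, allow_relay=False):
    """Accept RCPT for local domains only, unless allow_relay (an open relay)."""
    f = sock.makefile("rwb", buffering=0)
    f.write(b"220 mail.example.com ESMTP ready\r\n")
    while True:
        line = f.readline()
        if not line:
            break
        verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            f.write(b"250 mail.example.com Hello\r\n")
        elif verb == "MAIL":
            f.write(b"250 2.1.0 Sender OK\r\n")
        elif verb == "RCPT":
            addr = arg.split("<", 1)[-1].rstrip(">")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain in local_domains or allow_relay:
                f.write(b"250 2.1.5 Recipient OK\r\n")
            else:
                f.write(b"550 5.7.1 Unable to relay\r\n")
        elif verb == "QUIT":
            f.write(b"221 2.0.0 Bye\r\n")
            break
        else:
            f.write(b"500 5.5.1 Command unrecognized\r\n")
    sock.close()


def smtp_cmd(f, cmd):
    """Send one command and return (reply code, reply line); single-line replies."""
    f.write(cmd.encode("ascii") + b"\r\n")
    reply = f.readline().decode("ascii", "replace").strip()
    return int(reply[:3]), reply


def relay_probe(sock, sender="probe@outside.example", rcpt="victim@elsewhere.example"):
    """Return (is_open_relay, transcript). Stops before DATA, so no mail is sent."""
    f = sock.makefile("rwb", buffering=0)
    transcript = ["S: " + f.readline().decode("ascii", "replace").strip()]  # banner
    open_relay = False
    for cmd in ("HELO probe.example", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>"):
        code, reply = smtp_cmd(f, cmd)
        transcript += ["C: " + cmd, "S: " + reply]
        if code >= 400:
            break
        open_relay = cmd.startswith("RCPT")  # only a 2xx to the outside RCPT counts
    smtp_cmd(f, "QUIT")
    sock.close()
    return open_relay, transcript


def run_probe(allow_relay):
    """Wire the probe to the fake server over a socketpair and return its verdict."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_smtp_server, args=(server, LOCAL_DOMAINS, allow_relay))
    t.start()
    verdict, transcript = relay_probe(client)
    t.join()
    return verdict, transcript


if __name__ == "__main__":
    for relay in (False, True):
        verdict, transcript = run_probe(relay)
        print("open relay:", verdict)
        print("\n".join(transcript))
```

    Against a real server, run the probe from an address outside your own network and outside anything listed on the relay tab, otherwise you are testing your own exemption rather than what the world sees. The probe never authenticates, so a clean result says nothing about the authenticated-user path in Simon's list; that has to come from the SMTP log.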
     
    LVL 104

    Expert Comment

    by:Sembee
    Oops.. I copied that response from another question which I just answered and realise that you have said which version of Exchange it is. Ignore the comment about not knowing...

    Simon.
    0
     

    Author Comment

    by:pasands
    I went to the website, and followed the steps for checking my server.  Everything appears to be closed to relay, all of the tests from the Web, and using telnet responded with ...Unable to Relay....as they were supposed to...  I went through and checked all of my settings as well, and they look ok.  I deleted the queues, and watched it until about 1 this morning, and it looked ok, but when I checked this morning, the queues were again over 200, and the event logs were filling up as well.

    Here are some samples of what I am getting in the Application Log.  There are literally hundreds in there, but this appears to be a good sample..


    This is an SMTP protocol error log for virtual server ID 1, connection #1. The remote host "207.115.57.16", responded to the SMTP command "rcpt" with "553 5.3.0 <may2254@swbell.net>... Addressee unknown, relay=[My IP Address]  ". The full command sent was "RCPT TO:<may2254@swbell.net>  ".  This will probably cause the connection to fail


    A non-delivery report with a status code of 5.3.0 was generated for recipient rfc822;may2254@swbell.net (Message-ID <LANTZfogkJXrRjbDt3H0000000a@my-domain.com>).  
    Causes: Exchange mistakenly attempted mail delivery to an incorrect MTA route.  
    For more information, click http://www.microsoft.com/contentredirect.asp.    
    Solution: Check your route and topology; use the winroute tool to ensure the routes are properly replicated between servers and routing groups.


    This is an SMTP protocol error log for virtual server ID 1, connection #2. The remote host "207.218.192.49", responded to the SMTP command "rcpt" with "550 unknown user <debvanatta@ev1.net>  ". The full command sent was "RCPT TO:<debvanatta@ev1.net>  ".  This will probably cause the connection to fail.


    This is an SMTP protocol error log for virtual server ID 1, connection #3. The remote host "208.45.133.107", responded to the SMTP command "rcpt" with "550 <pattyjgvox@excite.com>: Recipient address rejected: User unknown in virtual alias table  ". The full command sent was "RCPT TO:<pattyjgvox@excite.com>  ".  This will probably cause the connection to fail.


    A non-delivery report with a status code of 5.3.0 was generated for recipient rfc822;cangy@swbell.net (Message-ID <LANTZIkyPzGNsokLQ8a00000013@my-domain.com>).  
    Causes: Exchange mistakenly attempted mail delivery to an incorrect MTA route.  
    For more information, click http://www.microsoft.com/contentredirect.asp.    
    Solution: Check your route and topology; use the winroute tool to ensure the routes are properly replicated between servers and routing groups.


    This is an SMTP protocol error log for virtual server ID 1, connection #7. The remote host "207.69.200.82", responded to the SMTP command "rcpt" with "550 sfcl494811@mindspring.com...User unknown  ". The full command sent was "RCPT TO:<sfcl494811@mindspring.com>  ".  This will probably cause the connection to fail.


    This is an SMTP protocol warning log for virtual server ID 1, connection #19. The remote host "208.36.123.55", responded to the SMTP command "rcpt" with "450 <sapidlest@att.net>: No thank you rejected: Domain not found  ". The full command sent was "RCPT TO:<jaldal1060@mailcity.com>  ".  This may cause the connection to fail.
    0
     
    LVL 104

    Assisted Solution

    by:Sembee
    That has ruled out open relay.
    Leaves the last two.

    What you are seeing above are NDRs. But for those NDRs to be generated the messages have to be hitting the server.

    Have you got diagnostic logging turned up? That might be generating the messages.

    Couple of things to try.
    If it is an NDR attack then you have a setting you can adjust in Exchange 2003 which will stop those in their tracks. You may have already done it as my article on spam cleanup mentions it. That is to filter out unknown users.
    Try enabling that feature:
    http://www.amset.info/exchange/filterunknown.asp

    It may also be an authenticated user.
    Two things that you need to do.
    1. Have you got message tracking turned on? This may help identify where the messages are coming from, as you can see when they enter your system.
    2. Have you turned up SMTP logging. This is done on the first screen of the SMTP virtual server in ESM. This may also identify the account that is being used.

    Do you have users relaying email through your server as they are using SMTP for delivery? Outlook Express or IMAP users for example? If not then you can disable the authenticated user relay option in Exchange.

    Simon.
    0
     

    Author Comment

    by:pasands
    I turned on logging per the doc on your website...spam-cleanup.html

    Are there more options I need to turn on ?

    I looked at the link in the last post for filtering..I logged into the server and checked, and I do have it configured like that..

    Not real sure how and where to turn on the logging for message tracking, or SMTP logging....

    I do have remote users relaying ( authenticated ) through this server from a remote office, so i have to leave that option on.

    0
     
    LVL 104

    Expert Comment

    by:Sembee
    SMTP logging...

    ESM, Admin Groups, <your admin group>, Servers, <your server>, Protocols, SMTP. Right click on <default SMTP virtual server> and choose Properties. SMTP logging is on the first tab. You will need to run it for a little while. Check the properties of the logging to ensure that username is being logged as well.

    This is starting to look like authenticated user, but you need to find which account it is, or ask all of your users to change passwords. This will have to include the administrator account and any test or dormant accounts that you may have.

    Simon.
    0
     

    Author Comment

    by:pasands
    Here is a cut from the SMTP Logging:

    2004-11-03 20:44:29 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 2078 SMTP - - - -
    2004-11-03 20:44:31 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:31 200.121.144.252 creamer LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:32 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:33 200.121.144.252 creamer LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:33 204.127.134.23 OutboundConnectionResponse LANTZ - 25 0 5203 SMTP - - - -
    2004-11-03 20:44:33 204.127.134.23 OutboundConnectionCommand LANTZ - 25 0 5203 SMTP - - - -
    2004-11-03 20:44:35 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 2094 SMTP - - - -
    2004-11-03 20:44:36 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:36 65.32.1.52 OutboundConnectionResponse LANTZ - 25 0 80516 SMTP - - - -
    2004-11-03 20:44:36 65.32.1.52 OutboundConnectionCommand LANTZ - 25 0 80516 SMTP - - - -
    2004-11-03 20:44:36 65.32.1.52 OutboundConnectionResponse LANTZ - 25 0 80578 SMTP - - - -
    2004-11-03 20:44:36 65.32.1.52 OutboundConnectionCommand LANTZ - 25 0 80578 SMTP - - - -
    2004-11-03 20:44:37 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:39 64.12.138.57 OutboundConnectionResponse LANTZ - 25 0 161812 SMTP - - - -
    2004-11-03 20:44:39 64.12.138.57 OutboundConnectionCommand LANTZ - 25 0 161844 SMTP - - - -
    2004-11-03 20:44:39 64.12.138.57 OutboundConnectionResponse LANTZ - 25 0 161937 SMTP - - - -
    2004-11-03 20:44:39 64.12.138.57 OutboundConnectionCommand LANTZ - 25 0 161937 SMTP - - - -
    2004-11-03 20:44:39 64.12.138.57 OutboundConnectionResponse LANTZ - 25 0 161969 SMTP - - - -
    2004-11-03 20:44:39 64.12.138.57 OutboundConnectionCommand LANTZ - 25 0 161969 SMTP - - - -
    2004-11-03 20:44:39 64.12.138.57 OutboundConnectionResponse LANTZ - 25 0 162000 SMTP - - - -
    2004-11-03 20:44:39 64.12.138.57 OutboundConnectionCommand LANTZ - 25 0 162000 SMTP - - - -
    2004-11-03 20:44:39 64.12.138.57 OutboundConnectionResponse LANTZ - 25 0 162062 SMTP - - - -
    2004-11-03 20:44:40 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 2171 SMTP - - - -
    2004-11-03 20:44:40 216.148.227.126 OutboundConnectionResponse LANTZ - 25 0 109 SMTP - - - -
    2004-11-03 20:44:40 216.148.227.126 OutboundConnectionCommand LANTZ - 25 0 125 SMTP - - - -
    2004-11-03 20:44:40 200.121.144.252 creamer LANTZ 192.168.10.10 0 0 3328 SMTP - - - -
    2004-11-03 20:44:40 65.32.1.52 OutboundConnectionResponse LANTZ - 25 0 84719 SMTP - - - -
    2004-11-03 20:44:40 65.32.1.52 OutboundConnectionCommand LANTZ - 25 0 84719 SMTP - - - -
    2004-11-03 20:44:40 216.148.227.126 OutboundConnectionResponse LANTZ - 25 0 343 SMTP - - - -
    2004-11-03 20:44:40 216.148.227.126 OutboundConnectionCommand LANTZ - 25 0 343 SMTP - - - -
    2004-11-03 20:44:42 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:42 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:43 200.121.144.252 creamer LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:45 200.121.144.252 creamer LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    2004-11-03 20:44:45 65.32.1.52 OutboundConnectionResponse LANTZ - 25 0 89000 SMTP - - - -
    2004-11-03 20:44:45 65.32.1.52 OutboundConnectionCommand LANTZ - 25 0 89000 SMTP - - - -
    2004-11-03 20:44:45 65.32.1.52 OutboundConnectionResponse LANTZ - 25 0 89250 SMTP - - - -
    2004-11-03 20:44:46 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 2437 SMTP - - - -
    2004-11-03 20:44:46 216.148.227.126 OutboundConnectionResponse LANTZ - 25 0 5703 SMTP - - - -
    2004-11-03 20:44:46 216.148.227.126 OutboundConnectionCommand LANTZ - 25 0 5703 SMTP - - - -
    2004-11-03 20:44:47 65.32.1.52 OutboundConnectionResponse LANTZ - 25 0 91312 SMTP - - - -
    2004-11-03 20:44:47 65.32.1.52 OutboundConnectionCommand LANTZ - 25 0 91328 SMTP - - - -
    2004-11-03 20:44:47 219.133.133.63 techniques LANTZ 192.168.10.10 0 0 0 SMTP - - - -
    0
     

    Author Comment

    by:pasands
    Here is an additional cut from the log after I added some of the advanced logging options:

    2004-11-03 21:09:53 64.12.138.57 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+OK 0 0 6 0 348782 SMTP - - - -
    2004-11-03 21:09:53 64.12.138.57 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 DATA - - 0 0 4 0 348782 SMTP - - - -
    2004-11-03 21:09:53 64.12.138.57 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 354+START+MAIL+INPUT,+END+WITH+"."+ON+A+LINE+BY+ITSELF 0 0 54 0 348829 SMTP - - - -
    2004-11-03 21:09:55 208.45.133.107 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 550+<vinayakam@mailexcite.com>:+Recipient+address+rejected:+User+unknown+in+virtual+alias+table 0 0 95 0 2562 SMTP - - - -
    2004-11-03 21:09:55 208.45.133.107 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RSET - - 0 0 4 0 2562 SMTP - - - -
    2004-11-03 21:09:57 200.121.211.252 hypocrites SMTPSVC1 LANTZ 192.168.10.10 0 MAIL - +FROM:+<thalliumbertie@t-online.de> 250 0 51 39 0 SMTP - - - -
    2004-11-03 21:09:59 209.112.183.93 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 220+smtpgate.acsalaska.net+ESMTP+-+hermod.acsalaska.net 0 0 55 0 3125 SMTP - - - -
    2004-11-03 21:09:59 209.112.183.93 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 HELO - lantzquest.com 0 0 4 0 3125 SMTP - - - -
    2004-11-03 21:09:59 209.112.183.93 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+hermod.acsalaska.net+Hello+mail.lantzquest.com+[204.95.254.218]+(may+be+forged),+pleased+to+meet+you 0 0 104 0 3453 SMTP - - - -
    2004-11-03 21:09:59 209.112.183.93 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 MAIL - FROM:<evolutionsidiosyncrasies@webtv.net> 0 0 4 0 3453 SMTP - - - -
    2004-11-03 21:09:59 209.112.183.93 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+2.1.0+<evolutionsidiosyncrasies@webtv.net>...+Sender+ok 0 0 59 0 4000 SMTP - - - -
    2004-11-03 21:09:59 209.112.183.93 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RCPT - TO:<jamiea@ptialaska.net> 0 0 4 0 4000 SMTP - - - -
    2004-11-03 21:10:00 209.112.183.93 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 550+5.0.0+<jamiea@ptialaska.net>...+User+unknown 0 0 48 0 4375 SMTP - - - -
    2004-11-03 21:10:00 209.112.183.93 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RSET - - 0 0 4 0 4375 SMTP - - - -
    2004-11-03 21:10:00 209.112.183.93 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+2.0.0+Reset+state 0 0 21 0 4719 SMTP - - - -
    2004-11-03 21:10:00 209.112.183.93 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 QUIT - - 0 0 4 0 4735 SMTP - - - -
    2004-11-03 21:10:00 200.121.217.114 potlatch SMTPSVC1 LANTZ 192.168.10.10 0 DATA - <LANTZxfE9oh46YiufL000000fc5@lantzquest.com> 250 0 127 819 7562 SMTP - - - -
    2004-11-03 21:10:00 200.121.211.252 hypocrites SMTPSVC1 LANTZ 192.168.10.10 0 RCPT - +TO:<mainer820@yahoo.com> 250 0 32 29 0 SMTP - - - -
    2004-11-03 21:10:00 209.112.183.93 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 221+2.0.0+hermod.acsalaska.net+closing+connection 0 0 49 0 5110 SMTP - - - -
    2004-11-03 21:10:01 200.121.217.114 potlatch SMTPSVC1 LANTZ 192.168.10.10 0 MAIL - +FROM:+<courageouslysayers@swbell.net> 250 0 54 42 0 SMTP - - - -
    2004-11-03 21:10:01 200.121.217.114 potlatch SMTPSVC1 LANTZ 192.168.10.10 0 RCPT - +TO:<vinaykumawat@yahoo.com> 250 0 35 32 0 SMTP - - - -
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    Difficult to tell as I don't know what usernames you have on your site.

    You have said that you have users on another site sending email via your server. Which IP address is that? Can you filter those out? If you have already, please state. I can take a guess which they are, but you need to confirm.

    Simon.
    0
     

    Author Comment

    by:pasands
    I don't see any of my users in here.  I have 2 remote users,  ( Usernames Rita and Jeff ) All of the users that use outlook locally to the server are 1st initial + lastname, and I don't see any of them either....Everything listed here is completely unknown to me.

    Parry
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    What are these addresses?

    209.112.183.93
    64.12.138.57
    200.121.211.252

    Have you already filtered out your local IP addresses, the IP of the other site and anything related to your ISP? If not, do so, it is very difficult to read through the log as I don't know what is valid for your site or not - only you know that.

    Simon.
    0
     

    Author Comment

    by:pasands
    None of these are mine....anything that belongs to me would be 204.95.254.xxx or 209.43.90.xxx and I don't see any of those in there.  Just the private address of 192.168.10.x is the only thing I recognize.

    Parry

    0
     
    LVL 104

    Expert Comment

    by:Sembee
    Do you mind summarising where we are with this? I have re-read the question, but I thought it would be clear for my own mind.

    1. Is filtering turned on to remove unknown users? Both bits (filter and enable filter on the virtual server).
    2. What is the position regarding the relaying settings on the SMTP virtual server? IP addresses or anything else listed?
    3. Are these messages continuing to come in? If so, if you disable relaying completely (ie disable authenticated users as well) do they stop? Need to verify that these aren't coming from inside.

    Simon.
    0
     

    Author Comment

    by:pasands
    1.  Filtering is enabled in both places...checked and double checked..

    2.  Only the list below is checked, and the list is empty....

    The messages are still coming in...

    3.  I am going to disable relay for authenticated users now, and then log some more...I will post those results later...

    Parry

    0
     

    Author Comment

    by:pasands
    I disabled relaying completely, including authenticated users......I then turned on logging....and I am still getting the same thing.....here is a cut from the log:

    #Software: Microsoft Internet Information Services 6.0
    #Version: 1.0
    #Date: 2004-11-04 02:16:41
    #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
    2004-11-04 02:16:41 65.126.9.75 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 421+4.0.0+BUSAFW.Berettausa.com+Server+error 0 0 44 0 125 SMTP - - - -
    2004-11-04 02:16:41 65.126.9.75 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 QUIT - - 0 0 4 0 141 SMTP - - - -
    2004-11-04 02:16:41 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 220+spf6.us4.outblaze.com+ESMTP+Postfix 0 0 39 0 250 SMTP - - - -
    2004-11-04 02:16:41 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 HELO - lantzquest.com 0 0 4 0 250 SMTP - - - -
    2004-11-04 02:16:41 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+spf6.us4.outblaze.com 0 0 25 0 328 SMTP - - - -
    2004-11-04 02:16:41 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 MAIL - FROM:<croftblair@excite.com> 0 0 4 0 328 SMTP - - - -
    2004-11-04 02:16:41 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+Ok 0 0 6 0 406 SMTP - - - -
    2004-11-04 02:16:41 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RCPT - TO:<asibasara98@mail.com> 0 0 4 0 406 SMTP - - - -
    2004-11-04 02:16:43 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 550+<asibasara98@mail.com>:+User+unknown 0 0 40 0 1641 SMTP - - - -
    2004-11-04 02:16:43 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RSET - - 0 0 4 0 1641 SMTP - - - -
    2004-11-04 02:16:43 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+Ok 0 0 6 0 1719 SMTP - - - -
    2004-11-04 02:16:43 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RSET - - 0 0 4 0 1750 SMTP - - - -
    2004-11-04 02:16:43 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+Ok 0 0 6 0 1812 SMTP - - - -
    2004-11-04 02:16:43 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 MAIL - FROM:<mechanistahmadabad@webtv.net> 0 0 4 0 1812 SMTP - - - -
    2004-11-04 02:16:43 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+Ok 0 0 6 0 1891 SMTP - - - -
    2004-11-04 02:16:43 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RCPT - TO:<asibasode@mail.com> 0 0 4 0 1891 SMTP - - - -
    2004-11-04 02:16:44 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 550+<asibasode@mail.com>:+User+unknown 0 0 38 0 2984 SMTP - - - -
    2004-11-04 02:16:44 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RSET - - 0 0 4 0 2984 SMTP - - - -
    2004-11-04 02:16:44 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+Ok 0 0 6 0 3062 SMTP - - - -
    2004-11-04 02:16:44 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RSET - - 0 0 4 0 3062 SMTP - - - -
    2004-11-04 02:16:44 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+Ok 0 0 6 0 3141 SMTP - - - -
    2004-11-04 02:16:44 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 MAIL - FROM:<postconditionevaporation@hanmail.net> 0 0 4 0 3141 SMTP - - - -
    2004-11-04 02:16:44 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+Ok 0 0 6 0 3219 SMTP - - - -
    2004-11-04 02:16:44 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RCPT - TO:<asibathetic@mail.com> 0 0 4 0 3219 SMTP - - - -
    2004-11-04 02:16:46 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 550+<asibathetic@mail.com>:+User+unknown 0 0 40 0 4312 SMTP - - - -
    2004-11-04 02:16:46 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RSET - - 0 0 4 0 4312 SMTP - - - -
    2004-11-04 02:16:46 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+Ok 0 0 6 0 4391 SMTP - - - -
    2004-11-04 02:16:46 205.158.62.33 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 QUIT - - 0 0 4 0 4422 SMTP - - - -
    2004-11-04 02:16:46 205.158.62.33 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 221+Bye 0 0 7 0 4500 SMTP - - - -
    2004-11-04 02:17:05 211.150.124.34 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 HELO - +209.43.90.134 250 0 43 18 0 SMTP - - - -
    2004-11-04 02:17:05 211.150.124.34 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 MAIL - +FROM:+<7suggestible@arremate.com.br> 250 0 53 41 0 SMTP - - - -
    2004-11-04 02:17:05 211.150.124.34 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 RCPT - +TO:+<info@lantzquest.com> 250 0 0 30 16 SMTP - - - -
    2004-11-04 02:17:10 211.150.124.34 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 DATA - <LANTZqd6pnOLq3XWsTZ00001b98@lantzquest.com> 250 0 127 924 3032 SMTP - - - -
    2004-11-04 02:17:12 211.150.124.34 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 QUIT - 209.43.90.134 240 9640 63 4 0 SMTP - - - -
    2004-11-04 02:17:51 220.163.26.33 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 HELO - +209.43.90.134 250 0 42 18 0 SMTP - - - -
    2004-11-04 02:17:52 220.163.26.33 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 MAIL - +FROM:+<qhillclrg@justicemail.com> 250 0 50 38 0 SMTP - - - -
    2004-11-04 02:17:53 220.163.26.33 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 RCPT - +TO:+<mike@lantzquest.com> 250 0 0 30 0 SMTP - - - -
    2004-11-04 02:17:58 220.163.26.33 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 DATA - +<ORGGVSUBQKBWHBVDNGRYNCUEL@yahoo.ie> 250 0 120 2915 3046 SMTP - - - -
    2004-11-04 02:17:59 220.163.26.33 209.43.90.134 SMTPSVC1 LANTZ 192.168.10.10 0 QUIT - 209.43.90.134 240 11891 63 4 0 SMTP - - - -
    2004-11-04 02:18:02 65.32.1.52 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 220+flmx06.mgw.rr.com+ESMTP+Welcome+to+Road+Runner.++NO+UCE+***+FOR+AUTHORIZED+USE+ONLY!+*** 0 0 92 0 95828 SMTP - - - -
    2004-11-04 02:18:02 65.32.1.52 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 HELO - lantzquest.com 0 0 4 0 95828 SMTP - - - -
    2004-11-04 02:18:02 65.32.1.52 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+flmx06.mgw.rr.com+Hello+[204.95.254.218],+pleased+to+meet+you 0 0 65 0 95890 SMTP - - - -
    2004-11-04 02:18:02 65.32.1.52 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 MAIL - FROM:<explosivelyblackfeet@hanmail.net> 0 0 4 0 95890 SMTP - - - -
    2004-11-04 02:18:02 65.32.1.52 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+2.1.0+<explosivelyblackfeet@hanmail.net>...+Sender+ok 0 0 57 0 96031 SMTP - - - -
    2004-11-04 02:18:02 65.32.1.52 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RCPT - TO:<darline124@cfl.rr.com> 0 0 4 0 96031 SMTP - - - -
    2004-11-04 02:18:02 65.32.1.52 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+2.1.5+<darline124@cfl.rr.com>...+Recipient+ok 0 0 49 0 96203 SMTP - - - -
    2004-11-04 02:18:02 65.32.1.52 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 DATA - - 0 0 4 0 96203 SMTP - - - -
    2004-11-04 02:18:02 65.32.1.52 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 354+Enter+mail,+end+with+"."+on+a+line+by+itself 0 0 48 0 96250 SMTP - - - -
    2004-11-04 02:18:04 65.32.1.52 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+2.0.0+iA42LLW3025747+Message+accepted+for+delivery 0 0 54 0 98062 SMTP - - - -
    2004-11-04 02:18:04 65.32.1.52 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 QUIT - - 0 0 4 0 98078 SMTP - - - -
    2004-11-04 02:18:04 65.32.1.52 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 221+2.0.0+flmx06.mgw.rr.com+closing+connection 0 0 46 0 98125 SMTP - - - -
    2004-11-04 02:18:07 24.221.37.181 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 220+mail.phoenix.speedchoice.com+ESMTP 0 0 38 0 156 SMTP - - - -
    2004-11-04 02:18:07 24.221.37.181 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 HELO - lantzquest.com 0 0 4 0 156 SMTP - - - -
    2004-11-04 02:18:07 24.221.37.181 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+mail.phoenix.speedchoice.com 0 0 32 0 218 SMTP - - - -
    2004-11-04 02:18:07 24.221.37.181 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 MAIL - FROM:<5thexciting@ntlworld.com> 0 0 4 0 218 SMTP - - - -
    2004-11-04 02:18:07 24.221.37.181 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+ok 0 0 6 0 281 SMTP - - - -
    2004-11-04 02:18:07 24.221.37.181 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 RCPT - TO:<ntumlin@speedchoice.com> 0 0 4 0 281 SMTP - - - -
    2004-11-04 02:18:07 24.221.37.181 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 250+ok 0 0 6 0 359 SMTP - - - -
    2004-11-04 02:18:07 24.221.37.181 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 DATA - - 0 0 4 0 359 SMTP - - - -
    2004-11-04 02:18:07 24.221.37.181 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 354+go+ahead 0 0 12 0 421 SMTP - - - -
    2004-11-04 02:18:09 24.221.37.181 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 451+qq+write+error+or+disk+full+(#4.3.0) 0 0 40 0 1843 SMTP - - - -
    2004-11-04 02:18:09 24.221.37.181 OutboundConnectionCommand SMTPSVC1 LANTZ - 25 QUIT - - 0 0 4 0 1843 SMTP - - - -
    2004-11-04 02:18:09 24.221.37.181 OutboundConnectionResponse SMTPSVC1 LANTZ - 25 - - 221+mail.phoenix.speedchoice.com 0 0 32 0 1906 SMTP - - - -
    2004-11-04 02:19:01 24.159.180.149 myl-c-24-159-180-149.chartertn.net SMTPSVC1 LANTZ 192.168.10.10 0 HELO - +myl-c-24-159-180-149.chartertn.net 250 0 43 39 62 SMTP - - - -
    0
     
    LVL 104

    Assisted Solution

    by:Sembee
    Is your domain "lantzquest.com"?

    If so, the log looks like it is solid outbound requests. There are very few inbound emails in there, and most of them mention "lantzquest.com".

    I would consider flushing the queues out with the current configuration and see if the queues build.

    Simon.
    0
     

    Author Comment

    by:pasands
    Yes, that is the domain....I flushed them late last night, and the night before, and they keep filling back up..

    Right now, there are 140 Queues....and a few thousand messages....

    I am stumped right now.....
    0
     
    LVL 104

    Assisted Solution

    by:Sembee
    It does take a while to flush them out.
    For example, if you clear the queues, then disconnect the server from the Internet - do the queues continue to build? Exchange is very poor at showing multiple queues, it cannot cope with very high numbers so they can take some time to show up and clear. Using the process I outlined I had to repeat it about 20 times for one client before it was completely clear.

    Otherwise we have to start considering that the traffic is coming from inside...

    Simon.
    0
     

    Author Comment

    by:pasands
    Nothing seemed to fix the problem.  I don't know if it is something with the install, or what, but none of the suggestions worked.  Most of them I already had in place during the initial install, but it never hurts to double check just in case.

    Ultimately, here is what I have done to this point, and it seems to be working really well.  In Exchange System Manager, I went to Servers, ( Pick The Server ), Protocols, SMTP, Default Virt. Server.....Properties, then the Access Tab....and then the connection button.

    From here the All Except the List Below should be selected....

    Then I went through all of my Logs, and collected IP Addresses of all incoming connections....If I thought they were shady, I looked them up at Arin...If they were from Overseas I added them to the list....Usually the whole net block, not just the actual IP....Currently I have a list that is 20 entries or so long, but it appears to be making all of the difference in the world....

    Thanks to all who helped...

    Parry


    0
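    An added example that is not code from this thread or from Exchange: a triage script for the SMTP protocol log format Parry posted (the IIS 6 W3C extended log with its #Fields header). It does in one pass what the thread did by eye: tells outbound sessions (cs-username is OutboundConnectionCommand/Response) from inbound ones, flags inbound RCPT commands to a non-local domain that the server answered 250 (mail it agreed to relay, whoever sent it, and under which HELO name or account name), counts outbound MAIL FROM:<> commands (NDRs leaving, the backscatter sign in Simon's list), counts inbound RCPTs refused with 5xx (recipient filtering doing its job), and groups inbound client IPs per /24 the way Parry built his connection-control list. The sample log is constructed in the same field layout; LOCAL_DOMAINS, the trusted networks and the assumption that cs-username holds the client's HELO/EHLO argument or, after AUTH, the account name, are mine.

```python
"""Triage an Exchange 2003 / IIS 6 SMTP protocol log (W3C extended format).

Added example for this thread, not code from the thread or from Exchange.
Assumptions: cs-username holds the client's HELO/EHLO argument, or the account
name once the client has authenticated; LOCAL_DOMAINS is yours to fill in.
"""
from collections import Counter, defaultdict
import ipaddress

OUTBOUND_MARKERS = {"OutboundConnectionCommand", "OutboundConnectionResponse"}
LOCAL_DOMAINS = {"example.com"}  # assumption: domains this server accepts mail for

# Constructed sample in the field layout of the #Fields line posted above.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2004-11-04 02:16:41 203.0.113.7 OutboundConnectionCommand SMTPSVC1 MAIL1 - 25 HELO - example.com 0 0 4 0 250 SMTP - - - -
2004-11-04 02:16:41 203.0.113.7 OutboundConnectionCommand SMTPSVC1 MAIL1 - 25 MAIL - FROM:<> 0 0 4 0 328 SMTP - - - -
2004-11-04 02:16:41 203.0.113.7 OutboundConnectionCommand SMTPSVC1 MAIL1 - 25 RCPT - TO:<someone@remote.example> 0 0 4 0 406 SMTP - - - -
2004-11-04 02:16:43 203.0.113.7 OutboundConnectionResponse SMTPSVC1 MAIL1 - 25 - - 550+<someone@remote.example>:+User+unknown 0 0 40 0 1641 SMTP - - - -
2004-11-04 02:17:05 198.51.100.20 hypocrites SMTPSVC1 MAIL1 192.168.10.10 0 HELO - +hypocrites 250 0 43 18 0 SMTP - - - -
2004-11-04 02:17:05 198.51.100.20 hypocrites SMTPSVC1 MAIL1 192.168.10.10 0 MAIL - +FROM:+<spoofed@sender.example> 250 0 53 41 0 SMTP - - - -
2004-11-04 02:17:05 198.51.100.20 hypocrites SMTPSVC1 MAIL1 192.168.10.10 0 RCPT - +TO:+<victim@remote.example> 250 0 0 30 16 SMTP - - - -
2004-11-04 02:17:51 198.51.100.77 198.51.100.77 SMTPSVC1 MAIL1 192.168.10.10 0 HELO - +198.51.100.77 250 0 42 18 0 SMTP - - - -
2004-11-04 02:17:52 198.51.100.77 198.51.100.77 SMTPSVC1 MAIL1 192.168.10.10 0 MAIL - +FROM:+<bulk@sender.example> 250 0 50 38 0 SMTP - - - -
2004-11-04 02:17:53 198.51.100.77 198.51.100.77 SMTPSVC1 MAIL1 192.168.10.10 0 RCPT - +TO:+<nosuchuser@example.com> 550 0 0 30 0 SMTP - - - -
2004-11-04 02:18:01 192.168.10.55 jsmith SMTPSVC1 MAIL1 192.168.10.10 0 MAIL - +FROM:+<jsmith@example.com> 250 0 53 41 0 SMTP - - - -
2004-11-04 02:18:01 192.168.10.55 jsmith SMTPSVC1 MAIL1 192.168.10.10 0 RCPT - +TO:+<partner@remote.example> 250 0 0 30 0 SMTP - - - -
"""


def parse_w3c(text):
    """Yield one dict per data line keyed by the #Fields names.
    IIS encodes spaces inside values as '+', so a plain split() is safe."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated lines, never misalign
                yield dict(zip(fields, parts))


def address_in(query):
    """'FROM:<a@b>' / '+TO:+<a@b>' -> ('a@b', 'b'); 'FROM:<>' -> ('', None)."""
    start, end = query.find("<"), query.find(">")
    if start == -1 or end < start:
        return None, None
    addr = query[start + 1:end]
    return addr, (addr.rsplit("@", 1)[1].lower() if "@" in addr else None)


def triage(text, local_domains=LOCAL_DOMAINS):
    r = {
        "inbound_by_ip": Counter(),       # protocol lines per remote client
        "inbound_by_net": Counter(),      # same, per /24, for a connection-control list
        "names_by_ip": defaultdict(set),  # HELO names / account names seen per client
        "relay_accepted": [],             # (ip, name, sender, rcpt): mail we agreed to relay
        "inbound_rcpt_rejected": 0,       # 5xx to inbound RCPT: recipient filtering working
        "outbound_null_sender": 0,        # MAIL FROM:<> leaving = NDRs (backscatter)
        "outbound_5xx": 0,                # remote MTAs refusing our deliveries
    }
    last_sender = {}  # client ip -> most recent MAIL FROM on that connection
    for rec in parse_w3c(text):
        ip, name, cmd = rec["c-ip"], rec["cs-username"], rec["cs-method"]
        query, status = rec["cs-uri-query"], rec["sc-status"]
        if name in OUTBOUND_MARKERS:  # our server talking to a remote MTA
            if cmd == "MAIL" and address_in(query)[0] == "":
                r["outbound_null_sender"] += 1
            elif name.endswith("Response") and query.startswith("5"):
                r["outbound_5xx"] += 1
            continue
        r["inbound_by_ip"][ip] += 1
        r["names_by_ip"][ip].add(name)
        if cmd == "MAIL":
            last_sender[ip] = address_in(query)[0]
        elif cmd == "RCPT":
            addr, dom = address_in(query)
            if status.startswith("5"):
                r["inbound_rcpt_rejected"] += 1
            elif status == "250" and dom and dom not in local_domains:
                r["relay_accepted"].append((ip, name, last_sender.get(ip), addr))
    for ip, n in r["inbound_by_ip"].items():
        r["inbound_by_net"][str(ipaddress.ip_network(f"{ip}/24", strict=False))] += n
    return r


def block_candidates(result, trusted_nets=("192.168.10.0/24",)):
    """Inbound /24s, busiest first, minus networks you own (assumed list)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    return [net for net, _ in result["inbound_by_net"].most_common()
            if not any(ipaddress.ip_network(net).subnet_of(t) for t in trusted)]


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    print(res["relay_accepted"], res["outbound_null_sender"], block_candidates(res))
```

    Read the relay_accepted entries first: the name column is the HELO string for an unauthenticated client and the account name for an authenticated one, so an entry under a real account name is the "authenticated user" case and a password change for that account is the fix, while an entry under an arbitrary HELO string means the relay settings themselves let it through. A high outbound_null_sender count with inbound_rcpt_rejected near zero is the NDR pattern, and the cure is recipient filtering rather than IP blocking. The /24 aggregation matches the net-block approach Parry settled on, but it only lists networks that actually connected inbound; outbound sessions draining the queue are the symptom, not the source, and blocking them does nothing.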
