Exchange Server SMTP connections

In Exchange System Manager, I see many connections in Current Sessions for 100 to 500+ seconds... I was told that I shouldn't worry about that....

Is that right??? If someone is connecting for over 500+ seconds, doesn't that indicate that my mail server is being abused by someone??? Please tell me...

Use the following screenshot if need be:
http://upload.jibranilyas.com/files/smtp.JPG

In Exchange System Manager, please browse to

Administrative Groups
 -- [Domain Name]
  -- Servers
   -- [Server Name]
    -- Protocols
     -- SMTP
      -- Default SMTP Virtual Server
       -- Current Sessions

and please tell me if multiple connections in the "Current Sessions" is OK
jibranilyasAsked:

jonesy2kCommented:
It's not necessarily a problem at all, it's more likely that either your link, their link, or both are slow, and when relatively large emails come through, they take quite a while.
Check out connection speeds and how big the offending emails are...
Jonesy
SembeeCommented:
The connections in the screenshot are inbound.
Do you recognise the domains as ones that you regularly communicate with?

If not, then it could be spam messages. The servers that spammers use are not always configured correctly and could cause problems.
The key thing is what your queues are like. If the server is being abused it will usually show in the queues, as there will be a high number of non-delivery or queued messages showing. Spammers' lists are never very clean, so they will have lots of garbage addresses.

Simon.
jibranilyasAuthor Commented:
So the addresses that I see in those connections are the servers that are sending me spam emails? I thought someone was relaying the mails through our server... Is there a way to check for relaying attempts?


Also, my queues are quite large...

http://upload.jibranilyas.com/files/quenue.JPG

Is 545 items in the queue alarming?
jibranilyasAuthor Commented:
Sembee, I don't recognize those domains... they end with foreign suffixes.
SembeeCommented:
Oh dear.
That doesn't look good.
Either you are an open relay, or under authenticated user or NDR attack.

Take a look at my web site http://www.amset.info/exchange/spam-cleanup.asp

I have outlined how to clear the queues and secure your server.

Simon.

jibranilyasAuthor Commented:
I was at this website earlier... didn't know it was yours...

I tried sending an email through relay from a remote machine (my home machine through Remote Desktop).

I even saw the SMTP connection in my System Manager... but it died in about 400 seconds.


I get the 220 message
and then I typed the following:
helo mein.com

which gave me
250 mydomainname.com Hello [myipaddress]

then I type in

mail from:jay@mein.com

after 3-4 minutes, I got this... (I did that 4 times; same result)
Connection to host lost.

Press any key to continue...

---

So, is it still relaying?
jibranilyasAuthor Commented:
http://www.amset.info/exchange/filterunknown.asp

Should I apply the things you mentioned at the above URL?
jibranilyasAuthor Commented:
I did the ZoneEdit test also:

SMTP Connection:
OK, connected to [mydomain].com...
< 220 **********************************************************************************0*2******************************200***2*02*0***0*00
> HELO edit.dnsvr.com
< 250 xxx.[mydomain]..com Hello [69.72.176.188]
> MAIL FROM:<imp@[emaildomain].com>
< 250 2.1.0 imp@[emaildomain].com....Sender OK
> RCPT TO:<jxxx@hotmail.com>
< 550 5.7.1 Unable to relay for jxxx@hotmail.com
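The relay test that the ZoneEdit output above performs by hand (HELO, MAIL FROM an outside address, RCPT TO an outside address, then look at the reply code) can be scripted so you can re-run it against your own server after each change. This is an added example, not code from the thread or from amset.info; it includes a constructed in-process mock SMTP server so it runs offline, and the domains used (`example.test`, `outside.invalid`, `elsewhere.invalid`) are assumed placeholders. Point `relay_check` at a real host and port to test a live server.

```python
import smtplib
import socketserver
import threading

# Constructed local domain (stands in for the domains the Exchange server is responsible
# for); any other recipient is refused with the same "550 5.7.1 Unable to relay" reply
# seen in the ZoneEdit transcript above.
LOCAL_DOMAIN = "example.test"

class MockSMTP(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: accepts local recipients, refuses relaying."""
    def handle(self):
        self.wfile.write(b"220 mock.example.test ESMTP ready\r\n")
        for raw in self.rfile:
            line = raw.decode(errors="replace").strip()
            verb = line.split(":")[0].split(" ")[0].upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 mock.example.test Hello\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Sender OK\r\n")
            elif verb == "RCPT":
                rcpt = line.split("<", 1)[1].rstrip(">")
                if rcpt.lower().endswith("@" + LOCAL_DOMAIN):
                    self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
                else:
                    self.wfile.write(("550 5.7.1 Unable to relay for %s\r\n" % rcpt).encode())
            elif verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"500 unrecognised command\r\n")

def start_mock_server():
    """Start the mock on a free loopback port; the bound (host, port) is .server_address."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockSMTP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def relay_check(host, port, sender, recipient):
    """Replay the manual test: HELO, MAIL FROM, RCPT TO; return the RCPT reply (code, text)."""
    with smtplib.SMTP(host, port, timeout=5) as s:
        s.helo("relaytest.invalid")
        s.mail(sender)
        code, msg = s.rcpt(recipient)
    return code, msg.decode()

def is_open_relay(host, port):
    """True only if RCPT TO a domain the server is not responsible for is accepted (250)."""
    code, _ = relay_check(host, port, "imp@outside.invalid", "someone@elsewhere.invalid")
    return code == 250
```

A 550 5.7.1 on the external RCPT TO, as in the transcript above, means relaying is refused for anonymous senders; it says nothing about authenticated-user or NDR abuse, which need the queue and event log checks discussed further down.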

SembeeCommented:
The things in the second URL are a good thing to do.

However.
You have a PIX. Am I right?

If so, turn off the Mailguard feature. FIXUP SMTP is another name. That can cause problems, which is why you are getting that odd SMTP header.

Doesn't sound like it is relaying, so it might be an NDR attack.
Get your queues clear first, then you can start further investigations.

Simon.
jibranilyasAuthor Commented:
Yes, I do have a PIX...

I do have this line in my conf:
fixup protocol smtp 25

Can you please tell me what's the odd SMTP header in my post...
---

Yeah, I'm sure it's not relaying...

Applying the procedures in that URL will disable the "mail failure notice", right?? If I misspell my address I won't get any email saying that it was undeliverable, right?


I will now check for an authenticated user attack from this URL
http://www.amset.info/exchange/spam-cleanup.asp

and then report here before clearing my queues
SembeeCommented:
This line:

***********************************2*******0*********************

It should be something like this:

220 IGR-IMC-02.redmond.corp.microsoft.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Wed, 6 Jul 2005 12:05:26 -0700

The former can cause problems with remote servers. They don't like it.

Simon.
jibranilyasAuthor Commented:
After I turned on logging for the SMTP protocol, I got three 7002 messages and three 7004 messages in the Event Viewer.
e.g.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:                      7002
Date:            7/6/2005
Time:            2:05:59 PM
User:            N/A
Computer:                      [computer name]
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #6. The remote host "195.8.99.94", responded to the SMTP command "rcpt" with "450 <r.pagan@gratka.pl>: Recipient address rejected: User unknown in local recipient table  ". The full command sent was "RCPT TO:<r.pagan@gratka.pl>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

***************************************************************************

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:                      7004
Date:            7/6/2005
Time:            2:05:38 PM
User:            N/A
Computer:                       [computer name]
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #2. The remote host "205.234.172.68", responded to the SMTP command "rcpt" with "511 sorry, no mailbox here by that name (#5.1.1 - chkuser)  ". The full command sent was "RCPT TO:<Jimmie@keveney.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.
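When there are many of these 7002/7004 events, the useful question is how many different remote hosts and recipient domains are rejecting your server's RCPT TO, and how many of the rejections are permanent (5xx). The parser below is an added example, not part of the thread; it works on the fixed wording of the event descriptions quoted above and uses constructed sample descriptions (made-up hosts and addresses) so it runs offline.

```python
import re
from collections import Counter

# Constructed sample 7002/7004 descriptions in the format quoted above;
# hosts and addresses are made up for illustration.
SAMPLE_EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #6. '
    'The remote host "203.0.113.10", responded to the SMTP command "rcpt" with '
    '"450 <a.user@example.net>: Recipient address rejected: User unknown in local recipient table  ". '
    'The full command sent was "RCPT TO:<a.user@example.net>  ".  This may cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #2. '
    'The remote host "198.51.100.7", responded to the SMTP command "rcpt" with '
    '"511 sorry, no mailbox here by that name (#5.1.1 - chkuser)  ". '
    'The full command sent was "RCPT TO:<nobody@example.org>  ".  This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #9. '
    'The remote host "198.51.100.7", responded to the SMTP command "rcpt" with "550 5.1.1 User unknown  ". '
    'The full command sent was "RCPT TO:<other@example.org>  ".  This will probably cause the connection to fail.',
]

# Matches the fixed wording of the event description and captures the pieces we need.
EVENT_RE = re.compile(
    r'The remote host "(?P<host>[^"]+)", responded to the SMTP command '
    r'"(?P<cmd>[^"]+)" with "(?P<code>\d{3})[^"]*"\. The full command sent was "(?P<full>[^"]*)"'
)
RCPT_RE = re.compile(r'RCPT TO:<([^>]+)>', re.IGNORECASE)

def parse_event(description):
    """Return {host, code, rcpt} for one description, or None if it does not match."""
    m = EVENT_RE.search(description)
    if not m:
        return None
    r = RCPT_RE.search(m.group("full"))
    return {"host": m.group("host"), "code": int(m.group("code")),
            "rcpt": r.group(1).strip() if r else None}

def summarize(descriptions):
    """Tally rejected recipients per remote host and per recipient domain.
    A long tail of unfamiliar domains with permanent (5xx) rejections is what
    the NDR / relay abuse pattern discussed in the thread looks like here."""
    hosts, domains, permanent = Counter(), Counter(), 0
    for d in descriptions:
        ev = parse_event(d)
        if not ev or ev["rcpt"] is None:
            continue
        hosts[ev["host"]] += 1
        domains[ev["rcpt"].split("@")[-1].lower()] += 1
        if 500 <= ev["code"] < 600:
            permanent += 1
    return {"hosts": hosts, "domains": domains, "permanent": permanent}
```

Feed it the Description field of each exported event; if the top domains are ones your users never mail, your server is generating the outbound traffic itself, which is the symptom Sembee describes.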

SembeeCommented:
Those are standard non-existent user messages being generated by the remote servers.

If you don't recognise the domains then it looks like you are sending out email that you have no knowledge of - NDR, Authorised user or plain relaying.

Simon.
jibranilyasAuthor Commented:
Can we say it passed the authorized user test if it didn't generate the 1708 entry in the Event Viewer?

Relaying is denied ---
> HELO edit.dnsvr.com
< 250 xxx.[mydomain]..com Hello [69.72.176.188]
> MAIL FROM:<imp@[emaildomain].com>
< 250 2.1.0 imp@[emaildomain].com....Sender OK
> RCPT TO:<jxxx@hotmail.com>
< 550 5.7.1 Unable to relay for jxxx@hotmail.com


And I just applied the following fixes to avoid an NDR attack...

Expand ESM, Message Delivery.
Right click on "Message Delivery" and choose Properties.
Click on the tab "Recipient Filtering".
Enable the option "Filter Recipients who are not in the directory."
You then need to enable the Recipient Filter on the SMTP Server.
-------------------------------------------------------------------------------
Still in ESM, Expand Admin Groups, <your admin groups>, Server, <your server>, Protocols, SMTP.
Right click on SMTP Virtual Server and choose Properties.
Click on "Advanced" next to the IP address on the first tab.
With the IP address selected, choose "Edit".
Enable "Apply Recipient Filter".
Click Apply/OK until clear.


I will tell you about my queue in half an hour... hopefully it will come down..
jibranilyasAuthor Commented:
Simon,

there is a typo on this page
http://www.amset.info/exchange/spam-cleanup.asp

Type the following command into the telnet window:

ehlo testdomain.com      < --------------

and press enter (note "testdomain.com" can be anything that isn't a domain that the Exchange server is responsible for)
SembeeCommented:
That is not a typo.

There are two forms of SMTP, helo and ehlo. The second one is an enhanced version of SMTP which Exchange supports.

Simon.
jibranilyasAuthor Commented:
Oh OK... I'm sorry...

ehlo wasn't working on mine... anyway, thanks for your help so far.

My queue is 521 now... (from 545 two hours ago)
jibranilyasAuthor Commented:
Queue is 355 today.

I guess the fixes at the following URL are helping:
http://www.amset.info/exchange/filterunknown.asp


SembeeCommented:
The messages will naturally expire. If you have blocked all the gaps, then the message number will go down.
You could try turning down the retry time on the SMTP Virtual Server.
That might speed things up.

Simon.
jibranilyasAuthor Commented:
True...

It's 283 now.

I just turned down the retry time to 2 minutes... for the first to third retries...

Thanks so much... your website has very, very clear instructions.
SembeeCommented:
Don't forget to turn it back up, otherwise you will get a lot of legitimate bounce emails.

Simon.
jibranilyasAuthor Commented:
Gotcha.