dlloyd37

1000 messages in my outgoing smtp queue

Hi,
Ok, so my Windows 2003 server/Exchange 2003 has been running without issue for a few weeks now since I put it in. However, last night I noticed a lot of messages from a particular user who accesses his mail via OWA and POP3.....they all seemed to be copies of the same messages. It meant that mail flow stopped until I deleted them. I also disabled the user account in question and have not seen a recurrence of the problem.

I have asked the user to scan their machine for virus/spyware.....

Any more ideas as to what to do with this?

David
LeeDerbyshire

It sounds like the user has somehow activated a mass-mailing trojan.  See what the virus scan reveals.
dlloyd37

ASKER

Exactly what I thought....

However, this user, who is in the US (our server is in the UK), has responded with:

I tried to send 2 messages to the whole of my contacts list approx 750 addresses.
I'm sorry it's intentional spam but I need to send it. I will expect some of the
addresses will be out of date so I'm expecting some junk back.

These out of date ones I guess bounce back to my server and get retry status
causing my mail to back up....is this the case and what is the best way to handle
this? Sorry if this is so basic but your thoughts on how to handle this would be great.

I guess the guy is just doing his job as he works in the publishing/marketing section.

How do you think I should handle this anyway?

Wouldn't it be better anyway to have his outgoing mail server set to his own
ISP which is more local anyway? He can then just have his incoming one set to
download from our server..

Well, if it's intentional, I wouldn't worry about it.  1000 ~intentional messages isn't a huge amount, but the presence of only 1 unintentional message would be a cause for concern.  If you want to save bandwidth, he could try relaying through his ISP, but it's very likely that they wouldn't allow it.  No ISP would want to risk being tagged as a source of spam.  The out-of-date addressed ones will disappear in a few days, because the server will eventually give up on them, and return them to the sender.

Ok, I understand....

But....when he sends these 2 messages to all these people my external email grinds to
a halt...which then affects all the office users, 30 or so, because I have like a 1000+ retries
in the queue and all the legitimate mail backs up behind it.

U think I may have an incorrectly configured SMTP connector?

thnx


You may want to make your life real easy...

ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/

Get in to the above link and download the tool AQADMCLI.

Create a batch file and add "aqadmcli delmsg flags=SENDER,sender=foo@bar.com".

Here foo@bar.com should be replaced with sender@yourdomain.com.

Run this every time you have an issue with messages stuck in the queue. If the sender is postmaster, then they are nothing but NDRs that are trying to get out of your system. The tool can be configured to delete any or all messages in the Exchange System Manager queue viewer.

Also try and implement sender, recipient and IMF filtering to avoid being hit by spam in future.

Raghu

It shouldn't be grinding to a halt.  It will try each message once every fifteen minutes, then each will go to the back of the queue.  New mail should go straight to the front, and shouldn't be held up by old messages.  Do you see heavy CPU utilization, or disk activity, with these messages in the queue?

I should agree to Lee's point to an extent, but if you have 1000 messages, how can one guess that the message would go into freeze mode and allow the rest to pass through?

What I have seen is these messages take a lot of your bandwidth and hence choke up the queue. If these messages need to be sent, I would want the user to send in batches depending upon the bandwidth and, of course, how well the server can process.

Raghu

If you look at the messages in the queues, each should show a time when the server is next going to try to deliver it, this suggests to me that the server is not continually trying each one as soon as it has failed.  I don't think the queues are strictly FIFO - the ones that failed should make way for the new ones, until it is time for them to be retried once more.  I'm just guessing here, though.  You will get more accurate statistics from the SMTP performance objects in perfmon.

Sorry, been away for a couple of days.....

Ok, I understand what you mean and yes they should make way for new mail but what I'm
seeing is not what you say should happen. Ok, so they are in a retry state and should make
way for new mail. If I send a message while the queue is in this state it doesn't arrive for a long
time, if at all.....I only waited 20 mins or so. There is no hint of processing/memory usage spikes
either.

When I deleted these messages using System Manager, mail flow returned to normal..


David