Solved

Open email Relay, Email storm even when NO internet, wrong diagnosis?

Posted on 2006-06-20
Last Modified: 2010-03-06
Hi,
Quick overview.

350 to 900 new rubbish emails are being generated on my Exchange 2003 server, which is patched up to date.
I used 3 different open relay tests that all returned a negative on the relay test.  
4 different antivirus companies couldn't find any email sending virus on the system.
After disconnecting the internet - just one domain controller connected to the Exchange box through a switch - still observing 350 to 900 new emails per minute.
We have a satellite connection to the web with a 33.6K modem as a return path.

I now discover an open relay function is happening 12 days after first discovering the email storm. Possibly because the Exchange server didn't return the test email in the allotted time for the open relay test. I manually telnetted into the front end of the Exchange server and manually set up an email with the SMTP commands.

If this is all the whole issue is about - how come I continued to observe 350 to 900 emails per minute being added to the outgoing queue in Exchange Manager after passing through the awaiting directory lookup, pending submission and waiting to be routed while now being connected to the internet?

Would I be correct in assuming Exchange precached the emails so that when I isolated the 2 servers, Exchange still continued to process emails from the Exchange Manager Queue view, so it looked like they were being freshly generated?

The satellite has about 1.5k to 400K download depending on Telstra (that's another story). The outgoing modem is only 33.6K and gets bogged down. Would this allow the spam to back up in the Exchange server?

Thank you for your feedback and help.
Question by:pjwallis
LVL 32

Assisted Solution

by:r-k
r-k earned 250 total points
ID: 16948642
I hope I am understanding you correctly:

It seems you have discovered that the server was/is an open relay? If so, the first step is to close the open relay:

 http://www.amset.info/exchange/smtp-openrelay.asp

The next step is to clean up the queues:

 http://www.amset.info/exchange/spam-cleanup.asp

(both these links are thanks to the top Exchange expert, Sembee)
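
Added example (not part of the thread or of the linked articles): once the relay has been closed, the check the asker ran by hand over telnet can be repeated as a script against your own server. It judges on the reply codes to MAIL FROM and RCPT TO and stops before DATA, so the result does not depend on a test message coming back within a time limit. The addresses, function names and the hostname in the usage comment are placeholders chosen for this example.

```python
import smtplib
import sys

# Placeholder addresses in reserved example domains (assumptions, not from the thread).
EXTERNAL_SENDER = "relaytest@example.org"
EXTERNAL_RCPT = "relaytest@example.net"


def probe_relay(smtp, sender=EXTERNAL_SENDER, rcpt=EXTERNAL_RCPT):
    """Offer an external-to-external envelope on a connected, unauthenticated session.

    Stops before DATA, so nothing is queued and the verdict comes from the
    server's reply codes, not from a test message being returned in time.
    """
    smtp.ehlo_or_helo_if_needed()
    code, _ = smtp.mail(sender)
    if code // 100 != 2:
        smtp.rset()
        return "sender-rejected"
    code, _ = smtp.rcpt(rcpt)
    smtp.rset()  # abandon the transaction either way
    if code // 100 == 2:
        return "relay-accepted"   # external recipient taken without AUTH
    if code // 100 == 4:
        return "inconclusive"     # temporary failure: retry before trusting it
    return "relay-refused"        # 5xx: the server declined to relay


def check_host(host, port=25, timeout=30):
    """Connect to your own server and return probe_relay()'s verdict."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            return probe_relay(smtp)
    except (OSError, smtplib.SMTPException) as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # Usage: python relay_check.py mail.example.com   (hostname is a placeholder)
    print(check_host(sys.argv[1]))
```

Run it from an address the server is not configured to relay for; from an address that is allowed to relay, an accepted recipient is the expected result.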
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
ID: 16956325
Looks like my work here is done... <smile>

Spammers drop and run. Therefore they will drop a large number of messages on to your server, then leave. ESM is notorious for not showing the true extent of the problem - so it can take many goes before the queue is "clear".

It may also be an authenticated user attack. Change your administrator password as that is the usual target.

Simon.
LVL 2

Author Comment

by:pjwallis
ID: 16960680
Thank you both for your fine answers and comments. I have learned a lot about Exchange.
LVL 32

Expert Comment

by:r-k
ID: 16960714
Thank you, pjwallis (and Sembee :))