Open email Relay, Email storm even when NO internet, wrong diagnosis?

Hi,
Quick overview.

350 to 900 new rubbish emails are being generated on my Exchange 2003 server, which is patched up to date.
I used 3 different open relay tests that all returned a negative on the relay test.
4 different antivirus companies couldn't find any email-sending virus on the system.
After disconnecting the internet - just one domain controller connected to the Exchange box through a switch - I was still observing 350 to 900 new emails per minute.
We have a satellite connection to the web with a 33.6K modem as a return path.

I have now discovered that an open relay is happening, 12 days after first discovering the email storm. Possibly this is because the Exchange server didn't return the test email in the allotted time for the open relay test. I manually telnetted into the front end of the Exchange server and manually set up an email with the SMTP commands.

If this is all the whole issue is about, how come I continued to observe 350 to 900 emails per minute being added to the outgoing queue in Exchange Manager, after passing through awaiting directory lookup, pending submission and waiting to be routed, while now being connected to the internet?

Would I be correct in assuming Exchange pre-cached the emails, so that when I isolated the 2 servers, Exchange still continued to process emails from the Exchange Manager queue view, so it looked like they were being freshly generated?

The satellite has about 1.5K to 400K download depending on Telstra (that's another story). The outgoing modem is only 33.6K and gets bogged down. Would this allow the spam to back up in the Exchange server?

Thank you for your feedback and help.
pjwallis asked:
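
The manual test described in the question (telnet to the SMTP port, then HELO, MAIL FROM and RCPT TO for an outside address) is the standard way to confirm whether a server relays. The following is an added illustration, not code from the question or from Exchange: a toy SMTP relay policy plus the probe dialogue, so the three outcomes can be seen side by side. A correctly restricted server answers the outside RCPT TO with "550 5.7.1 Unable to relay"; a misconfigured open relay answers 250; and, as Sembee notes below about authenticated-user attacks, a session that has authenticated (here with a constructed password) is allowed to relay even when relay restrictions are in place. The domain list, host name and password are assumptions for the example.

```python
"""Added example: toy SMTP relay-policy check (not Exchange's own code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the only domain this server accepts mail for.
LOCAL_DOMAINS = {"example.local"}
# Constructed credential for the toy AUTH handler; a real server checks a directory.
TOY_PASSWORD = "hunter2"


@dataclass
class Session:
    """State of one SMTP conversation."""
    open_relay: bool = False          # the misconfiguration under test
    authenticated: bool = False       # set after a successful AUTH
    helo: Optional[str] = None
    mail_from: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Extract the domain part of <user@domain>, lower-cased; '' if malformed."""
    addr = address.strip("<>")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def handle(session: Session, line: str) -> str:
    """Return the server's reply to one client command (toy policy, not Exchange)."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        session.helo = arg
        return "250 mail.example.local Hello"
    if verb == "AUTH":
        # Toy: the last token of the AUTH line is treated as the password.
        session.authenticated = arg.split()[-1] == TOY_PASSWORD
        if session.authenticated:
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication failed"
    if verb == "MAIL":
        session.mail_from = arg.partition(":")[2].strip()
        return "250 2.1.0 Sender OK"
    if verb == "RCPT":
        rcpt = arg.partition(":")[2].strip()
        local = domain_of(rcpt) in LOCAL_DOMAINS
        # Relay is allowed only for local recipients or authenticated sessions;
        # an open relay accepts everything, which is the fault being diagnosed.
        if local or session.authenticated or session.open_relay:
            session.rcpts.append(rcpt)
            return "250 2.1.5 Recipient OK"
        return "550 5.7.1 Unable to relay"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "500 5.5.1 Command unrecognized"


def relay_probe(session: Session) -> bool:
    """Replay the manual check from the question: outside sender, outside recipient.

    Returns True when the server accepts the outside recipient, i.e. it would relay.
    """
    replies = [handle(session, cmd) for cmd in (
        "HELO probe.example.net",
        "MAIL FROM:<tester@example.net>",
        "RCPT TO:<someone@example.org>",
    )]
    return replies[-1].startswith("250")


if __name__ == "__main__":
    print("restricted server relays:", relay_probe(Session()))                  # False
    print("open relay relays:      ", relay_probe(Session(open_relay=True)))    # True
    authed = Session()
    handle(authed, "AUTH PLAIN " + TOY_PASSWORD)
    print("authenticated relays:   ", relay_probe(authed))                       # True
```

The third case is why a negative result from a relay-test site is not the end of the diagnosis: the probe does not authenticate, so it cannot see relaying that a guessed or stolen account password enables.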
 
Sembee commented:
Looks like my work here is done... <smile>

Spammers drop and run. Therefore they will drop a large number of messages on to your server, then leave. ESM is notorious for not showing the true extent of the problem - so it can take many goes before the queue is "clear".

It may also be an authenticated user attack. Change your administrator password as that is the usual target.

Simon.
 
r-k commented:
I hope I am understanding you correctly:

It seems you have discovered that the server was/is an open relay? If so, the first step is to close the open relay:

http://www.amset.info/exchange/smtp-openrelay.asp

The next step is to clean up the queues:

http://www.amset.info/exchange/spam-cleanup.asp

(both these links are thanks to the top Exchange expert, Sembee)
 
pjwallis (author) commented:
Thank you both for your fine answers and comments. I have learned a lot about Exchange.
 
r-k commented:
Thank you, pjwallis (and Sembee :))