Solved

Open email Relay, Email storm even when NO internet, wrong diagnosis?

Posted on 2006-06-20
Last Modified: 2010-03-06
Hi,
Quick overview.

350 to 900 new rubbish emails are being generated on my Exchange 2003 server, which is patched up to date.
I used 3 different open relay tests that all returned a negative on the relay test.
4 different antivirus companies couldn't find any email-sending virus on the system.
After disconnecting the internet - just one domain controller connected to the Exchange box through a switch - still observing 350 to 900 new emails per minute.
We have a satellite connection to the web with a 33.6K modem as a return path.

I now discover an open relay function is happening 12 days after first discovering the email storm. Possibly because the Exchange server didn't return the test email in the allotted time for the open relay test. I manually telnetted into the front end of the Exchange server and manually set up an email with the SMTP commands.

If this is all the whole issue is about - how come I continued to observe 350 to 900 emails per minute being added to the outgoing queue in Exchange Manager after passing through the awaiting directory lookup, pending submission and waiting to be routed while now being connected to the internet?

Would I be correct in assuming Exchange precached the emails so that when I isolated the 2 servers, Exchange still continued to process emails from the Exchange Manager Queue view, so it looked like they were being freshly generated?

The satellite has about 1.5k to 400K download depending on Telstra (that's another story). The outgoing modem is only 33.6K and gets bogged down. Would this allow the spam to back up in the Exchange server?

Thank you for your feedback and help.
0
Question by:pjwallis
4 Comments
 
LVL 32

Assisted Solution

by:r-k
r-k earned 250 total points
ID: 16948642
I hope I am understanding you correctly:

It seems you have discovered that the server was/is an open relay? If so, the first step is to close the open relay:

 http://www.amset.info/exchange/smtp-openrelay.asp

The next step is to clean up the queues:

 http://www.amset.info/exchange/spam-cleanup.asp

(both these links are thanks to the top Exchange expert, Sembee)
0
 
LVL 104

Accepted Solution

by:Sembee
Sembee earned 250 total points
ID: 16956325
Looks like my work here is done... <smile>

Spammers drop and run. Therefore they will drop a large number of messages on to your server, then leave. ESM is notorious for not showing the true extent of the problem - so it can take many goes before the queue is "clear".

It may also be an authenticated user attack. Change your administrator password as that is the usual target.

Simon.
0
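
Added example (not part of the original thread or any poster's code): a relay check for your own server that takes its verdict from the RCPT TO reply, as in the manual telnet session the question describes, so it does not depend on a test message coming back within a time limit. The names `probe_relay` and `fake_server`, the addresses, the EHLO name and the stub's replies are constructed; the probe is unauthenticated, so it does not cover the authenticated-user case raised in the accepted answer.

```python
import smtplib
import socket
import threading

def probe_relay(host, port, mail_from, rcpt_to, timeout=10):
    """Classify a server as 'open', 'closed' or 'inconclusive' for relaying.

    mail_from and rcpt_to must both be addresses outside the server's own
    domains. Only the RCPT TO reply is inspected and no DATA is sent, so
    nothing is queued and the result does not wait on a returned message.
    """
    # Fixed EHLO name (an assumption) avoids a DNS lookup for the local host.
    with smtplib.SMTP(host, port, local_hostname="relay-check.example",
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return "inconclusive"   # sender refused before any relay decision
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()                 # abandon the transaction
    if 200 <= code < 300:
        return "open"               # external recipient accepted without AUTH
    if 500 <= code < 600:
        return "closed"             # e.g. 550 5.7.1 Unable to relay
    return "inconclusive"           # 4xx: temporary failure, retry later

def fake_server(rcpt_reply):
    """Constructed one-connection SMTP stub on loopback; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 stub ESMTP\r\n")
            for line in lines:
                verb = line[:4].upper()
                replies = {b"RCPT": rcpt_reply, b"QUIT": b"221 bye"}
                conn.sendall(replies.get(verb, b"250 OK") + b"\r\n")
                if verb == b"QUIT":
                    break

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for reply in (b"250 2.1.5 OK", b"550 5.7.1 Unable to relay", b"451 4.7.1 Try later"):
        print(reply.decode(), "->", probe_relay(
            "127.0.0.1", fake_server(reply), "a@outside-a.example", "b@outside-b.example"))
```

A 4xx reply or a refused sender is reported as inconclusive rather than closed, which is the distinction a timed-out automated test can hide.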
 
LVL 2

Author Comment

by:pjwallis
ID: 16960680
Thank you both for your fine answers and comments. I have learned a lot about Exchange.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16960714
Thank you, pjwallis (and Sembee :))
0

Question has a verified solution.