My SMTP server is constantly getting taken offline. I am using Exchange Server 2003 SP2 and Windows Server 2003 SP1. I keep getting a queue to yahoo.com.tw with ~90,000 e-mails in it in the RETRY state. Also there are usually about a dozen other .tw domains with a few hundred queued e-mails in each.
I have already gone through this document: http://www.amset.info/exchange/spam-cleanup.asp. I am not open for relay from outside of my subnet. This is not an NDR attack, as I do not see any e-mails sent from postmaster, and I have also enabled recipient filtering. This is not an authenticated user sending out spam.
Here are a couple of the senders I can see in the yahoo.com.tw queue:
Also, I have turned up a bunch of the logging through Exchange and I am seeing a bunch of Warnings from MSExchangeTransport like the following:
This is an SMTP protocol warning log for virtual server ID 1, connection #319. The remote host "220.127.116.11", responded to the SMTP command "mail" with "451 Timeout waiting for command, terminating connection. ". The full command sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039 ". This may cause the connection to fail.
And MSExchangeTransport is also spitting out a bunch of errors like these:
This is an SMTP protocol log for virtual server ID 1, connection #359. The client at "18.104.22.168" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address ". The full command sent was "helo http://mail.oldartero.com:8888/cgi-bin/put". This will probably cause the connection to fail.
This is an SMTP protocol log for virtual server ID 1, connection #373. The client at "22.214.171.124" sent a "ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address ". The full command sent was "ehlo |". This will probably cause the connection to fail.
I have tried just blocking the IPs that are producing these warnings and errors, but there are just too many... they keep coming; I've blocked a dozen of them.
I have just enabled logging on the actual SMTP server, so I will post anything suspicious in there as well. It seems to me that these spammers may have found a way to buffer-overflow the SMTP server and write to the queue directory? I do not know what is going on. Help!
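Blocking addresses one at a time, as described above, does not scale when the event log keeps filling up, so the first useful step is to turn the MSExchangeTransport protocol-log messages into something countable: which remote IPs are sending malformed HELO/EHLO arguments, how often, and which sender domains dominate the outbound MAIL FROM warnings. The script below is an added example written for this answer, not part of the question or any Exchange tooling. It parses the three event texts quoted above plus one constructed event, validates the HELO/EHLO argument against the hostname or bracketed address-literal form RFC 5321 requires, and reports the IPs that have sent a malformed greeting at least a configurable number of times. The event texts, the fourth sample line and the threshold are the example's own assumptions; in practice the input would be the exported Application event log.

```python
import re
from collections import Counter

# Sample MSExchangeTransport protocol-log messages. The first three are the
# events quoted in the question; the fourth is constructed for this example.
SAMPLE_EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #319. '
    'The remote host "220.127.116.11", responded to the SMTP command "mail" with '
    '"451 Timeout waiting for command, terminating connection. ". The full command '
    'sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039 ". '
    'This may cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #359. '
    'The client at "18.104.22.168" sent a "helo" command, and the SMTP server '
    'responded with "501 5.5.4 Invalid Address ". The full command sent was '
    '"helo http://mail.oldartero.com:8888/cgi-bin/put". '
    'This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #373. '
    'The client at "22.214.171.124" sent a "ehlo" command, and the SMTP server '
    'responded with "501 5.5.4 Invalid Address ". The full command sent was '
    '"ehlo |". This will probably cause the connection to fail.',
    # Constructed: a second malformed greeting from the same client as #373.
    'This is an SMTP protocol log for virtual server ID 1, connection #374. '
    'The client at "22.214.171.124" sent a "helo" command, and the SMTP server '
    'responded with "501 5.5.4 Invalid Address ". The full command sent was '
    '"helo -". This will probably cause the connection to fail.',
]

CONN_RE = re.compile(r"connection #(?P<conn>\d+)")
# Inbound: a remote client sent us a command and we answered it.
INBOUND_RE = re.compile(
    r'The client at "(?P<ip>[^"]+)" sent a "(?P<cmd>[^"]+)" command, '
    r'and the SMTP server responded with "(?P<resp>[^"]*)"\. '
    r'The full command sent was "(?P<full>[^"]*)"'
)
# Outbound: we sent a command to a remote host and it answered.
OUTBOUND_RE = re.compile(
    r'The remote host "(?P<ip>[^"]+)", responded to the SMTP command '
    r'"(?P<cmd>[^"]+)" with "(?P<resp>[^"]*)"\. '
    r'The full command sent was "(?P<full>[^"]*)"'
)
MAIL_FROM_RE = re.compile(r"MAIL FROM:<[^@>]*@(?P<domain>[^>]+)>", re.IGNORECASE)
# RFC 5321 HELO/EHLO argument: a domain name or an address literal like [192.0.2.1].
HELO_ARG_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*|\[[0-9.]+\])$"
)


def parse_event(text):
    """Return a dict describing one protocol-log event, or None if unrecognised."""
    for direction, pattern in (("inbound", INBOUND_RE), ("outbound", OUTBOUND_RE)):
        m = pattern.search(text)
        if m:
            break
    else:
        return None
    conn = CONN_RE.search(text)
    resp = m.group("resp").strip()
    full = m.group("full").strip()
    code = re.match(r"(\d{3})", resp)          # leading SMTP reply code
    sender = MAIL_FROM_RE.search(full)          # only present on MAIL FROM events
    return {
        "direction": direction,
        "connection": int(conn.group("conn")) if conn else None,
        "ip": m.group("ip"),
        "command": m.group("cmd").lower(),
        "code": int(code.group(1)) if code else None,
        "full_command": full,
        "sender_domain": sender.group("domain").lower() if sender else None,
    }


def helo_argument_is_valid(full_command):
    """True if the HELO/EHLO argument is a hostname or a bracketed address literal."""
    parts = full_command.split(None, 1)
    if len(parts) != 2:
        return False
    return HELO_ARG_RE.match(parts[1]) is not None


def summarize(texts):
    """Aggregate parsed events by client IP, malformed greeting, and sender domain."""
    events = [e for e in (parse_event(t) for t in texts) if e]
    inbound_by_ip = Counter(e["ip"] for e in events if e["direction"] == "inbound")
    bad_helo_by_ip = Counter(
        e["ip"] for e in events
        if e["direction"] == "inbound" and e["command"] in ("helo", "ehlo")
        and not helo_argument_is_valid(e["full_command"])
    )
    outbound_domains = Counter(
        e["sender_domain"] for e in events
        if e["direction"] == "outbound" and e["sender_domain"]
    )
    return {
        "events": events,
        "inbound_by_ip": inbound_by_ip,
        "bad_helo_by_ip": bad_helo_by_ip,
        "outbound_sender_domains": outbound_domains,
    }


def repeat_offenders(summary, threshold=2):
    """Client IPs with at least `threshold` malformed HELO/EHLO commands, busiest first."""
    return [ip for ip, n in summary["bad_helo_by_ip"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    print("malformed HELO/EHLO by IP:", dict(s["bad_helo_by_ip"]))
    print("outbound sender domains:", dict(s["outbound_sender_domains"]))
    print("repeat offenders:", repeat_offenders(s))
```

Run against the full exported log, the two counters separate the two symptoms in the question: `bad_helo_by_ip` shows which clients are hammering the virtual server with junk greetings (candidates for a connection filter or upstream firewall rule rather than one-by-one blocks), while `outbound_sender_domains` shows which MAIL FROM domains the retry queue is built from, which is the figure to watch while confirming that the relay and recipient-filtering settings are actually taking effect.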