ScottDriver

Exchange 2003 - Message Tracking Logs problems

Today I've had 14GB of message tracking logs created. I know I can delete these without issue, but I'm concerned what's caused this situation. At times there was a new 5MB log created every minute.

Is there a way to view what these logs contain?
Any ideas what might be causing this?

We're a pretty small shop, and I can't possibly imagine that we have a volume of mail great enough to cause this issue.
THANKS!
MATTHEW_L

You are sure that they are message tracking logs and not transaction logs?

These logs can fill up quite a bit when a lot of email is coming in or leaving.  Check the Message Tracking Center and see how many messages have been sent / received in the last 3 to 4 hours.  Check to make sure your server is not an open relay.  If most of these are messages sent to non-existent users at your company you can use recipient filtering and tar pitting.

First step is to determine how many messages there are and where they're going / coming from.
ScottDriver

ASKER

Correction: they aren't message tracking logs, they are transaction logs. 'Enable Circular Logging' is not checked.
ASKER CERTIFIED SOLUTION
MATTHEW_L

ikm7176
Are you making a full backup of the store?
Thanks all for the prompt replies.

Matthew:
1- Backups were completed yesterday morning (12/2), and the transaction logs have been going at an average of one a minute since then.
2- Holding off... for now.  :)
3- I think the problem is with one e-mail account that is sending messages that have a subject of "Invalid message type", which then causes the postmaster to respond with a "Delivery Status Notification (Failure)". The account in question is a conference room that's set to auto-accept meeting invites, so I guess it's just launched a vicious circle of auto-accept replies and bouncebacks. I think I can work through this....
HOWEVER, you've piqued my interest on a couple of topics I'm unfamiliar with. If you can provide any more info and/or point me towards basic resources on the following, I'd very much appreciate it. "Check to make sure your server is not an open relay", tar pitting (this is a new term for me), and recipient filtering (I've used recipient filtering at a basic level, but I'm curious how you envisioned using it here). THANKS for the near immediate reply!

ikm: we don't have any entourage clients, but I appreciate the help.

ehabsalem: we created a full backup on 12/2, and the issue began showing up immediately afterwards.
Ok.  To give a little more explanation to those things I spoke of.

Open relay means that your server will forward mail from an account that is not in your mail organization to an account that is not in your organization.  This is bad as it is used by spammers to forward email and could cause an excessive amount of email to be sent from your system.  The easiest way to test is to do it via telnet.

telnet mail.yourserver.com 25
helo domain.com
mail from:<address@notinyourdomain.com>
rcpt to:<someemail@alsonotinyourdomain.com>

If your server is not set as an open relay, right after the rcpt to command you should receive the following:
550 5.7.1 Unable to relay for
If you get that error you should be OK.

Recipient filtering and tar pitting go together.  If you were under an NDR attack what would happen is many emails come into your server for addresses that do not exist.  The server must then try to send an NDR back to the sender.  Most of the time the sender does not exist and the queues flood with NDRs that cannot be delivered.  Two things can be done for this.

In recipient filtering you can select "filter recipients that are not in the directory".  Now all mail sent to a non-existent address will bounce at the SMTP level and the sending mail server will be responsible for the NDR.  This will help your server load quite a bit.  PROBLEM: now that you are announcing which recipients don't exist it is possible for a spammer to try many combinations of recipients until they get one that does not say recipient unknown.  This is called directory harvesting.  To combat this you would use tar pitting, which simply increases the time the server takes to come back with error messages and user unknown messages etc.  It would make a directory harvesting attack take a very, very long time.

Hope this answers your questions.  Good luck with the circle of bouncebacks.

Matt
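An added example, not from the thread, that scripts the telnet relay test Matt describes and classifies the RCPT TO reply the way he does (5xx such as "550 5.7.1 Unable to relay" means relaying is refused; 2xx such as the "250 2.1.5" the asker saw means the server would relay). Hostnames and addresses are placeholders, and the embedded server transcript is constructed so the code runs offline; probe_host() runs the same exchange against a real server.

```python
import socket
from io import BytesIO
# Constructed transcript for the offline demo: a server refusing to relay (550 at RCPT TO).
DENIED_TRANSCRIPT = (
    b"220 mail.example.test ESMTP ready\r\n"
    b"250 mail.example.test Hello\r\n"
    b"250 2.1.0 Sender OK\r\n"
    b"550 5.7.1 Unable to relay for someemail@alsonotinyourdomain.example\r\n"
    b"221 2.0.0 closing\r\n"
)

def read_reply(rfile):
    """Read one SMTP reply; '250-' continuation lines belong to the same reply."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
        if len(raw) < 4 or raw[3:4] != b"-":
            break
    return lines[0][:3], "\n".join(lines)

def probe_relay(rfile, wfile, helo="probe.example.test",
                sender="address@notinyourdomain.example",
                rcpt="someemail@alsonotinyourdomain.example"):
    """HELO / MAIL FROM / RCPT TO with outside addresses; returns (verdict, code, text)."""
    def exchange(cmd):
        wfile.write((cmd + "\r\n").encode("ascii")); wfile.flush()
        return read_reply(rfile)
    read_reply(rfile)                                   # 220 greeting banner
    code, text = exchange(f"helo {helo}")
    if code.startswith("2"):
        code, text = exchange(f"mail from:<{sender}>")
    if not code.startswith("2"):
        verdict = "other"           # rejected before RCPT: test is inconclusive
    else:
        code, text = exchange(f"rcpt to:<{rcpt}>")
        verdict = ("denied" if code.startswith("5")     # 550 5.7.1 Unable to relay
                   else "open" if code.startswith("2")  # 250 2.1.5 ...: would relay
                   else "other")                        # 4xx (greylisting): retry later
    wfile.write(b"quit\r\n"); wfile.flush()
    return verdict, code, text

def probe_transcript(transcript):
    """Offline run against a canned transcript (demo/test)."""
    return probe_relay(BytesIO(transcript), BytesIO())

def probe_host(host, port=25, timeout=10):
    with socket.create_connection((host, port), timeout=timeout) as s:
        return probe_relay(s.makefile("rb"), s.makefile("wb"))
```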
I think, like Matt said, you have an open relay. Check the queues. If you have lots of email in the queue then most likely you are being attacked.
I may have hastily closed this issue... Our logs are still expanding at a ridiculous rate after fixing the issue with the circular bouncebacks.
I'm not sure what's going on, but am currently investigating...
and I think we might be a relay. HELP!

When I telneted to mail, I get the following back after the rcpt command:

250 2.1.5 another@diffdomain.com

HELP!!!
Ok.  Here is a Microsoft KB article on the subject.
http://support.microsoft.com/kb/324958

It goes through the steps you did for testing if it is an open relay, and toward the bottom, steps on correcting it.

Let me know if you have some questions on this process or if it doesn't fix the problem.
Matthew,
Thanks again. If I knew how to give you double points I would do it.
THANK YOU!
No problem!