thrill_house
asked on
SMTP Sessions
The network administrator in my company has been out for a few weeks, and will continue to be out for another week, and don't you know our email server started having problems. Many of the emails we send out from within our applications are erroring out or just not sending. When doing research on this, I saw something that had me scratching my head. My fear is that my company's Exchange server is being used by spammers; can anyone tell me if I have anything to fear?
In System Manager, when I go under SMTP, and view Current Sessions, there are many listed, none of them from my company. There are also connections that are going on for over 500 seconds. Is this a cause for concern?
I enabled diagnostic logging on the MSExchangeTransport service, with a maximum logging level on the SMTP protocol. I did this yesterday at 2:45pm, and I have probably received 1000 errors since. Is this normal? Most of the errors are Event 7010 "Sender already specified". Most of the IP addresses are from foreign countries such as Italy, Israel, and Russia.
Let me know your thoughts! Thanks.
ASKER
Server Info:
OS: Windows 2000
Exchange: Exchange 2003 (version June 2003)
RAM: 512MB
Processor: 550MHz Pentium 2
I'm not getting that many NDR messages, but here is one:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;judy@emailaddress.com (Message-ID <2f4b01c71e05$f35719f0$0532000a@SERVER.org>).
Causes: This message indicates a DNS problem or an IP address configuration problem
Solution: Check the DNS using nslookup or dnsq.
Here are some other errors I get:
SOME OF THESE:
This is an SMTP protocol log for virtual server ID 1, connection #605. The client at "206.69.81.24" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first ". The full command sent was "xexch50 2556 4". This will probably cause the connection to fail.
MOSTLY THESE:
This is an SMTP protocol log for virtual server ID 1, connection #604. The client at "75.75.44.84" sent a "mail" command, and the SMTP server responded with "503 5.5.2 Sender already specified ". The full command sent was "mail FROM:<poo@validate.com>". This will probably cause the connection to fail.
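An added example, not part of the original thread or of any Exchange tooling: a small Python script that parses the text of the Event 7010 protocol-log messages quoted above, tallies rejected SMTP commands per client IP, and lists the clients that keep getting refused. The sample messages are constructed for the example (the two quoted above plus a few made-up ones in the same format); in practice you would feed it the message text exported from the Application event log.

```python
import re
from collections import Counter, defaultdict

# Pattern for the message text of Exchange 2003 SMTP protocol-log events
# (the MSExchangeTransport messages quoted in the question).
EVENT_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The client at "(?P<ip>[^"]+)" sent a '
    r'"(?P<verb>[^"]+)" command, and the SMTP server responded with '
    r'"(?P<code>\d{3})(?P<text>[^"]*)"\. The full command sent was '
    r'"(?P<cmd>[^"]*)"'
)

# Constructed sample: the two messages from the question plus four invented
# ones in the same format, and one unrelated event that must be ignored.
SAMPLE_EVENTS = [
    'This is an SMTP protocol log for virtual server ID 1, connection #605. The client at '
    '"206.69.81.24" sent a "xexch50" command, and the SMTP server responded with '
    '"504 Need to authenticate first ". The full command sent was "xexch50 2556 4". '
    'This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #604. The client at '
    '"75.75.44.84" sent a "mail" command, and the SMTP server responded with '
    '"503 5.5.2 Sender already specified ". The full command sent was '
    '"mail FROM:<poo@validate.com>". This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #606. The client at '
    '"75.75.44.84" sent a "mail" command, and the SMTP server responded with '
    '"503 5.5.2 Sender already specified ". The full command sent was '
    '"mail FROM:<a@example.invalid>". This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #607. The client at '
    '"75.75.44.84" sent a "mail" command, and the SMTP server responded with '
    '"503 5.5.2 Sender already specified ". The full command sent was '
    '"mail FROM:<b@example.invalid>". This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #608. The client at '
    '"75.75.44.84" sent a "mail" command, and the SMTP server responded with '
    '"503 5.5.2 Sender already specified ". The full command sent was '
    '"mail FROM:<c@example.invalid>". This will probably cause the connection to fail.',
    'The MAD Monitoring thread was unable to read its configuration (constructed filler).',
]


def parse_event(message):
    """Return a dict for one protocol-log event, or None if the text is something else."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    ev = m.groupdict()
    ev["conn"] = int(ev["conn"])
    ev["code"] = int(ev["code"])
    ev["text"] = ev["text"].strip()
    # 4xx/5xx means the server refused the command, i.e. it resisted the client.
    ev["rejected"] = ev["code"] >= 400
    return ev


def summarize(messages):
    """Per client IP: total commands seen, rejected commands, and a Counter of (code, verb)."""
    stats = defaultdict(lambda: {"total": 0, "rejected": 0, "responses": Counter()})
    for msg in messages:
        ev = parse_event(msg)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        s["total"] += 1
        if ev["rejected"]:
            s["rejected"] += 1
        s["responses"][(ev["code"], ev["verb"].lower())] += 1
    return dict(stats)


def flag_clients(stats, min_rejected=3):
    """Clients refused at least min_rejected times, most-refused first (ties by IP)."""
    flagged = [(ip, s["rejected"]) for ip, s in stats.items() if s["rejected"] >= min_rejected]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    stats = summarize(SAMPLE_EVENTS)
    for ip, count in flag_clients(stats):
        print(f"{ip}: {count} rejected commands, responses={dict(stats[ip]['responses'])}")
```

A client that repeatedly draws "503 Sender already specified" is sending MAIL FROM more than once in a session without a RSET, and "504 Need to authenticate first" on xexch50 means an unauthenticated client tried an Exchange-only extension; both are refusals, so the counts tell you which remote hosts are hammering the server rather than relaying through it. The threshold is a parameter because what counts as noise depends on your normal traffic.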
ASKER
Here is some more info:
I just checked under Current Connections (for SMTP) and I found a connection from one of our domain names, but the IP address was from New York (we are not in New York). I also saw the name localhost and that IP address was from Brazil.
What do your queues look like?
If you look in the queues, do you have lots of messages from postmaster@?
It looks like you are under some kind of attack, but which one (there are three or four it could be) isn't clear at the moment.
Simon.
ASKER
The queues show 59 items, all of the names in the queues look legit, and all of the items in the queue originated yesterday.
I did go home during lunch to try and telnet into the server, but I was unable to, so I don't think we have an open relay...
If everything in the queues looks legit, then I would suspect that someone is having a pop at the server but the server is resisting. The logging is probably turned up a tad too high and is showing you everything that is going on.
As you don't know the server, you will be unable to answer the question on whether the number of messages in the queue is normal or not. I don't like to see any messages in the queues, but with high traffic sites it is sometimes inevitable that a few will hang around.
Simon.
ASKER
I thought I might have the logging set up too high as well, so I changed it this morning to minimum logging, and it still logs all of those errors I posted. So I don't know how concerned I should be.
Is it normal to have a bunch of sessions on the "Default SMTP Virtual Server"? We have upwards of 20 at one time, with long connection times. How is someone connected? Should it just be internal addresses in there?
It would also help if you provided some version information.
Simon.