Exchange Server 2003 connections

Posted on 2007-03-31
Medium Priority
Last Modified: 2010-04-18
Here's the environ:

Small LAN, one Server 2003 Enterprise running Exchange 2003 Enterprise.  It supports less than 5 users, 4 of whom connect directly to exchange and one remote user who gets mail via POP3.

The other day I got an e-mail from Time Warner telling me that Spamcop got a complaint about some spam that originated from my IP.  Of course I began the search.

I "think" what happened was that something I downloaded from a newsgroup was infected and started some trouble.  I have scanned my primary server and my backup member server and both are clean.  The data from the newsgroup is stored in an encrypted folder and is now closed so I'm thinking that "maybe" the virus can only run when the encrypted folder is open.  I only reced one e-mail from Time Warner and it only documented on problem e-mail.  Both servers look clean so far as I can tell, but I have several questions.

1.  Under my mail server in system manager, I have a queue.  What is that queue for and what is it's purpose?  Of course I understand that it handles outbound e-mail, but I am under the impression that no one can use it unless the user is authenticated.  I saw 35 queues in there and with only 5 users I didn't expect to see anything in the queue.  

2.  Under my SMTP virtual server, I see Current Sessions.  Why do I see connected sessions in there from places I don't expect to see connected sessions from?  Again, I am thinking that my Exchange server is set up so that only authenticated users can connect, yet I'm seeing some sessions I do not expect to see.

3.  Can I lock down my Exchange server so that ONLY authenticated users can connect and everyone else is blocked?  I thought I had it setup that way already but it seems not.

Anyway, I'm looking for some direction, pointers, etc on this issue.


Question by:crp0499
  • 2
LVL 32

Assisted Solution

r-k earned 800 total points
ID: 18831234
LVL 104

Expert Comment

ID: 18831724
You can't stop all connections to the server, only the relaying attempts. If you block anyone who doesn't authenticate then you will stop inbound email.

If you think you have an infection somewhere, then you need to find it. The quickest way to do that is to block port 25 on the firewall and stop the SMTP traffic on the Exchange server. If a machine on your network is sending messages out it will soon show in the firewall logs.


Author Comment

ID: 18840757
ok, fine.  I already knew i waasn't an open relay.  I've scanned both servers and no virus.  that leaves the pc in the office as the possible source of the infection but i havent checked it yet.

my question is WHAT are the messages in the queue?

I'm thinking that I have my server set to authenticated users only so the only thing I expect to see in the queue is mail my users have sent, all the same, I have the following in my queue:

erols.com - 10,000+ messages
charter.net - 11,000+
bellsouth.net - 26,000+

what are all these messages in my queue?
LVL 104

Accepted Solution

Sembee earned 1200 total points
ID: 18844165
If you have those sorts of numbers of messages then you are looking at one of three problems

- open relay
- authenticated relaying.

Have you changed your administrator password recently? If not, then you should.

For cleaning up the queues, take a look at my spam cleanup article: http://www.amset.info/exchange/spam-cleanup.asp


Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

I am posting this in case anyone runs into similar issues that I did, this may save you a lot of grief: Condition: 1. Your NetBIOS domain name contains an ampersand " & " character.  (e.g. AT&T) 2. You've tried to run any Microsoft installation…
Upgrading from older Exchange server to the latest Exchange server can be tiresome, error-prone and risky, without being a seasoned exchange server administrators. It can become even problematic if you're an organization that runs on tight timeline…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question