Many unknown domains in my Exchange 2003 Outbound Queue

Posted on 2009-02-18
905 Views
Last Modified: 2012-05-06
I'm running Exchange Server 2003 on W2K3 Server.  I open System Manager and navigate to Administrative Groups>First Administrator Group>Servers>MYSERVERNAME>Queues.  I have a bunch (50+) domains in the queue and I have no idea how/why they are there.  It looks like they are all using the SMTP Connector.  

Any idea what is going on here?  I hope my box isn't sending spam!
Question by:MFredin
39 Comments
 
LVL 20

Expert Comment

by:MightySW
ID: 23672117
Hi,
This is normal when users send directly through the Exchange server when the Exchange server does not have a dedicated smart host in the routing options.  Let's just say that you had an anti-spam firewall or a relay server that handled your outgoing requests, that the Exchange server passed the outgoing emails onto.  Your Exchange server would then send the information via the routing entries to the defined smart host, and that would be the entry that showed up every time someone within your organization sent an email.  

You can see this by sending an email to a Gmail or Hotmail account or some other external domain while watching/refreshing the queue.  The domains that have emails sent to them will pop up in the queue and stay there for a determined amount of time so as to facilitate more emails (like an open connector to that domain).  I am sure that there is a registry fix for this somewhere as for how long these queue entries stick around; perhaps someone else can elaborate on this.  

You can learn more about smarthost and the ways to use them here:

http://www.dnsexit.com/support/mailrelay/exchange/setup.htm
http://www.petri.co.il/configure_iis_to_be_a_smart_host_for_exchange.htm


Here is an excellent resource on how to clean up your queues and perform some preventative maintenance.
http://www.amset.info/exchange/spam-cleanup.asp

HTH
0
 

Author Comment

by:MFredin
ID: 23672274
Well, I guess I am a little worried since many of the domain names in the queue are domains that no one in the office would be sending to... here's an idea of what I mean.

beefhive9.feeserve.co.uk
erotictreasures.com
exoticwoodfloor.com
hideakifan.com
ifg.com
hotelgalleriapark.com
tnvolleyball.com
etc
etc

These are not domains my users are sending email to.  So how did they end up in this queue?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23672289
Again, check this link out and check how to mitigate spam.  You may have your server set up for open relay:

http://www.amset.info/exchange/spam-cleanup.asp
0
 

Author Comment

by:MFredin
ID: 23672682
Thanks for the link.  It looks like I'm under an NDR attack.  I'm going through the instructions on how to "close the hole" and they are referring to a Connectors folder in System Manager.  For some reason, I don't have that folder.  Any idea how I can find it?

Here are the instructions I am referencing.
SMTP Connections

Start ESM, then open Connectors.
Right click on each SMTP Connector in turn and choose Properties.
Click on the "Address Space" tab.
If you have a "*" in the address list, check that "Allow messages to be routed to these domains" is not enabled.
Apply/OK until all windows are closed.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23672792
Yes, go to ESM, expand domain, expand routing groups, expand domain, expand connectors, right-click on each connector.  You should have a default connector named 'mail' and you may have others.  This depends on how you have it set up and how you are doing your routing.  From the sounds of things you will probably just have one.

This is where those instructions apply.

HTH
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23672805
When you go to Address Space, it will actually say Allow messages to be RELAYED to these domains.  You don't want this checked.
0
 

Author Comment

by:MFredin
ID: 23672851
Hmm. Allow Messages was actually unchecked and all my settings are in line with the instructions so I suspect it could be an Authenticated User Relaying.  I turned on logging and will be monitoring eventvwr.
0
 

Author Comment

by:MFredin
ID: 23672989
Here is an event that has already shown up in Event Viewer...

This is an SMTP protocol error log for virtual server ID 1, connection #24. The remote host "205.158.62.181", responded to the SMTP command "rcpt" with "550 <teet@singapore.net>: No thank you rejected: User unknown  ". The full command sent was "RCPT TO:<teet@singapore.net>  ".  This will probably cause the connection to fail.

0
 
LVL 20

Expert Comment

by:MightySW
ID: 23673087
Hi,
Go to domain, server, protocols, SMTP, right-click on Default SMTP Virtual... select Properties, click the Access tab and click Relay.

How do you have it set?

Should be set to only the list below (either empty, or a listed machine in there may be relaying for you) and "allow all computers which successfully auth..." unchecked.  Click on Users and ONLY Authenticated Users with Allow Submit and Allow Relay are checked.  If there are others, list them here.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 23673281
The usual account used for an authenticated user attack is administrator. Therefore I would suggest you change the administrator password, restart the SMTP Server Service and then turn off authenticated relaying completely.

-M
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23673365
Yes, however this is a production server and it is working so allowing authenticated users not to relay would break your outbound mail.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23673379
Oh, I see what you are saying Mestha, yes just uncheck relaying and leave send checked.
0
 

Author Comment

by:MFredin
ID: 23673603
Not sure what you mean by "uncheck relaying and leave send checked".  So I should UNcheck "Allow all computers which successfully authenticate to relay, regardless of the list above."?  Where do I "leave send checked"?  
0
 

Author Comment

by:MFredin
ID: 23673631
Ok, I think I understand.  So I unchecked "Allow all computers which successfully authenticate to relay, regardless of the list above." and then clicked "Users" and Authenticated Users are only allowed the Submit Permission.  This is correct right?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23673900
You had Allow all computers which successfully authenticate to relay checked?

Yes, you are correct, you need to uncheck that, and click users and uncheck authenticated users relay  (leave submit checked).

That will cut out rogue or hijacked accounts within your network using your Exchange server for relaying.  But if they are just sending out then you could still see the issue.

Check the event logs after you verify these settings and clear the queues.
0
 

Author Comment

by:MFredin
ID: 23674030
I cleared the queues and started SMTP.  Everything was clear for about 10 minutes but now I see more random domains in the Queue again.  I checked event viewer and getting some errors like "504 Need to authenticate first" which seems like a good sign, then the next error is "550.5.7.1 Unable to relay for SOMECRAZYDOMAINNAME".

Another thing, I am using this box to send messages for one of my hosted sites.  It doesn't seem to be letting me send from the site anymore.  I get the "550.5.7.1 Unable to relay for MYDOMAIN" error.  Is there any way to allow this?  Maybe that username and password is compromised?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23674107
Is your hosted site on an IP on your network?

If so, then add it to the list that is allowed to relay through the server through ESM, domain, server, protocols, SMTP, right-click on Default SMTP Virtual... select Properties, click the Access tab and click Relay.

Make sure you add in the IP and select ONLY the list below....
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23674125
Again, did you also reset the administrator password before you stopped and restarted the Default SMTP Virtual Server?

0
 

Author Comment

by:MFredin
ID: 23674130
Unfortunately, it's not in my network.  It does have a static IP though.  Could I still add it?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23674180
Yes you can, but I suspect this is where your issue is.

You should try another SMTP server that is accessible over the internet.  I wouldn't allow any external sources to relay on your internal Exchange server.  This is just bad practice.

You should try to get an SMTP relay from your ISP/bandwidth provider.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23674236
The fact that you are getting bounces now shows that the relay has been disabled, but it could have been from an internal user account.

Follow the troubleshooting guidelines in that link.  You will have to re-enable relaying for authenticated users, either that or look for that event (for previous events when it was enabled) by looking for the type of event listed in the link:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 30/08/2004
Time: 15:45:08
User: N/A
Computer: EXCH-SRV1
Description: SMTP Authentication was performed successfully with client test-pc1. The authentication method was LOGIN and the username was testdomain\testusername.
0
 

Author Comment

by:MFredin
ID: 23674476
So here is what I've done.  Changed the administrator password, shut down relay, restarted SMTP, moved my website SMTP relay from my internal Exchange server to my hosting company's email system.  I also changed the password on the account I was using for relay.  I checked the event viewer and I'm getting a bunch of "504 need to authenticate first" messages, which is good I think.  But I am STILL getting a bunch of weird domains in my queue.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23674498
Check for previous Event ID: 1708's  and look for the user that is doing it...
0
 

Author Comment

by:MFredin
ID: 23674533
I actually don't have any 1708's; they're mostly 7010 and 7004.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23674573
We need to find the source of the authentication required.

Enable the relay permission for authenticated users, stop and start SMTP, and then watch the event viewer for 1708's.
0
 

Author Comment

by:MFredin
ID: 23674697
Did that and still just loads of 1710's and no 1708's.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23674848
What is the info in a 1710?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23674866
Are you getting this verbatim:

An SMTP client authenticated as user "NT AUTHORITY\ANONYMOUS LOGON"
0
 

Author Comment

by:MFredin
ID: 23674920
Sorry, I meant 7010, not 1710.

Here is a 7010 and 7004

[7010]
This is an SMTP protocol log for virtual server ID 1, connection #169. The client at "204.16.179.242" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first  ". The full command sent was "xexch50 1036 2".  This will probably cause the connection to fail.

[7004]
This is an SMTP protocol error log for virtual server ID 1, connection #160. The remote host "82.223.191.131", responded to the SMTP command "rcpt" with "550 <ienoolta1979@STFMA.COM>: Recipient address rejected: User unknown in virtual alias table  ". The full command sent was "RCPT TO:<ienoolta1979@STFMA.COM>  ".  This will probably cause the connection to fail.
0
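The three event descriptions quoted in this thread (7004, 7010 and the 1708 example posted earlier) are what the discussion uses to tell apart outbound deliveries being rejected, inbound relay attempts being refused, and accounts that authenticated to the SMTP virtual server. As an added example that is not part of the original thread, the Python below parses those descriptions and aggregates them so the three questions can be answered from an exported event log; the sample events are constructed from the shapes posted here, and the regexes assume the English wording of the Exchange 2003 descriptions.

```python
import re
from collections import Counter

# Regexes for the three MSExchangeTransport descriptions quoted in the thread: 7004 = the remote
# host rejected our command (outbound delivery failing), 7010 = our server refused a client's
# command (inbound relay/auth attempt blocked), 1708 = an account authenticated to the server.
RE_7004 = re.compile(r'remote host "([^"]+)", responded to the SMTP command "(\w+)" with "(\d{3})')
RE_7010 = re.compile(r'client at "([^"]+)" sent a "(\w+)" command, and the SMTP server responded with "(\d{3})')
RE_1708 = re.compile(r'with client (\S+)\. The authentication method was (\w+) and the username was (\S+)\.')
RE_RCPT = re.compile(r'RCPT TO:<[^>@]+@([^>]+)>', re.IGNORECASE)

# Constructed samples following the shapes quoted in the thread (hosts and names as posted there).
SAMPLE_EVENTS = [
    (7004, 'This is an SMTP protocol error log for virtual server ID 1, connection #160. The remote host '
           '"82.223.191.131", responded to the SMTP command "rcpt" with "550 <ienoolta1979@STFMA.COM>: '
           'Recipient address rejected: User unknown  ". The full command sent was "RCPT TO:<ienoolta1979@STFMA.COM>  ".'),
    (7010, 'This is an SMTP protocol log for virtual server ID 1, connection #169. The client at '
           '"204.16.179.242" sent a "xexch50" command, and the SMTP server responded with '
           '"504 Need to authenticate first  ". The full command sent was "xexch50 1036 2".'),
    (1708, 'SMTP Authentication was performed successfully with client test-pc1. The authentication '
           'method was LOGIN and the username was testdomain\\testusername.'),
]


def parse_event(event_id, description):
    """Classify one event description; None when the text does not match the expected shape."""
    if event_id == 7004:
        m = RE_7004.search(description)
        rcpt = RE_RCPT.search(description)
        return m and {"kind": "outbound_rejected", "peer": m.group(1), "code": m.group(3),
                      "rcpt_domain": rcpt.group(1).lower() if rcpt else None}
    if event_id == 7010:
        m = RE_7010.search(description)
        return m and {"kind": "inbound_refused", "peer": m.group(1), "command": m.group(2), "code": m.group(3)}
    if event_id == 1708:
        m = RE_1708.search(description)
        return m and {"kind": "auth_success", "peer": m.group(1), "method": m.group(2), "user": m.group(3)}
    return None


def triage(events):
    """Aggregate (event_id, description) pairs: recipient domains our server is trying to deliver to,
    clients we are refusing, and accounts that authenticated (candidates for a compromised relay account)."""
    summary = {"rcpt_domains": Counter(), "refused_clients": Counter(), "auth_users": Counter()}
    for event_id, description in events:
        parsed = parse_event(event_id, description) or {}
        kind = parsed.get("kind")
        if kind == "outbound_rejected" and parsed["rcpt_domain"]:
            summary["rcpt_domains"][parsed["rcpt_domain"]] += 1
        elif kind == "inbound_refused":
            summary["refused_clients"][parsed["peer"]] += 1
        elif kind == "auth_success":
            summary["auth_users"][parsed["user"]] += 1
    return summary
```

A queue full of recipient domains nobody in the office mails, with the matching 7004 rejections, points at outbound abuse; a steady stream of 7010 refusals with no 1708 entries means the relay is closed and the remaining traffic is the backlog Mestha describes.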
 
LVL 20

Expert Comment

by:MightySW
ID: 23674952
Looks like you are blocking, but they are sending 5.7.1's

Have a look through this:

http://support.microsoft.com/kb/895853

0
 

Author Comment

by:MFredin
ID: 23675266
Yeah, it doesn't make sense because the 7010 messages are blocking but I still get new random domains in my queue.  I have checked and double checked the settings in the tutorials sent.  I don't get it.  Relay is turned off.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 23675455
Let's clear a few things up.
If you do not have ANY SMTP clients (i.e. Outlook Express) sending through your server, then you do not need any relay options set, nothing listed as an authenticated user, and the authenticated relaying options can be completely disabled.

Next - Exchange is notorious for not showing the true extent of the queues. If the server has been blasted with email (which is what happens when a spammer gets hold of a server) then it can take three or four passes to clean the queues completely.

Next - The errors in the event logs are what I would expect to see. Spammers' lists are not very clean, so there will be a lot of duff email addresses in the list. Your server is just reporting the ones that cannot be delivered.

A server that has been abused cannot be cleaned up in ten minutes. When I am doing one it normally takes me the best part of a day to get it clean.

-M
0
 
LVL 20

Accepted Solution

by:MightySW (earned 1200 total points)
ID: 23675786
There you go.

Sounds like you are on the right track.  Just complete the cleanup process under that link, under the "Cleaning Up the Exchange Server's SMTP Queues" category.  This will keep your queues clean.

Also, you should look into a Postini or a spam firewall solution/smarthost to filter your email.  They are great and they really help out when your exchange server is down as they usually offer web based emergency solutions.

Be sure to disable the relay permissions for the users  (we only did this for testing purposes M).

Good luck.
0
 

Author Comment

by:MFredin
ID: 23685728
Thanks guys.  So I've used the command line tool to clean up my queue about  5 or 6 times now.  It clears them out, then a minute later more and more unknown domains start piling in.  I'm convinced there is still a hole somewhere.  When I logged in this morning my account was locked out.  Any suggestions?
0
 
LVL 65

Assisted Solution

by:Mestha (earned 800 total points)
ID: 23687803
Have you closed port 25 on the firewall for inbound email before trying to clean up the server? If not, then I would suggest that you do. If the port is closed and the email continues to appear in the queues, then that is Exchange dumping the queue out. It can take quite a few times to clear the queues out because Exchange cannot cope with displaying the 100,000 or so messages that have probably been dumped on it.

-M
0
 

Author Comment

by:MFredin
ID: 23691811
I closed port 25 and cleared the queue.  Waited 5 minutes and the queue stayed clear.  I open port 25 and the queue starts getting dirty again.  So frustrating.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 23693578
While the port was closed, did you verify that you have closed all three possible ways of email getting through?

Disabled authenticated relaying completely?
Turned off all relaying options - you do not need anything listed for Exchange to work
Checked the SMTP connector?

Do you have recipient filtering and the tarpit enabled?

There are very few ways that Exchange can allow email to be relayed.

Remember after making any changes you need to restart the SMTP Server service.

-M
0
 
LVL 20

Expert Comment

by:MightySW
ID: 23696725
Did you run Kaspersky and Malwarebytes on your computer?  

http://www.kaspersky.com/virusscanner

http://www.malwarebytes.org/

It seems that your account may be partially responsible for attempted relays, which would indicate that you have a rootkit.  Go to Sysinternals and download the rootkit detector on your machine.

http://www.sysinternals.com/Utilities/RootkitRevealer.html

HTH
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24383426
Are these messages NDRs?

Someone might be spoofing your address list for spamming purposes.
0