73r3grine asked:

Exchange 2003: SMTP Queue flooded

Hello all;

I know the more info the better, so excuse me if this is long.
I did a search and read over 30 threads about what appear to be this same issue. None of that seems to help in my case.
Over the weekend, my Exchange 2003 SP3 server got flooded with mail. Been working on it ever since. The SMTP queue currently has almost 6000 queues. Many to a .tw domain. This drops at night and rises back up during the day. We are able to send mail out and receive mail but it is slow.
So far I have:
-Scanned every PC on the network for spyware
-Created a recipient filter
-Verified I am not an open relay. Cleared "allow all computers to auth" check box.
-Enabled a tar pit
-Tried to flush my queue via MS directions of creating an SMTP connector. I gave up on this when the connector continued to grow to 30,000 messages. I assumed at that point that the problem was not fixed and stopped it.
-Enabled max logging to look for a 1708 auth message. Never got one.
-Scanned server with malware bytes
-Scanned server with TrendMirco AV
-Ran Windows Update and installed everything. .Net 3.5 update failed, will try that again tonight
-Turned off NDRs (temporarily)

I am SURE I am forgetting something. Especially after spending 24 hours here through Sunday night. I have been all over Simon's site and this and MS.

Any help appreciated.


Tags: Email Protocols, Internet Protocols, Exchange

Last comment: 73r3grine, 8/22/2022 (Mon)
Suraj

I am sure you are hit by spam..
Are the emails stuck in the queue postmaster emails or emails to domains which do not exist?
You need to enable the spam filtering on the Exchange server to get this resolved...
Syedm2

Check this article man. It has a very good checklist.
See if there are any loopholes in your network
http://support.microsoft.com/kb/895853
73r3grine

ASKER
A LOT of the emails are "postmaster@mydomain.com" but there are also many with very odd characters.
&$*#*%#&^^# (joblow@wierdname.com.tw). Are you suggesting I enable the Microsoft IMF filtering? I have seen many references to that but haven't tried it.

I already have that article printed out and sitting on my desk. Already done 1-4. We are not blacklisted very much if at all. Found no 1708's in my logs (which would indicate a compromised account). The NDRs we are getting are 5.4.0 not 5.7.1 so I turned off "Allow all computers which successfully auth to relay". 5.4.0's may be left over from when I created a temp SMTP connector.

I am actually starting to wonder if I have, indeed, fixed the issue. The queue seems to stabilize at around 6000. If I was still "under attack" would it continue to fill until the server crashed?

Is it possible the problem IS fixed, and I just need to clear the queues (which will probably take HOURS)? I did try the AQADMCLI.EXE tool but it errored after deleting only a couple hundred emails.


ASKER CERTIFIED SOLUTION
Suraj

Syedm2

Yes, enable IMF, sender, connection and recipient filtering.
Aqadmcli can be a bit of a difficult tool to work with at times.
Try running it again and again.
73r3grine

ASKER
I don't think it is fixed. Deleted a few queues. Went from 6227-6226-6225 > refresh > 6334

Trying that now Xsam. Some of it I have done. Then I will try IMF if that doesn't seem to help.

Syedm2

Yes, try those and also update the IMF.
Suraj

YES.. just do what I said and your issue is fixed.

-x-sam
Syedm2

Also check if you are able to do a telnet from a client workstation to an external IP.
Try this:
telnet maila.microsoft.com 25
You should not get a response. The connection should fail.
73r3grine

ASKER
Is renaming \Mailroot going to purge the queue? Everything is delayed by about 2 hours so if this will delete the queue I want to make sure I wait long enough so that any legit email is delivered.

Suraj

It will fail only if the IP is blacklisted! We are not concerned about that at this point in time!
First clear out the spam and get the mail flow working ;-)

-x
73r3grine

ASKER
telnet to mailia.microsoft.com 25 replied with a 220 mail01.microsoft.com /service ready

Suraj

Did you complete my action plan? What's the status?
73r3grine

ASKER
Thanks Sam. Coming back in a few hours to try and will let you know.
Much appreciated.
Suraj

No problem Buddy
Mestha

All the SMTP Connector did was allow the messages that are in the queues to gather in one place. If you haven't cut the server off from the internet then you need to do that.
postmaster@ is NDR spam and is stopped by the recipient filter. However if the messages are already on the server then you need to clean the queues.

Close port 25 on the firewall so that the server cannot be seen from the internet, then work on clearing the queues. Once you have done that you can restart the SMTP Server service and look at securing the server.

-M
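An added example, not code from this thread: a small Python script that reads a constructed, W3C-style SMTP protocol log (the column layout is an assumption, not Exchange's documented format) and flags sending hosts whose traffic is mostly null-sender bounces or mostly rejected recipients, the NDR spam Mestha describes, which a working recipient filter should be refusing at RCPT time.

```python
from collections import defaultdict

# Constructed sample, not from a real server. Column layout is an assumption:
# a W3C-style "#Fields:" header followed by one SMTP verb per line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2009-06-01 09:00:01 203.0.113.7 MAIL +FROM:<> 250
2009-06-01 09:00:01 203.0.113.7 RCPT +TO:<postmaster@example.com> 250
2009-06-01 09:00:02 203.0.113.7 MAIL +FROM:<> 250
2009-06-01 09:00:02 203.0.113.7 RCPT +TO:<ghjk12@example.com> 550
2009-06-01 09:00:03 203.0.113.7 MAIL +FROM:<> 250
2009-06-01 09:00:03 203.0.113.7 RCPT +TO:<qwe99@example.com> 550
2009-06-01 09:00:04 198.51.100.9 MAIL +FROM:<alice@partner.example> 250
2009-06-01 09:00:04 198.51.100.9 RCPT +TO:<bob@example.com> 250
"""

def parse_log(text):
    """Yield (ip, verb, argument, status) per data line, using the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess
        rec = dict(zip(fields, parts))
        yield rec["c-ip"], rec["cs-method"], rec["cs-uri-query"], int(rec["sc-status"])

def score_sources(text, min_msgs=3):
    """Per source IP, count null-sender MAIL commands (bounce traffic) and
    RCPT rejections (unknown recipients); flag sources with >= min_msgs
    messages where half or more are null-sender or half or more are rejected."""
    stats = defaultdict(lambda: {"mail": 0, "null_sender": 0, "rcpt": 0, "rcpt_rejected": 0})
    for ip, verb, arg, status in parse_log(text):
        s = stats[ip]
        if verb == "MAIL":
            s["mail"] += 1
            if arg.upper().endswith("FROM:<>"):
                s["null_sender"] += 1
        elif verb == "RCPT":
            s["rcpt"] += 1
            if 500 <= status < 600:
                s["rcpt_rejected"] += 1
    return {ip: dict(s) for ip, s in stats.items()
            if s["mail"] >= min_msgs
            and (s["null_sender"] * 2 >= s["mail"]
                 or (s["rcpt"] and s["rcpt_rejected"] * 2 >= s["rcpt"]))}
```

On the sample, 203.0.113.7 is flagged (three null-sender messages, two of three recipients rejected) while the partner host is not; the flagged list is what you would feed a firewall block or connection filter with.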
Syedm2

Yeah. We can search for legit emails later using Windows Explorer.
73r3grine

ASKER
Thanks so much! This worked perfectly and I looked like a hero!