Solved

Conficker Worm Update slows Exchange 03 server

Posted on 2009-04-17
Last Modified: 2012-05-06
Ever since I installed the Conficker Worm security update on my Exchange 2003 server we have been having issues with delayed incoming mail. Is there any way to un-install that update or fix the issue otherwise?

The file I installed was "WindowsServer2003-KB921883-v2-x86-ENU.exe"
Question by:chawness
12 Comments
 
LVL 5

Expert Comment

by:mrmarkfury
ID: 24169370
I'm not sure about why it would cause the slowdown, but to remove a hotfix, go to Add/Remove Programs, make sure the box "Show Updates" up top is checked, navigate to the hotfix, and click remove.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24169392
I am not aware of any updates causing performance issues with Exchange, and have all of the updates on many Exchange 2003 servers. The update you have linked to is actually quite old - 2006 and is about the Server service, so could be something third party was upset by it. I presume the server is fully patched otherwise - Windows 2003 SP2.

As for the issues you are seeing, how do you know the messages are delayed? Are you seeing a delay arriving in to the server or elsewhere? There are many reasons why messages can be delayed, outside of installing an update.

Simon.
0
 
LVL 5

Expert Comment

by:mrmarkfury
ID: 24169428
BTW, it's hotfix 958644 if you need the number. Is there any way you can create a lab environment to troubleshoot the delayed mail issue? You definitely don't want your mail servers unprotected.

How have you narrowed it down to this hotfix being the cause of slow incoming mail? I realize the coincidental timing, but you may find after uninstalling the hotfix that the issue persists.
0

 
LVL 1

Author Comment

by:chawness
ID: 24169791
I went to Add/Remove Programs and clicked the Show Updates box. I saw it there but it says it was installed 2-23-07. Maybe it was already there and I didn't know it.

I know the email is delayed because our main clients emails are arriving 30 minutes after being sent and sometimes not getting through (their server gives up). Other people sending mail to us have reported the same issue.

This all started after I applied the patch.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24169971
If the installation date is showing as 2007 then it was already on your system, so it must have been another update that you installed. There were seven or eight updates out on Tuesday, did you install those as well?

As I said above, I am not aware of any performance impact on servers from any of the recent updates, so I have to conclude it is a coincidence and was most likely caused by something else changing that took effect after you rebooted the server.

Simon.
0
 
LVL 1

Author Comment

by:chawness
ID: 24214611
No, I haven't installed any other updates to the server. Here is a bounce message one of our clients is receiving:


From: Microsoft Exchange
To: 'myuser@greenwayeng.com'
Sent: Saturday, April 11, 2009 8:22 PM
Subject: Undeliverable: Fw: Delivery Delayed: FW: Initial Review for MO 45 Mehoopany Prospect - Susquehanna County, PA
Delivery has failed to these recipients or distribution lists:
'myuser@greenwayeng.com'
Microsoft Exchange has been trying to deliver this message without success and has stopped trying. Please try sending this message again, or provide the
following diagnostic text to your system administrator.
_____
Sent by Microsoft Exchange Server 2007
Diagnostic information for administrators:
Generating server: chaexhprd005.chkenergy.net
myuser@greenwayeng.com
#550 4.4.7 QUEUE.Expired; message expired ##
Original message headers:
Received: from CHAEXHPRD007.chkenergy.net ([10.9.96.224]) by
chaexhprd005.chkenergy.net ([10.9.96.201]) with mapi; Thu, 9 Apr 2009
20:16:19 -0400
From: user <theiruser@chk.com>
To: "'myuser@greenwayeng.com'" <myuser@greenwayeng.com>
Date: Thu, 9 Apr 2009 20:16:18 -0400
Subject: Fw: Delivery Delayed: FW: Initial Review for MO 45 Mehoopany
Prospect - Susquehanna County, PA
Thread-Topic: Delivery Delayed: FW: Initial Review for MO 45 Mehoopany
Prospect - Susquehanna County, PA
Thread-Index: AcmiYPUR/92WDNRfRS60UynY6dGtQQW7U4PwAAirDvQAACiiKA==
Message-ID: <10684B652F8F9B49BC2C6AE6BB9F45BC01863FBF65@CHAEXHPRD007.chkenergy.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-ems-proccessed: Vt/htad8wlyWgJROWWc7oQ==
x-ems-stamp: zghtJO7BEuqEUak3C43VpA==
Content-Type: multipart/alternative;
boundary="_000_10684B652F8F9B49BC2C6AE6BB9F45BC01863FBF65CHAEXHPRD007c_"
MIME-Version: 1.0
0
 
LVL 1

Author Comment

by:chawness
ID: 24215961
More information from my logs. I did not receive this email.

2009-04-23 15:03:56 198.181.133.240 chaexhprd005.chkenergy.net SMTPSVC1 GW8 10.10.10.10 0 EHLO - +chaexhprd005.chkenergy.net 250 0 315 31 0 SMTP - - - -
2009-04-23 15:03:56 198.181.133.240 chaexhprd005.chkenergy.net SMTPSVC1 GW8 10.10.10.10 0 MAIL - +FROM:<mitra.pratt@chk.com> 250 0 44 41 0 SMTP - - - -
2009-04-23 15:03:56 198.181.133.240 chaexhprd005.chkenergy.net SMTPSVC1 GW8 10.10.10.10 0 RCPT - +TO:<smiller@greenwayeng.com> 250 0 36 33 0 SMTP - - - -
2009-04-23 15:03:56 198.181.133.240 chaexhprd005.chkenergy.net SMTPSVC1 GW8 10.10.10.10 0 QUIT - chaexhprd005.chkenergy.net 240 407 36 33 188 SMTP - - - -
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24216678
The NDR is a time out. Doesn't really help say much more.
The log isn't that helpful either, as all it shows is the start of the communication and then a quit.

If it is happening with external messages then it looks to me like interference. Something scanning SMTP traffic that shouldn't be. Firewall, AV, something like that.

Simon.
0
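The pattern described in the comment above (a session that gets as far as RCPT and then ends with QUIT, with no message body transferred) can be picked out of a larger SMTP service log. This is an added example, not part of the original thread: the column positions are inferred from the log lines the asker posted, the sample lines and addresses are constructed, and sessions are tracked per client IP because the quoted lines carry no session ID.

```python
from collections import defaultdict

CLIENT_FIELD = 2   # assumption: client IP is the 3rd column, as in the quoted lines
VERB_FIELD = 8     # assumption: SMTP verb is the 9th column, as in the quoted lines

# Constructed sample: one session that quits after RCPT, one that sends DATA.
SAMPLE_LOG = """\
2009-04-23 15:03:56 198.51.100.7 mail.example.net SMTPSVC1 GW8 10.10.10.10 0 EHLO - +mail.example.net 250 0 315 31 0 SMTP - - - -
2009-04-23 15:03:56 198.51.100.7 mail.example.net SMTPSVC1 GW8 10.10.10.10 0 MAIL - +FROM:<a@example.net> 250 0 44 41 0 SMTP - - - -
2009-04-23 15:03:56 198.51.100.7 mail.example.net SMTPSVC1 GW8 10.10.10.10 0 RCPT - +TO:<b@example.org> 250 0 36 33 0 SMTP - - - -
2009-04-23 15:03:57 203.0.113.9 mx.example.com SMTPSVC1 GW8 10.10.10.10 0 EHLO - +mx.example.com 250 0 315 31 0 SMTP - - - -
2009-04-23 15:03:57 198.51.100.7 mail.example.net SMTPSVC1 GW8 10.10.10.10 0 QUIT - mail.example.net 240 407 36 33 188 SMTP - - - -
2009-04-23 15:03:58 203.0.113.9 mx.example.com SMTPSVC1 GW8 10.10.10.10 0 MAIL - +FROM:<c@example.com> 250 0 44 41 0 SMTP - - - -
2009-04-23 15:03:58 203.0.113.9 mx.example.com SMTPSVC1 GW8 10.10.10.10 0 RCPT - +TO:<b@example.org> 250 0 36 33 0 SMTP - - - -
2009-04-23 15:03:59 203.0.113.9 mx.example.com SMTPSVC1 GW8 10.10.10.10 0 DATA - +<msg1@mx.example.com> 250 0 120 900 0 SMTP - - - -
2009-04-23 15:03:59 203.0.113.9 mx.example.com SMTPSVC1 GW8 10.10.10.10 0 QUIT - mx.example.com 240 500 36 33 0 SMTP - - - -
"""


def incomplete_sessions(log_text):
    """Return sessions that reached RCPT but ended with QUIT and no DATA/BDAT."""
    open_sessions = defaultdict(list)   # client IP -> verbs seen since last QUIT
    flagged = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):   # skip blanks and W3C headers
            continue
        fields = line.split()
        if len(fields) <= VERB_FIELD:
            continue
        client, verb = fields[CLIENT_FIELD], fields[VERB_FIELD].upper()
        open_sessions[client].append(verb)
        if verb == "QUIT":
            verbs = open_sessions.pop(client)
            if "RCPT" in verbs and not {"DATA", "BDAT"} & set(verbs):
                flagged.append({"client": client,
                                "ended": f"{fields[0]} {fields[1]}",
                                "verbs": verbs})
    return flagged


if __name__ == "__main__":
    for s in incomplete_sessions(SAMPLE_LOG):
        print(s["ended"], s["client"], " ".join(s["verbs"]))
```

Two simultaneous connections from the same client IP would be merged by this grouping, so treat a hit as a pointer to the raw log lines rather than a verdict.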
 
LVL 1

Author Comment

by:chawness
ID: 24217184
Here is something I think could be an issue. From my firewall logs:

04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "TURN"
04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "PIPELINING"
04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "DSN"
04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "ENHANCEDSTATUSCODES"
04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "VRFY"
04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "X-EXPS"
04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "X-EXPS=LOGIN"
04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "X-LINK2STATE"
04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "XEXCH50"
04/23/09 12:56  smtp-proxy[18395]:  [189.41.162.147:10176 10.10.10.10:25] removing ESMTP keyword "OK"
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24220786
Yes, that would cause a few problems.
Preferably, turn off the SMTP scanning feature in the firewall. It is getting in the way.

Simon.
0
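To see how much the SMTP proxy is rewriting, the "removing ESMTP keyword" lines can be grouped per connection and compared with the keywords the administrator has asked the proxy to allow. This is an added example, not part of the original thread: the log lines are constructed in the format quoted above, and `ALLOW_LIST` is a hypothetical stand-in for whatever list is configured on the firewall.

```python
import re
from collections import defaultdict

# Matches the proxy log format quoted in the thread.
LINE_RE = re.compile(
    r'smtp-proxy\[\d+\]:\s+\[(?P<src>\S+) (?P<dst>\S+)\] '
    r'removing ESMTP keyword "(?P<kw>[^"]+)"'
)

# Constructed sample lines (documentation-range addresses).
SAMPLE_LOG = '''\
04/23/09 12:56  smtp-proxy[18395]:  [203.0.113.25:10176 10.10.10.10:25] removing ESMTP keyword "PIPELINING"
04/23/09 12:56  smtp-proxy[18395]:  [203.0.113.25:10176 10.10.10.10:25] removing ESMTP keyword "DSN"
04/23/09 12:56  smtp-proxy[18395]:  [203.0.113.25:10176 10.10.10.10:25] removing ESMTP keyword "X-EXPS=LOGIN"
04/23/09 12:56  smtp-proxy[18395]:  [203.0.113.25:10176 10.10.10.10:25] removing ESMTP keyword "XEXCH50"
04/23/09 12:57  smtp-proxy[18402]:  [198.51.100.40:4411 10.10.10.10:25] removing ESMTP keyword "XEXCH50"
04/23/09 12:57  kernel: unrelated line that must be ignored
'''

# Hypothetical: keywords the admin believes the proxy is set to pass through.
ALLOW_LIST = {"PIPELINING", "DSN", "ENHANCEDSTATUSCODES"}


def stripped_by_connection(log_text):
    """Map (source, destination) -> keywords the proxy removed, in log order."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            conns[(m["src"], m["dst"])].append(m["kw"].upper())
    return dict(conns)


def allowed_but_stripped(log_text, allow_list):
    """Per connection, keywords that are on the allow list yet were removed."""
    allowed = {k.upper() for k in allow_list}
    report = {}
    for conn, keywords in stripped_by_connection(log_text).items():
        # Compare on the part before "=" so "AUTH=LOGIN"-style entries match.
        hits = sorted({k for k in keywords if k.split("=", 1)[0] in allowed})
        if hits:
            report[conn] = hits
    return report


if __name__ == "__main__":
    for (src, dst), kws in allowed_but_stripped(SAMPLE_LOG, ALLOW_LIST).items():
        print(f"{src} -> {dst}: allowed but stripped: {', '.join(kws)}")
```

A non-empty report is concrete evidence to hand to the firewall vendor: the configured allow list and the proxy's observed behaviour disagree.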
 
LVL 1

Author Comment

by:chawness
ID: 24223896
That's the horrible thing about my Watchguard Firebox, I can't turn this off. If I do I will lose all of my spam filtering and attachment stripping.

There is even a place to add all the ESMTP keywords I want to allow but it still keeps removing them.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 2000 total points
ID: 24224362
Well I can only suggest that you speak to Watchguard support for advice. The firewall I am pretty sure is the cause of the problems.

Simon.
0
