[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Exchange queue keeps growing - SPAM issue

Posted on 2009-04-22
3
Medium Priority
?
823 Views
Last Modified: 2012-06-21
Hi Experts,

need your help. Yesterday we are being hit by spam; it seems coming from internal because the firewall showing me it's coming from internal IP address to external IP add.

Now the problem is the ESM showing huge numbers of connectors with 1 - 100 messages per connector. Up until now we have 55K messages in connector. I have meade a temp connector with a fake IP address so that I can redirect all the messages in 1 connector and delete them from there. But again the messages keeps growing like crazy.

I've scanned the machine with Our AV and find nothing.

Also I've keep deleting those messages with aqadmcli to delete all messages automatically; but the speed of the messages and deleting message are almost the same. I've disabled the outbound email and put the box out of the network.

Please advise..... really need a solution and help.

Currently my emails running on a backup link and thanks God, all of my stores are also on a different box.

cheers.

0
Comment
Question by:DAHITSydney
3 Comments
 
LVL 7

Expert Comment

by:Rammestein
ID: 24212416
Delete the temp tables.
http://support.microsoft.com/kb/906557
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24217989
Unless the messages are going to your own domain, then if it was a machine infected inside your network then the messages would not appear in the Exchange queues.

These two blog postings will explain why that is not the case.
http://blog.sembee.co.uk/archive/2009/02/28/93.aspx
http://blog.sembee.co.uk/archive/2008/03/13/73.aspx

ESM is notorious for being unable to show the true extent of the queues after the server has been abused, so even after disconnecting the server from the internet, messages will continue to appear in the queues. That is simply while Exchange processes the messages. When a spammer has been able to compromise a server they will send 1000s of messages through it.

My spam cleanup article will help you find out how the server was compromised and clean up the mess: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
0
 
LVL 2

Accepted Solution

by:
DAHITSydney earned 0 total points
ID: 24238388
Problem solved; it's a virus on the machine. using sysclean from trend micro.

thanks all.

cheers.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Steps to fix “Unable to mount database. (hr=0x80004005, ec=1108)”.
Steps to fix error: “Couldn’t mount the database that you specified. Specified database: HU-DB; Error code: An Active Manager operation fail”
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

826 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question