exchange system manager....lots of mail in the queue

Posted on 2009-04-23
38
Medium Priority
462 Views
Last Modified: 2012-05-06
please see the picture i am attaching...i have no idea why there are so many, and these are not any domains that we are sending to.

can anyone shed some light on this?

thanks.

exchange 2003 on a 2003 server OS
esm.jpg
Question by:tomdlgns
38 Comments
 
LVL 2

Expert Comment

by:scottbortis
ID: 24217951
It looks like you might be an open relay.  Check your settings under your server name, protocols, smtp, smtp virtual server
Look at the second tab over "access" and check out relay restrictions.  It should be set to "Only the list below" and that list should be blank.  there should be no check box checked in that sheet either unless you are intentionally relaying.
0
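The relay-restrictions check above is easiest to confirm from the outside: an outside sender addressing an outside recipient must be refused on RCPT TO. Here is an added example (not from this thread, not Microsoft's or mxtoolbox's tooling) that runs that probe against your own SMTP virtual server. The HELO name, the addresses, and the `FakeSmtpServer` stand-in are constructed so the script also runs offline; `socket_sender` is what you would pass for a live check of a server you administer.

```python
"""Open-relay self-test for your own SMTP server (Exchange 2003 SMTP virtual server).

Added example, not from this thread. An outside sender addressing an outside
recipient must get a 5xx "unable to relay" reply on RCPT TO. The server stand-in,
the HELO name and all addresses are constructed for offline use.
"""
import socket

RELAY_DENIED = "relay denied"    # RCPT TO refused with 5xx: expected on a closed relay
OPEN_RELAY = "open relay"        # RCPT TO for a foreign domain accepted: misconfigured
INCONCLUSIVE = "inconclusive"    # HELO or MAIL FROM itself failed; fix the probe first


def domain_of(address):
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def relay_test(send_cmd, sender, recipient):
    """Run the relay probe through send_cmd(command) -> (code, text).

    Both sender and recipient must be outside domains; a recipient the server
    hosts would be accepted for local delivery and prove nothing.
    Returns (verdict, transcript) where transcript lists (command, code, text).
    """
    transcript = []

    def step(command):
        code, text = send_cmd(command)
        transcript.append((command, code, text))
        return code

    if step("HELO relaytest.example") != 250:          # hypothetical HELO name
        return INCONCLUSIVE, transcript
    if step(f"MAIL FROM:<{sender}>") != 250:
        return INCONCLUSIVE, transcript
    rcpt_code = step(f"RCPT TO:<{recipient}>")
    step("QUIT")
    # 250/251 means the server queued a message for a domain it is not
    # responsible for, i.e. it relays for anonymous clients.
    verdict = OPEN_RELAY if rcpt_code in (250, 251) else RELAY_DENIED
    return verdict, transcript


def socket_sender(host, port=25, timeout=15):
    """Return a send_cmd callable bound to a real TCP connection (live use only)."""
    sock = socket.create_connection((host, port), timeout)
    reader = sock.makefile("rb")

    def read_reply():
        # SMTP replies may span lines: "250-..." continues, "250 ..." ends.
        while True:
            line = reader.readline().decode("latin-1", "replace")
            if not line:
                raise ConnectionError("server closed the connection")
            if line[3:4] != "-":
                return int(line[:3]), line[4:].strip()

    read_reply()  # consume the greeting banner

    def send_cmd(command):
        sock.sendall((command + "\r\n").encode("ascii"))
        return read_reply()
    return send_cmd


class FakeSmtpServer:
    """Constructed stand-in so the example runs offline.

    Models the 'Relay restrictions' sheet: open_relay=True is the effect of
    letting every client relay; open_relay=False is 'Only the list below' with
    an empty list, where only recipients in hosted domains are accepted.
    """

    def __init__(self, local_domains, open_relay):
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay

    def __call__(self, command):
        verb = command.split(":", 1)[0].split()[0].upper()
        if verb in ("HELO", "EHLO"):
            return 250, "mail.corp.example Hello"
        if verb == "MAIL":
            return 250, "2.1.0 Sender OK"
        if verb == "RCPT":
            recipient = command.split("<", 1)[1].rstrip(">")
            if self.open_relay or domain_of(recipient) in self.local_domains:
                return 250, "2.1.5 Recipient OK"
            return 550, "5.7.1 Unable to relay"
        if verb == "QUIT":
            return 221, "2.0.0 Service closing"
        return 500, "5.5.1 Command unrecognized"


if __name__ == "__main__":
    closed = FakeSmtpServer({"corp.example"}, open_relay=False)
    verdict, transcript = relay_test(closed, "probe@outside.example", "victim@elsewhere.example")
    for command, code, text in transcript:
        print(f"C: {command}\nS: {code} {text}")
    print("verdict:", verdict)
```

Run it against a server of your own with `relay_test(socket_sender("mail.corp.example"), ...)` from a host outside the IP ranges granted on the relay sheet; a probe from an address that is on the list (or from the Exchange server itself, as in the screenshot) is accepted by design and says nothing about anonymous relaying.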
 

Author Comment

by:tomdlgns
ID: 24218666
this is where i went to...

i got to the protocols like you said, but i right clicked on the default connection and went to properties.

from there, i went to access tab, then i didn't see an access tab, but i do see an access button.

so i clicked that and i attached the picture, please refer to that.

hmmm, strange.


open-relay.JPG
0
 

Author Comment

by:tomdlgns
ID: 24218672
i cut out the rest of the internal IP, please don't assume it is just 192
0
 
LVL 2

Assisted Solution

by:scottbortis
scottbortis earned 80 total points
ID: 24218815
If you have another mail server, that should be the IP address.  If this is your only mail/smtp server for the organization, you should clear out the checkbox for the "Allow all...." and either remove the granted computer or ensure it is the only other server you want to relay mail.  If you only have the 1 mail server, it should be blank and the box should be unchecked.  

Like so:
relay.JPG
0
 

Author Comment

by:tomdlgns
ID: 24219088
yes, this is the only exchange server on my network.  i went ahead and unchecked the box and took out the ip of the exchange server.

now, how do i delete all these queued emails?

i suppose i could just leave it alone and they should go away after the 10 day mark, but i don't like seeing them there.  i can't highlight them all and delete them.  that isn't working.

0
 

Author Comment

by:tomdlgns
ID: 24219106
also, how about the authentication button, under the virtual smtp properties, mine looks like this.

see attachment.
auth.JPG
0
 
LVL 65

Accepted Solution

by:
Mestha earned 460 total points
ID: 24220672
You need my spam cleanup article
http://www.amset.info/exchange/spam-cleanup.asp

That will help you to identify the problem and clean it up.
Your authentication settings are fine - if you turn off anonymous then you will not receive any email.

Simon.
0
 

Author Comment

by:tomdlgns
ID: 24220900
so my server was not an open relay but i have spam somewhere?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24223140
Not necessarily. Have you tested for open relay?
If you have then it could be an authenticated relay, or an NDR attack. I very much doubt if it is an internal machine that is compromised, the server is being abused directly.

Simon.
0
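The three possibilities Simon lists (open relay, authenticated relay, NDR attack) leave different fingerprints in the ESM queue view: who the MAIL FROM is, and which domains the queues are for. The following added example (not from this thread or the linked article) applies that distinction to a queue listing. The `QueueEntry` rows are constructed to resemble the symptom in the question: a few legitimate queues plus hundreds of messages for domains the company never mails.

```python
"""Triage of an Exchange 2003 outbound queue listing: NDR attack vs relay abuse.

Added example, not from the thread. Labels each per-domain queue by sender
and destination, then looks at the queues for domains you never mail:
  ndr             null sender or postmaster@<local>: bounces this server generated
  foreign-sender  outside sender to outside recipient: anonymous relay
  local-sender    one of your own accounts mailing out: authenticated relay
Queue entries below are constructed sample data.
"""
from collections import Counter, namedtuple

# One ESM queue per destination domain: domain, MAIL FROM of its messages, count.
QueueEntry = namedtuple("QueueEntry", "domain sender messages")

NDR_ATTACK = "NDR attack (backscatter)"
OPEN_RELAY = "open relay"
AUTHENTICATED_RELAY = "authenticated relay / compromised account"
NORMAL = "no abuse pattern"

VERDICTS = {"ndr": NDR_ATTACK, "foreign-sender": OPEN_RELAY,
            "local-sender": AUTHENTICATED_RELAY}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if address else ""


def classify_entry(entry, local_domains):
    """Label a queue entry by who is sending to whom."""
    if entry.domain.lower() in local_domains:
        return "inbound"                # delivery to our own mailboxes
    if entry.sender == "" or entry.sender.lower().startswith("postmaster@"):
        return "ndr"                    # non-delivery report generated here
    if domain_of(entry.sender) in local_domains:
        return "local-sender"           # internal account mailing out
    return "foreign-sender"             # outside sender to outside recipient


def triage(entries, local_domains, known_partner_domains):
    """Return (verdict, counts): counts is message volume per label over the
    whole queue; the verdict is decided only by queues for domains that are
    neither yours nor ones you normally mail."""
    local = {d.lower() for d in local_domains}
    partners = {d.lower() for d in known_partner_domains}
    counts = Counter()
    unexpected = Counter()
    for e in entries:
        label = classify_entry(e, local)
        counts[label] += e.messages
        dest = e.domain.lower()
        if dest not in local and dest not in partners:
            unexpected[label] += e.messages
    if not unexpected:
        return NORMAL, counts
    label = unexpected.most_common(1)[0][0]
    return VERDICTS[label], counts


# Constructed sample: two legitimate queues and three NDR queues for domains
# the company has no business with.
SAMPLE_QUEUE = [
    QueueEntry("corp.example", "orders@supplier.example", 3),
    QueueEntry("supplier.example", "buyer@corp.example", 2),
    QueueEntry("random-1.example", "postmaster@corp.example", 120),
    QueueEntry("random-2.example", "", 85),
    QueueEntry("random-3.example", "postmaster@corp.example", 60),
]

if __name__ == "__main__":
    verdict, counts = triage(SAMPLE_QUEUE, {"corp.example"}, {"supplier.example"})
    print(verdict, dict(counts))
```

Each verdict points at a different fix: an NDR attack is stopped by rejecting unknown recipients during the SMTP session (recipient filtering) instead of accepting the message and bouncing it; a foreign-sender pattern is the relay-restrictions problem already discussed; a local-sender pattern means an account's credentials are being used to relay and that password needs to be changed.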
 
LVL 6

Expert Comment

by:MikeGGG
ID: 24223175
visit www.mxtoolbox.com to check your server to be an open relay and to do some other useful checks...
0
 

Author Comment

by:tomdlgns
ID: 24226042
how do i prevent NDR attacks?
0
 

Author Comment

by:tomdlgns
ID: 24226058
OK - This server is not an open relay.

that's what mxtoolbox shows, which is good.

also, i have been to mxtoolbox in the past and i noticed that it never listed me as an open relay.

so this must be an NDR attack, but i would like to know how to stop that and/or prevent it.

thanks guys.
0
 

Author Comment

by:tomdlgns
ID: 24226098
here is another screen shot with the message open.

also, i saw the link above, for using telnet and doing some work that way, but will that clear all these messages from the queue?

thanks again all
esm2.JPG
0
 
LVL 6

Expert Comment

by:MikeGGG
ID: 24226239
If you read the excellent post from mestha carefully (definitely didn't, sorry :) and the article provided here
http://www.amset.info/exchange/spam-cleanup.asp
then you should see the section =Cleaning up the Server= in it.
0
 

Author Comment

by:tomdlgns
ID: 24226268
yeah, i didn't read the article yet.  i saved it in my favorites, but i didn't have a chance to read it.

i should have rephrased my question.

i wanted to make sure that article had some cleaning instructions in it and not just preventative stuff.

is this something that i can do in a live environment?  or should i wait until after hours?

thanks guys.
0
 
LVL 6

Assisted Solution

by:MikeGGG
MikeGGG earned 460 total points
ID: 24226331
I think you should react very quickly, otherwise you will be put on a blacklist by anti-spam servers.
You can quickly clear all queues so:
Alternative Queue Clean Up Method

If you have a very large number of messages, then there is a command line tool that you can get from Microsoft.

ftp://ftp.microsoft.com/pss/Tools/

Then go in to the folders: Exchange Support Tools / Aqadmcli
(Due to the use of spaces in the folder names, a direct link isn't possible)

After downloading the utility use the following command to clear all the queues.

aqadmcli delmsg flags=all


but it will really clear all messages from queue no matter spam or not.
0
 

Author Comment

by:tomdlgns
ID: 24226353
got it...

before i start, what is the difference between the tool you posted from MS and the walk through in this link?

http://www.amset.info/exchange/spam-cleanup.asp

0
 
LVL 6

Expert Comment

by:MikeGGG
ID: 24226387
The difference is, with this command-line tool you will be able to clear all queues at once.
When you're under attack but don't see the source of the attack yet, it is your second step after closing port 25 on your firewall :)
0
 

Author Comment

by:tomdlgns
ID: 24226480
aqadmcli delmsg flags=all

tells me it is an unknown command.

0
 
LVL 6

Expert Comment

by:MikeGGG
ID: 24226535
you should put this utility in a directory listed in your PATH variable :)
0
 
LVL 6

Expert Comment

by:MikeGGG
ID: 24226563
again.
To empty out an SMTP queue using AQADMCLI, run it from the command line and type in the following commands:
setserver <servername> (it is AFAIK not necessary if you have only one server)
delmsg flags=all
quit

0
 

Author Comment

by:tomdlgns
ID: 24226678
ok, all the messages are deleted, but the icons are still in the queue.  however, i think those will delete themselves shortly...

thanks!
0
 
LVL 6

Expert Comment

by:MikeGGG
ID: 24226698
you are welcome ;-)
0
 

Author Comment

by:tomdlgns
ID: 24226823
dang, i am still getting hit.

i just saw another one pop in there.

0
 
LVL 6

Expert Comment

by:MikeGGG
ID: 24226846
then go back to this article
http://www.amset.info/exchange/spam-cleanup.asp
and read the section
Check Whether an Authenticated User is Relaying
0
 

Author Comment

by:tomdlgns
ID: 24226863
ok, reading now.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24226961
I provided more than one solution for flushing out the queues. The script method would delete everything, however if you went through the GUI then it would give you the opportunity to "save" something that wasn't spam.

The article was written to take you through the full process, because there is no point cleaning up the server if you haven't identified how the attack is taking place. While prevention is better than cure, you need to stop the spammer abusing the server.

I usually suggest blocking port 25 on the firewall so that the traffic from outside is stopped.

Simon.
0
 
LVL 6

Expert Comment

by:MikeGGG
ID: 24226982
Agreed, closing port 25 is the first thing that should be done in such case.
0
 

Author Comment

by:tomdlgns
ID: 24227019
ok, don't get me wrong guys, i am trying to figure out the source as well.

however, i wanted to get those 2000 queues gone to simplify the view each time i opened up the queue.

thanks for the links, i am working on this now.

i will update soon.
0
 

Author Comment

by:tomdlgns
ID: 24227943
i am not sure if there is any relation, but i got this in my email while i was out getting lunch.

We have determined your SMTP server to be unreachable via SMTP.

MXToolBox.com detected the change at: 4/24/2009 1:02:26 PM CT
Object reference not set to an instance of an object.

DomainName: xxxxxxxxxxxxxx.com
IP Address: xxx.xxx.xxx.xxx
Server Type: Banner Supressed
Last Banner: Object reference not set to an instance of an object.

i have been using mxtoolbox.com to monitor my exchange server for over a year now and i have gotten this message a handful of times.

my server is up and i have sent and received email, so i am not sure why i am getting this message.

again, not sure if it is related to the problem with having all those queues

thanks.

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24229777
If your server is being thrashed, then there is a good chance that the server will be unavailable at times, simply because of the amount of traffic flowing through it.

Simon.
0
 

Author Comment

by:tomdlgns
ID: 24229833
Well port 25 is closed, which was open. I forgot that I opened it a while ago to allow access to one of my off-site workers. Then I got a vpn at that location and forgot to close port 25. No more queued spam emails in the last few hours.

Also, I setup logging to the max level to see if an authenticated user has been compromised.

Thanks. Anything else I should try?
0
 

Author Comment

by:tomdlgns
ID: 24229935
here is one of the errors that popped up in the event log earlier this afternoon

This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "6x.x0.xxx.x2" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "helo mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx".  This will probably cause the connection to fail.
0
 

Author Comment

by:tomdlgns
ID: 24229938
i got an email at 1pm saying the server is down, then at 3pm the email said it was up, then at 5pm i got an email saying the server was down.

the event error i posted above came in at 310pm
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24232337
If you close port 25 completely then you will not receive any email at all. The port 25 closure is while you clean up the server.
During the clean up phase, messes in the event log are normal and to be expected. You need to get the queues clean and then setup the server correctly for external email.

Simon.
0
 

Author Comment

by:tomdlgns
ID: 24232351
i use message labs to scan incoming email for spyware and viruses.

they give me 8 ip address ranges.

port 25 is open for those ranges only.

i had a separate rule set in my firewall to allows port 25 to be open for * or any ip address.  that is the port i closed.

so to summarize, i had 9 smtp (25) ports open.  now i have 8 open.
0
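The rule set described here (eight allow rules for the scanning provider's ranges plus one allow-from-anywhere rule on the same port) is worth auditing mechanically, because a catch-all allow makes the per-range rules irrelevant no matter where it sits in the list. The following is an added example, not from this thread or any firewall vendor; the three RFC 5737 documentation networks are placeholders standing in for the provider's real eight ranges, and the test addresses are constructed.

```python
"""Audit of inbound TCP/25 firewall rules with first-match semantics.

Added example, not from the thread. build_rules(True) models the situation
before the fix (provider allowlist plus a catch-all allow), build_rules(False)
the situation after. PROVIDER_RANGES are documentation-network placeholders
for the real scanning-provider ranges.
"""
import ipaddress
from dataclasses import dataclass

# Placeholders for the eight provider ranges the author's firewall allows.
PROVIDER_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    source: str        # CIDR network, or "any"
    dst_port: int

    def matches(self, src_ip, port):
        if port != self.dst_port:
            return False
        if self.source == "any":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


def build_rules(include_catch_all):
    """Provider allowlist, optionally followed by the 'allow * -> 25' rule."""
    rules = [Rule("allow", net, 25) for net in PROVIDER_RANGES]
    if include_catch_all:
        rules.append(Rule("allow", "any", 25))
    return rules


def evaluate(rules, src_ip, port, default="deny"):
    """First matching rule decides; implicit deny if none matches.
    Returns (action, index_of_matching_rule_or_None)."""
    for index, rule in enumerate(rules):
        if rule.matches(src_ip, port):
            return rule.action, index
    return default, None


def catch_all_allows(rules, port=25):
    """Indices of 'allow from any' rules on the port. Any such rule lets every
    source reach the port, so the per-range allows on that port do nothing."""
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and r.source == "any" and r.dst_port == port]


def reachable_from(rules, sources, port=25):
    """Map each candidate source address to whether it can reach the port."""
    return {ip: evaluate(rules, ip, port)[0] == "allow" for ip in sources}


if __name__ == "__main__":
    # Constructed test addresses: one inside a provider range, one arbitrary host.
    probes = ["198.51.100.10", "100.64.0.5"]
    for label, rules in (("before", build_rules(True)), ("after", build_rules(False))):
        print(label, reachable_from(rules, probes), "catch-all rules:", catch_all_allows(rules))
```

Running the audit before the fix reports the arbitrary host as able to reach port 25 and flags the catch-all rule; after removing it only the provider ranges get through, which is the state the author describes as "8 open".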
 

Author Comment

by:tomdlgns
ID: 24241305
hey guys...

just an update.  it looks like all of those queued emails were coming in from the open port 25 that i had.

i hope nobody is confused about my explanation of the filtered IP Addresses.

just to let you all know, since the help from everyone in here and the article that was posted, i was able to resolve the issue.  

i would like to leave the thread untouched for a few more hours just to confirm that everything is as it should be right now.

we have had no problems receiving email.
0
 

Author Comment

by:tomdlgns
ID: 24246980
thanks again, points assigned.
0
