tomdlgns

asked on

exchange system manager....lots of mail in the queue

please see the picture i am attaching...i have no idea why there are so many, and these are not any domains that we are sending to.

can anyone shed some light on this?

thanks.

exchange 2003 on a 2003 server OS
esm.jpg
scottbortis

It looks like you might be an open relay.  Check your settings under your server name, protocols, smtp, smtp virtual server.
Look at the second tab over "access" and check out relay restrictions.  It should be set to "Only the list below" and that list should be blank.  There should be no check box checked in that sheet either unless you are intentionally relaying.
tomdlgns

ASKER

this is where i went to...

i got to the protocols like you said, but i right clicked on the default connection and went to properties.

from there, i went to access tab, then i didn't see an access tab, but i do see an access button.

so i clicked that and i attached the picture, please refer to that.

hmmm, strange.


open-relay.JPG
i cut out the rest of the internal IP, please don't assume it is just 192
SOLUTION
scottbortis

yes, this is the only exchange server on my network.  i went ahead and unchecked the box and took out the ip of the exchange server.

now, how do i delete all these queued emails?

i suppose i could just leave it alone and they should go away after the 10 day mark, but i don't like seeing them there.  i can't highlight them all and delete them.  that isn't working.

also, how about the authentication button, under the virtual smtp properties, mine looks like this.

see attachment.
auth.JPG
ASKER CERTIFIED SOLUTION
so my server was not an open relay but i have spam somewhere?
Not necessarily. Have you tested for open relay?
If you have then it could be an authenticated relay, or an NDR attack. I very much doubt if it is an internal machine that is compromised, the server is being abused directly.

Simon.
MikeGGG
visit www.mxtoolbox.com to check whether your server is an open relay and to do some other useful checks...
how do i prevent NDR attacks?
OK - This server is not an open relay.

that's what mxtoolbox shows, which is good.

also, i have been to mxtoolbox in the past and i noticed that it never listed me as an open relay.

so this must be an NDR attack, but i would like to know how to stop that and/or prevent it.

thanks guys.
here is another screen shot with the message open.

also, i saw the link above, for using telnet and doing some work that way, but will that clear all these messages from the queue?

thanks again all
esm2.JPG
If you read the excellent post from mestha carefully (definitely didn't, sorry :) and the article provided here
http://www.amset.info/exchange/spam-cleanup.asp
then you should see the section =Cleaning up the Server= in it.
yeah, i didn't read the article yet.  i saved it in my favorites, but i didn't have a chance to read it.

i should have rephrased my question.

i wanted to make sure that article had some cleaning instructions in it and not just preventative stuff.

is this something that i can do in a live environment?  or should i wait until after hours?

thanks guys.
SOLUTION
got it...

before i start, what is the difference between the tool you posted from MS and the walk through in this link?

http://www.amset.info/exchange/spam-cleanup.asp

The difference is, with this command-line tool you will be able to clear all queues at once.
When you're under attack but don't see the source of the attack yet, it is your second step after closing port 25 on your firewall :)
aqadmcli delmsg flags=all

tells me it is an unknown command.

you should put this utility in a directory listed in your PATH variable :)
again.
To empty out an SMTP queue using AQADMCLI, run it from the command line and type in the following commands:
setserver <servername> (it is AFAIK not necessary if you have only one server)
delmsg flags=all
quit

ok, all the messages are deleted, but the icons are still in the queue.  however, i think those will delete themselves shortly...

thanks!
you are welcome ;-)
dang, i am still getting hit.

i just saw another one pop in there.

then go back to this article
http://www.amset.info/exchange/spam-cleanup.asp
and read the section
Check Whether an Authenticated User is Relaying
ok, reading now.
I provided more than one solution for flushing out the queues. The script method would delete everything, however if you went through the GUI then it would give you the opportunity to "save" something that wasn't spam.

The article was written to take you through the full process, because there is no point cleaning up the server if you haven't identified how the attack is taking place. While prevention is better than cure, you need to stop the spammer abusing the server.

I usually suggest blocking port 25 on the firewall so that the traffic from outside is stopped.

Simon.
Agreed, closing port 25 is the first thing that should be done in such case.
ok, don't get me wrong guys, i am trying to figure out the source as well.

however, i wanted to get those 2000 queues gone to simplify the view each time i opened up the queue.

thanks for the links, i am working on this now.

i will update soon.
i am not sure if there is any relation, but i got this in my email while i was out getting lunch.

We have determined your SMTP server to be unreachable via SMTP.

MXToolBox.com detected the change at: 4/24/2009 1:02:26 PM CT
Object reference not set to an instance of an object.

DomainName: xxxxxxxxxxxxxx.com
IP Address: xxx.xxx.xxx.xxx
Server Type: Banner Supressed
Last Banner: Object reference not set to an instance of an object.

i have been using mxtoolbox.com to monitor my exchange server for over a year now and i have gotten this message a handful of times.

my server is up and i have sent and received email, so i am not sure why i am getting this message.

again, not sure if it is related to the problem with having all those queues

thanks.

If your server is being thrashed, then there is a good chance that the server will be unavailable at times, simply because of the amount of traffic flowing through it.

Simon.
Well port 25 is closed, which was open. I forgot that I opened it a while ago to allow access to one of my off-site workers. Then I got a VPN at that location and forgot to close port 25. No more queued spam emails in the last few hours.

Also, I set up logging to the max level to see if an authenticated user has been compromised.

Thanks. Anything else I should try?
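As an added example (not code from the thread or from the linked article), here is a small Python script that does what the "Check Whether an Authenticated User is Relaying" step asks for once maximum SMTP logging is on: it reads the SMTP virtual server's W3C-format log and lists accounts that were used to send accepted RCPTs to many outside domains. The column subset, account names, IPs and domains in the sample are constructed; a real Exchange 2003 log carries more columns, and the #Fields header drives the parsing so extra columns are simply ignored.

```python
import re
from collections import defaultdict

# Constructed sample of an Exchange 2003 SMTP virtual server log (IIS W3C
# extended format). Column subset, accounts, IPs and domains are made up for
# this example; "-" in cs-username means the session never authenticated.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-04-24 13:01:04 203.0.113.45 CORP\\jdoe RCPT +TO:<bob@example.com> 250
2009-04-24 13:01:07 198.51.100.9 CORP\\svc-fax RCPT +TO:<u1@example.biz> 250
2009-04-24 13:01:07 198.51.100.9 CORP\\svc-fax RCPT +TO:<u2@example.info> 250
2009-04-24 13:01:08 198.51.100.9 CORP\\svc-fax RCPT +TO:<u3@example.biz> 250
2009-04-24 13:01:08 198.51.100.9 CORP\\svc-fax RCPT +TO:<u4@example.edu> 250
2009-04-24 13:01:09 198.51.100.9 CORP\\svc-fax RCPT +TO:<u5@example.edu> 550
2009-04-24 13:01:10 192.0.2.7 - RCPT +TO:<u6@example.edu> 550
"""

ADDR_RE = re.compile(r"<([^>]+)>")

def parse_w3c(log_text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def authenticated_relay_stats(log_text, local_domain):
    """Accepted RCPTs to outside domains per authenticated account, with the domains and client IPs involved."""
    stats = defaultdict(lambda: {"external_rcpt": 0, "domains": set(), "client_ips": set()})
    for rec in parse_w3c(log_text):
        # Only accepted (250) RCPT commands in authenticated sessions count;
        # a 550 is the relay restriction doing its job, "-" means no login.
        if rec["cs-method"] != "RCPT" or rec["cs-username"] == "-" or rec["sc-status"] != "250":
            continue
        addr = ADDR_RE.search(rec["cs-uri-query"])
        domain = addr.group(1).rsplit("@", 1)[-1].lower() if addr else ""
        if not domain or domain == local_domain.lower():
            continue  # mail addressed to our own domain is delivery, not relaying
        s = stats[rec["cs-username"]]
        s["external_rcpt"] += 1
        s["domains"].add(domain)
        s["client_ips"].add(rec["c-ip"])
    return dict(stats)

def suspicious_accounts(log_text, local_domain, max_domains=2):
    """Accounts relaying to more than max_domains outside domains (raise the threshold for real volumes)."""
    return sorted(u for u, s in authenticated_relay_stats(log_text, local_domain).items()
                  if len(s["domains"]) > max_domains)
```

Point it at the real log directory of the virtual server and at your own accepted domain; an account that shows up here from an IP you do not recognise is the one whose password needs changing.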
here is one of the errors that popped up in the event log earlier this afternoon

This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "6x.x0.xxx.x2" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "helo mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx".  This will probably cause the connection to fail.
i got an email at 1pm saying the server is down, then at 3pm the email said it was up, then at 5pm i got an email saying the server was down.

the event error i posted above came in at 3:10pm
If you close port 25 completely then you will not receive any email at all. The port 25 closure is while you clean up the server.
During the clean up phase, messes in the event log are normal and to be expected. You need to get the queues clean and then setup the server correctly for external email.

Simon.
i use message labs to scan incoming email for spyware and viruses.

they give me 8 ip address ranges.

port 25 is open for those ranges only.

i had a separate rule set in my firewall to allow port 25 to be open for * or any ip address.  that is the port i closed.

so to summarize, i had 9 smtp (25) ports open.  now i have 8 open.
hey guys...

just an update.  it looks like all of those queued emails were coming in from the open port 25 that i had.

i hope nobody is confused about my explanation of the filtered IP Addresses.

just to let you all know, since the help from everyone in here and the article that was posted, i was able to resolve the issue.  

i would like to leave the thread untouched for a few more hours just to confirm that everything is as it should be right now.

we have had no problems receiving email.
thanks again, points assigned.