
SMTP Stops Internet from working

Windows 2003 R2 Svr, Exchange 2003 Svr., DSL connection all nestled nice & securely behind a SonicWall Pro2040 (or so I thought). Things were running fine for quite some time, then, over the past few days, the Internet started to slow down, & yesterday it quit working altogether, no replies back when a ping was done to an outside name server. I have narrowed the problem down to the SMTP service. If I disable that in Exchange, the Internet comes back up & seems to be working fine. Response times are a consistent 23, 58, 79, 23ms, as they should be. As soon as I enable the SMTP service my pings almost instantly show signs of a problem with response times as follows; 384ms, 2800ms, 3900ms, time out, time out, time out.. and all bandwidth seems to be consumed by the SMTP service & poof, no more Internet for any of my internal clients. Few more details to help in determining the problem.. Both Server & Exchange are completely up-to-date with MS updates. We are running Symantec Enterprise Ed. v.10.1 & it is up-to-date & functioning fine. This is not an open relay, but we do have POP3 running as we need to serve some remote people. The SonicWall Firewall seems to be as secure as it can be, & I actually have all incoming SMTP traffic tightened down to only let this type of traffic take place on a certain set of subnets. The reason for that is we use a third party Anti-SPAM/AV filtering service called MXLogic. All MX records point to MXLogic & they get hit with all the Crap mail & then the good filtered mail gets sent along its way to our Public IP from MXLogic. It almost seems as though I am getting hit by someone inside the network... Or could there be a bunk email stuck in a queue somewhere? Any thoughts or suggestions would be greatly appreciated. Thanks.
4 Solutions
I am not an email expert, however, if I were tasked with this problem, this is what I would start with.
1. Enable the SMTP, but block your external Spam company. Does the problem persist?
Do you have a NetFlow or sFlow enabled device that connects your mail server, internet and clients? If so, I would download the free version of Scrutinizer: http://www.plixer.com/support/download_request.php
This program lets you see traffic consumption, src and dst on any of 5 interfaces (free version).
If your internet dies when smtp is started, then you should check your queues to see what is waiting for outbound. You could have a virus infected workstation or someone getting into your server. Try disabling outbound email, then starting smtp. DSL is not as fat a pipe, so you would notice it more than on cable. You should also check the logs and post any warnings or errors you find.
I agree with tntmax, probably an infected PC filling your outbound queues with spam.

How to Delete Messages from Queues in Exchange Server 2003

I'm sure you have some jammed-up legitimate mail also waiting in the queues, so be careful what you delete.

The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

1) Authorized servers only: Allow your authorized mail server or anti-spam solution (ex. ironmail/ironport/barracuda..etc) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it would take a while to clear your IP.

2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wifi LAN and allowed Any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (ex. SurfControl).

3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of generated traffic on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:


4) MX reputation monitoring: This is a very nice way for early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance, http://www.towerdata.com/services/email/deliverability/repcheck.html

5) Antivirus & HIPS: I don't need to discuss too much about this point. Many MX blacklisting incidents happened due to a computer left without installing an antivirus scanner. So, always scan your network and push the AV client. Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

6) FW/Router Logs: You need to enable logging of any rule that allows outbound SMTP traffic, so you can later check the source of any suspicious spam traffic from inside-to-outside.

You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

1) Wireshark, download it from (http://www.wireshark.org/download.html)

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from some vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).

2) Another sniffing tool is Tcpick (linux based), download it from (https://sourceforge.net/projects/tcpick/).

Here is how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

Here is how to scan for port 25 (replace the placeholder with your network range):

#nmap -sS -p 25 <your-network-range>

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here is how to sniff port 25:

#tcpdump -i eth0 port 25

A Symantec Certified Specialist @ your service
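The checklist above (items 1, 3 and 6) and the sniffer commands both come down to one question: which internal host is opening outbound tcp/25 connections, and is it the authorized mail server? The following is an added example, not code from this thread or from any vendor mentioned in it, that parses firewall allow-log lines and flags hosts other than the authorized mail server, plus the mail server itself if it bursts past a connection threshold (the symptom of a flooded queue described in the question). The log line format, the IP addresses and the threshold are constructed assumptions, not SonicWall's real syslog syntax.

```python
"""Flag internal hosts sending outbound SMTP that are not the authorized mail server.

Constructed example: the log line shape below is an assumption made for this
demonstration, not a real firewall syslog format. Any log that records source
IP, destination IP and destination port for allowed outbound connections can be
adapted by changing LOG_RE.
"""
import re
from collections import Counter

# Assumed line shape: "<time> allow src=<ip>:<port> dst=<ip>:<port> proto=tcp"
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=tcp"
)

# Constructed sample: 192.168.1.10 is the (assumed) authorized mail server,
# 192.168.1.57 is a workstation that should never talk to port 25 outside.
SAMPLE_LOG = [
    "10:01:02 allow src=192.168.1.10:51001 dst=203.0.113.5:25 proto=tcp",
    "10:01:03 allow src=192.168.1.10:51002 dst=203.0.113.5:25 proto=tcp",
    "10:01:05 allow src=192.168.1.57:40010 dst=198.51.100.20:25 proto=tcp",
    "10:01:05 allow src=192.168.1.57:40011 dst=198.51.100.21:25 proto=tcp",
    "10:01:06 allow src=192.168.1.57:40012 dst=198.51.100.22:25 proto=tcp",
    "10:01:06 allow src=192.168.1.57:40013 dst=198.51.100.23:25 proto=tcp",
    "10:01:07 allow src=192.168.1.57:40014 dst=198.51.100.24:25 proto=tcp",
    "10:01:08 allow src=192.168.1.33:52000 dst=93.184.216.34:80 proto=tcp",
    "10:01:09 allow src=192.168.1.10:51003 dst=203.0.113.6:25 proto=tcp",
]


def count_outbound_smtp(lines):
    """Return a Counter of outbound tcp/25 connection attempts per source IP.

    Lines that do not match the expected shape, or that target a port other
    than 25, are ignored rather than treated as errors.
    """
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dport") == "25":
            counts[m.group("src")] += 1
    return counts


def find_suspect_senders(lines, authorized, threshold=50):
    """Map suspect source IP -> (reason, connection count).

    A host not in `authorized` is reported on its first outbound tcp/25
    connection (checklist item 1: only the mail server may send SMTP out).
    An authorized host is reported only when it exceeds `threshold`
    connections in the window covered by `lines`, which is what a stuck or
    flooded outbound queue looks like on the wire.
    """
    suspects = {}
    for src, n in count_outbound_smtp(lines).items():
        if src not in authorized:
            suspects[src] = ("unauthorized outbound SMTP", n)
        elif n > threshold:
            suspects[src] = ("authorized server above threshold", n)
    return suspects


if __name__ == "__main__":
    for ip, (reason, n) in find_suspect_senders(SAMPLE_LOG, {"192.168.1.10"}).items():
        print(f"{ip}: {reason} ({n} connections)")
```

Run against a real export, the only line to change is LOG_RE; the per-window threshold should be set from a baseline of the mail server's normal outbound connection rate, and a sustained burst from the authorized server is the cue to inspect the Exchange queues rather than a sign of a compromised host.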
ZappaMang (Author) commented:
Thanks for the responses everyone. I got things kind of straightened out. I think the main problem was a user had flooded the mail queue with legit emails. There were just 20 or so emails that were about 8meg each. I thought it was kind of strange how the Internet pipe was being completely consumed like that though.
ZappaMang (Author) commented:
I re-opened this question in a new post. The same problem occurred on Monday... As soon as one particular user started to send out a packet of info to legit external recipients... BAM... Internet dies & mail queue is choking trying to send all the mail that it is processing. Hmm.. Not too sure if it is an SMTP thing or a strange issue with the DSL line. Please look at my other question & help if you could.