SMTP Stops Internet from working

Posted on 2009-04-25
Last Modified: 2013-12-04
Windows 2003 R2 Server, Exchange 2003 Server, DSL connection, all nestled nice & securely behind a SonicWall Pro2040 (or so I thought). Things were running fine for quite some time, then, over the past few days, the Internet started to slow down, & yesterday it quit working altogether: no replies back when a ping was done to an outside name server. I have narrowed the problem down to the SMTP service. If I disable that in Exchange, the Internet comes back up & seems to be working fine. Response times are a consistent 23, 58, 79, 23ms, as they should be. As soon as I enable the SMTP service my pings almost instantly show signs of a problem, with response times as follows: 384ms, 2800ms, 3900ms, time out, time out, time out... and all bandwidth seems to be consumed by the SMTP service & poof, no more Internet for any of my internal clients.

A few more details to help in determining the problem: Both Server & Exchange are completely up-to-date with MS updates. We are running Symantec Enterprise Ed. v.10.1 & it is up-to-date & functioning fine. This is not an open relay, but we do have POP3 running as we need to serve some remote people. The SonicWall firewall seems to be as secure as it can be, & I actually have all incoming SMTP traffic tightened down to only let this type of traffic take place on a certain set of subnets. The reason for that is we use a third party anti-spam/AV filtering service called MXLogic. All MX records point to MXLogic & they get hit with all the crap mail & then the good filtered mail gets sent along its way to our public IP from MXLogic.

It almost seems as though I am getting hit by someone inside the network... Or could there be a bunk email stuck in a queue somewhere? Any thoughts or suggestions would be greatly appreciated. Thanks.
Question by:ZappaMang

    Assisted Solution

    I am not an email expert, however, if I were tasked with this problem, this is what I would start with.
    1. Enable the SMTP, but block your external Spam company. Does the problem persist?
    Do you have a NetFlow or sFlow enabled device that connects your mail server, internet and clients? If so, I would download the free version of Scrutinizer:
    This program lets you see traffic consumption, src and dst on any of 5 interfaces(free version).

    Assisted Solution

    If your internet dies when SMTP is started, then you should check your queues to see what is waiting for outbound. You could have a virus-infected workstation or someone getting into your server. Try disabling outbound email, then starting SMTP. DSL is not as fat a pipe, so you would notice it more than on cable. You should also check the logs and post any warnings or errors you find.

    Assisted Solution

    I agree with tntmax, probably an infected PC filling your outbound queues with spam.

    How to Delete Messages from Queues in Exchange Server 2003

    I'm sure you have some jammed-up legitimate mail also waiting in the queues, so be careful what you delete.

    Accepted Solution


    The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

    1) Authorized servers only: Allow only your authorized mail server or anti-spam solution (ex. IronMail/IronPort/Barracuda, etc.) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it would take a while to clear your IP.

    2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wifi LAN and allowed Any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (ex. SurfControl).

    3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of generated traffic on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:

    4) MX reputation monitoring: This is a very nice way for early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance,

    5) Antivirus & HIPS: I don't need to discuss too much about this point. Many MX blacklisting incidents happened due to a computer left without an antivirus scanner installed. So, always scan your network and push the AV client. Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

    6) FW/Router Logs: You need to enable logging of any rule that allows outbound SMTP traffic, so you can later check the source of any suspicious spam traffic from inside-to-outside.

    You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

    1) Wireshark, download it from (

    You need to connect it to a managed switch that supports a monitoring port (Cisco calls it SPAN). Or use a hub. The last option is to use a network TAP from some vendor like NetOptics (

    2) Another sniffing tool is Tcpick (linux based), download it from (

    Here is how to sniff port 25:

    #tcpick -i eth0 -C -bCU -T1 "port 25"

    3) Nmap is the best port scanning tool, download it from (

    Here is how to scan for port 25 (replace with your network range):

    #nmap -sS -p 25

    4) TCPDump is another good sniffer, download it from (

    Here is how to sniff port 25:

    #tcpdump -i eth0 port 25

    A Symantec Certified Specialist @ your service
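Points 1 and 6 of the checklist above (only the authorized MTA may open tcp/25 outbound; log everything else) can be turned into a quick check over the sniffer output the answer recommends. The script below is an added example, not code from the original thread or from any of the vendors named in it. It parses the text that `tcpdump -n -i eth0 'tcp port 25'` prints from a SPAN port or tap (the `-n` is assumed so that addresses stay numeric), keeps only bare SYNs that leave the internal LAN for port 25, and reports every internal source other than the authorized mail server together with the distinct external hosts it tried to reach. The LAN range 192.168.1.0/24, the mail server address 192.168.1.5 and the capture lines themselves are constructed for this example; in the sample, 192.168.1.77 fans SYNs out to four external MXs, which is the pattern a spam bot leaves, while client submission to the local server and the server's own outbound traffic are not flagged.

```python
"""Flag internal hosts that open outbound SMTP (tcp/25) connections directly.

Parses the text output of `tcpdump -n -i eth0 'tcp port 25'` (the -n keeps
addresses numeric) captured on a SPAN port, hub or tap.  Only the authorized
mail server should be sending SYNs to port 25 on external hosts; any other
internal source is a candidate spam bot or mis-configured client.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# tcpdump's default one-line TCP format with -n, e.g.
# 10:00:01.000001 IP 192.168.1.5.51000 > 203.0.113.10.25: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Yield (src, sport, dst, dport, flags) for every parseable tcpdump line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def find_unauthorized_senders(text, internal_nets, authorized_hosts, smtp_port=25):
    """Return {internal_src: [distinct external dst, ...]} for internal hosts,
    other than the authorized mail servers, that send a bare SYN to smtp_port
    on an address outside the internal networks.

    Internal-to-internal SYNs (clients submitting to the local Exchange server)
    are ignored, and inbound replies (SYN-ACK from outside) never match because
    their source is not internal.
    """
    nets = [ip_network(n) for n in internal_nets]
    authorized = {ip_address(h) for h in authorized_hosts}
    hits = defaultdict(set)
    for src, _sport, dst, dport, flags in parse_tcpdump(text):
        if dport != smtp_port or flags != "S":   # outbound connection attempts only
            continue
        s, d = ip_address(src), ip_address(dst)
        if not any(s in n for n in nets):        # did not originate inside our LAN
            continue
        if any(d in n for n in nets):            # client -> local mail server is fine
            continue
        if s in authorized:                      # the real MTA is allowed out
            continue
        hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed sample capture (not real traffic); addresses are RFC 1918 and
# documentation ranges chosen for this example only.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 192.168.1.5.51000 > 203.0.113.10.25: Flags [S], seq 1, win 64240, length 0
10:00:01.000200 IP 203.0.113.10.25 > 192.168.1.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:02.000001 IP 192.168.1.77.1025 > 198.51.100.1.25: Flags [S], seq 1, win 8192, length 0
10:00:02.000100 IP 192.168.1.77.1026 > 198.51.100.2.25: Flags [S], seq 1, win 8192, length 0
10:00:02.000200 IP 192.168.1.77.1027 > 198.51.100.3.25: Flags [S], seq 1, win 8192, length 0
10:00:02.000300 IP 192.168.1.77.1028 > 198.51.100.4.25: Flags [S], seq 1, win 8192, length 0
10:00:03.000001 IP 192.168.1.20.3301 > 192.168.1.5.25: Flags [S], seq 1, win 64240, length 0
10:00:04.000001 IP 192.168.1.5.51001 > 203.0.113.10.25: Flags [S], seq 1, win 64240, length 0
"""

# Assumed network layout for the example: one LAN and one authorized Exchange server.
INTERNAL_NETS = ["192.168.1.0/24"]
AUTHORIZED_MTAS = ["192.168.1.5"]

if __name__ == "__main__":
    report = find_unauthorized_senders(SAMPLE_CAPTURE, INTERNAL_NETS, AUTHORIZED_MTAS)
    for src, dsts in sorted(report.items()):
        print(f"{src} opened SMTP to {len(dsts)} external host(s): {', '.join(dsts)}")
```

Run it against a live capture with `sudo tcpdump -n -l -i eth0 'tcp port 25' | python3 smtp_check.py` after changing the `__main__` block to read `sys.stdin`, or save a capture first and feed the file. The same allow-list belongs on the firewall: a LAN-to-WAN tcp/25 rule permitting only the mail server's address, with logging enabled on the deny rule that follows it, gives you the list of offending hosts without having to sniff at all.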

    Author Closing Comment

    Thanks for the responses everyone. I got things kind of straightened out. I think the main problem was a user had flooded the mail queue with legit emails. There were just 20 or so emails that were about 8 MB each. I thought it was kind of strange how the Internet pipe was being completely consumed like that though.

    Author Comment

    I re-opened this question in a new post. The same problem occurred on Monday... As soon as one particular user started to send out a packet of info to legit external recipients... BAM... Internet dies & mail queue is choking trying to send all the mail that it is processing. Hmm.. Not too sure if it is an SMTP thing or a strange issue with the DSL line. Please look at my other question & help if you could.
