GreenmanITSupport
mail.que file goes from 0 to 4.9gig in about 40 minutes
This is quite baffling; it started yesterday, but the mail.que file fills up to 4.9gig then crashes the MSExchangeTransport service. This is a very small organization, maybe 40 mailboxes all together. The queue viewer is empty most of the time during this 40 minutes; there are a few messages going in and out, but nothing major.
This is the process I follow to bring the Transport service back online:
http://technet.microsoft.com/en-us/library/bb124343.aspx
I was curious, so I pulled the internet connection for about 5 minutes, and during that time the mail.que file was still constantly increasing.
Also, the edgetransport service is going crazy as well. (see screen captures 3 minutes apart)
Attached is my edgetransport.exe.config
Aside from spending the long weekend rebuilding the queue file every 40 minutes, what can I do?
<configuration>
<runtime>
<gcServer enabled="true" />
<generatePublisherEvidence enabled="false" />
</runtime>
<appSettings>
<add key="AgentLogEnabled" value="true" />
<add key="ResolverRetryInterval" value="30" />
<add key="DeliverMoveMailboxRetryInterval" value="30" />
<add key="ResolverLogLevel" value="Disabled" />
<add key="ExpansionSizeLimit" value="1000" />
<add key="MaxIdleTimeBeforeResubmit" value="12:00:00" />
<add key="MailboxDeliveryQueueRetryInterval" value="00:05:00" />
<add key="QueueGlitchRetryInterval" value="00:01:00" />
<add key="QueueGlitchRetryCount" value="4" />
<add key="PFReplicaAgeThresholdHours" value="48" />
<add key="DeferredReloadTimeoutSeconds" value="5" />
<add key="MaxDeferredNotifications" value="20" />
<add key="MaxQueueViewerQueryResultCount" value="250000" />
<add key="RoutingConfigReloadInterval" value="12:00:00" />
<add key="DumpsterAllMail" value="false" />
<add key="DumpsterAllowDuplicateDelivery" value="false" />
<add key="DumpsterDeletionDelayAfterStartup" value="00:02:00" />
<add key="DatabaseCheckPointDepthMax" value="20971520" />
<add key="DatabaseMaxCacheSize" value="134217728" />
<add key="DatabaseCacheFlushStart" value="3" />
<add key="DatabaseCacheFlushStop" value="5" />
<add key="QueueDatabaseBatchSize" value="40" />
<add key="QueueDatabaseBatchTimeout" value="100" />
<add key="QueueDatabaseMaxConnections" value="4" />
<add key="QueueDatabaseLoggingFileSize" value="5242880" />
<add key="QueueDatabaseLoggingBufferSize" value="524288" />
<add key="QueueDatabaseMaxBackgroundCleanupTasks" value="32" />
<add key="QueueDatabaseOnlineDefragEnabled" value="true" />
<add key="QueueDatabaseOnlineDefragSchedule" value="1:00:00" />
<add key="QueueDatabaseOnlineDefragTimeToRun" value="3:00:00" />
<add key="QueueDatabasePath" value="d:\queue" />
<add key="QueueDatabaseLoggingPath" value="d:\queue" />
<add key="IPFilterDatabasePath" value="C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\IpFilter" />
<add key="IPFilterDatabaseLoggingPath" value="C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\IpFilter" />
<add key="TemporaryStoragePath" value="C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Temp" />
<add key="EnableResourceMonitoring" value="false" />
<add key="ResourceMonitoringInterval" value="00:00:02" />
<add key="PercentageDatabaseDiskSpaceUsedHighThreshold" value="0" />
<add key="PercentageDatabaseDiskSpaceUsedMediumThreshold" value="0" />
<add key="PercentageDatabaseDiskSpaceUsedNormalThreshold" value="0" />
<add key="PercentageDatabaseLoggingDiskSpaceUsedHighThreshold"
value="0" />
<add key="PercentageDatabaseLoggingDiskSpaceUsedMediumThreshold"
value="0" />
<add key="PercentageDatabaseLoggingDiskSpaceUsedNormalThreshold"
value="0" />
<add key="PercentagePrivateBytesUsedHighThreshold" value="0" />
<add key="PercentagePrivateBytesUsedMediumThreshold" value="0" />
<add key="PercentagePrivateBytesUsedNormalThreshold" value="0" />
<add key="VersionBucketsHighThreshold" value="200" />
<add key="VersionBucketsMediumThreshold" value="120" />
<add key="VersionBucketsNormalThreshold" value="80" />
<add key="PercentagePhysicalMemoryUsedLimit" value="94" />
<add key="DehydrateMessagesUnderMemoryPressure" value="true" />
<add key="VersionBucketsHistoryDepth" value="3" />
<add key="PrivateBytesHistoryDepth" value="30" />
<add key="CrashOnStopTimeout" value="false" />
<add key="DnsFaultTolerance" value="Lenient" />
<add key="PriorityQueuingEnabled" value="false" />
<add key="MaxPerDomainHighPriorityConnections" value="3" />
<add key="MaxPerDomainNormalPriorityConnections" value="15" />
<add key="MaxPerDomainLowPriorityConnections" value="2" />
<add key="HighPriorityMessageExpirationTimeout" value="8:00:00" />
<add key="NormalPriorityMessageExpirationTimeout" value="2.00:00:00" />
<add key="LowPriorityMessageExpirationTimeout" value="2.00:00:00" />
<add key="HighPriorityDelayNotificationTimeout" value="00:30:00" />
<add key="NormalPriorityDelayNotificationTimeout" value="4:00:00" />
<add key="LowPriorityDelayNotificationTimeout" value="8:00:00" />
<add key="MaxHighPriorityMessageSize" value="250KB" />
<add key="ByteEncoderTypeFor7BitCharsets" value="1" />
</appSettings>
<system.net>
<connectionManagement>
<add address="*" maxconnection="10" />
</connectionManagement>
<defaultProxy>
<proxy usesystemdefault="false" autoDetect="true" />
</defaultProxy>
</system.net>
</configuration>
Take the server off the network and see if it still fills.
ASKER
I'll see if someone can let me back in; they all left for the long weekend now. I did run netstat on all of the computers that are onsite; there weren't any odd connections, though the netstat on the Server 2008 box with Exchange on it had maybe 30 or 40 open TCP connections. All of the clients are using RPC over HTTP; half of them are iPhones.
ASKER
Still happening, isolated the exchange server and the DC, the mail.que file is still climbing at a crazy rate... what now?
http://forums.msexchange.org/m_1800502066/mpage_1/key_/tm.htm#1800502066
Post #7 says this is a circular logging enabled Exchange database.
It is very interesting that Queue Viewer is empty.. I actually just checked my Exchange 2007 server, and the mail.que file is only 82mb
This is very interesting... Is the server on the latest SP?
This is what my queue folder looks like.. very different from yours.
ASKER
So, this looks like some sort of virus or spambot type action. Attached is a CSV file for 11 minutes from the EXMon utility; halfway through, the mail.que file started to increase along with the page/file in the Exchange performance monitor. The ? user is taking up so much, and ? is what the EXMon util puts in the report. The 10.1.1.4 address is one of the two adapter addresses for the Exchange box (where the ? user is connecting from), but it looks like everyone is connecting through the Exchange box, as everyone is using RPC over HTTP via either Outlook 07 or an iPhone.
I did install AVG SBS edition and scanned the exchange box, it found nothing (though it broke the transport service) so it has been removed since.
Any ideas on how to track this one down would be really helpful.
Could it possibly be related to the server generating NDR reports?
The "Bytes Out" part on the ? User is questionable.. Does it actually say '?' as the user?
Since we've isolated the server off the internet, and off the internal network, it definitely is the server generating this.
Are there any odd processes running on the box?
ASKER
? is what the exmon program says...
I'll try turning off NDR's
For Exchange to work it needs to contact the AD server as well, so it could be either server?
ASKER
So, disabling NDRs didn't do it (unless I missed something). I removed the check box under the properties of the default remote domains that says "Allow Non Delivery Reports".
Is there any way to see what's in the mail.que file that's filling it up?
Hopefully one of these can shed some light on this for you:
http://technet.microsoft.com/en-us/library/bb123647%28EXCHG.65%29.aspx
http://social.technet.microsoft.com/Forums/en-US/exchangesvrtransport/thread/ab0622ff-a5d6-4c5d-8654-623b6a164314
http://technet.microsoft.com/en-us/library/bb125022.aspx
Step by Step Info on Queue Viewer:
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-message-queues.html
ASKER CERTIFIED SOLUTION
This solution is only available to members.
What tool did they use to find this huge email?
I'm having the same exact problem. Can you please explain what MS did to remove the large email from the store?