Member_2_3551497

SBS 2008 sending excessive internet traffic

I have a newly installed SBS 2008 Standard server on a Dell PowerEdge Quad Core Server, 2 x 640Gb SAS in RAID 1 with 8Gb RAM. The server has been running fine for a week, but in the last two days it has been sending excessive internet traffic to the point where the internet is unusable. When I disconnect the server from the network I get fast 7Mb d/s and 512Kb u/s ADSL, but with the server plugged in I get very slow, if any, internet on the server and all 10 clients. I have checked DNS etc. and I can ping URLs no problem. When I try to RDP to the server externally it shows me the desktop then disconnects. I have also run the SBS 2008 Best Practice Advisor and corrected the few advisory items it found. I also made sure it has the latest Dell drivers and have tried removing the AV to see if it had any effect, which it did not.

Any ideas appreciated before I have to fresh install and restore from backup. Unfortunately I am time pushed (as always) on this one!

philetaylor

Firstly on the server I would check what process is causing the connections.
If you run the command "netstat -bo" this will show you all connections together with the process that owns each one. You may find that you have a virus/spyware or that your Exchange SMTP server is an open relay and being "hijacked" by nefarious people...

You may want to pipe the output to a file "netstat -bo > output.txt" then look at the file in notepad as there will likely be lots of entries.

You can always post the output if you need some help reading it.

first check what traffic the server sends and receives.

try to take a packetdump with wireshark or something.

maybe the wsus is getting all its updates, since you just installed it.

just to get to know:
when you plug out the server, do you reconfigure DNS on the clients?
don't you use SBS as DHCP/DNS-Server?
ok phil, you have been faster :-)

netstat is a good idea. see also ftp connections.
maybe someone is borrowing some storage from you.

what ports do you forward to the sbs from your firewall?

Member_2_3551497

ASKER

OK I am onsite now. Used Wireshark and saw it was mostly SMTP traffic. When I stop the Microsoft Exchange Transport service I get normal internet service and everything works. So does this suggest we are being used as a relay?
I have ports 443, 1723 and 25 open on the firewall forwarding to the SBS server.  Any ideas?
ok, that might be so.

see the message-tracking to check what messages have been sent.
maybe you are used as open relay, maybe one of your clients is sending the messages to your exchange....

http://www.msexchange.org/tutorials/Exchange-2007-Message-Tracking-Part1.html
http://www.msexchange.org/tutorials/Exchange-2007-Message-Tracking-Part2.html
ASKER CERTIFIED SOLUTION
philetaylor

Thank you. It was a user sending out 1000's of mailshot emails each of 6Mb. I have deleted them from the queue and hey presto all is back. Problem solved.
Managing computer systems would be so much easier if it wasn't for users wouldn't it?
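
The message-tracking check suggested above, as an added example that is not part of the original thread: a Python sketch that ranks senders by bytes accepted in RECEIVE events of an Exchange message tracking log and labels each submitting IP as internal or external. The sample log lines, the addresses and the `192.168.16.0/24` LAN range are constructed assumptions, and `top_senders` is a hypothetical helper name.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample (not real data). Real tracking logs carry more columns;
# the parser reads the column order from the "#Fields:" header line.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,source,event-id,recipient-address,total-bytes,recipient-count,message-subject,sender-address
2009-03-02T09:00:01.000Z,192.168.16.21,SMTP,RECEIVE,a@example.net;b@example.org,6291456,2,"Spring offer, 2009",user1@example.com
2009-03-02T09:00:05.000Z,192.168.16.21,SMTP,RECEIVE,c@example.net,6291456,1,"Spring offer, 2009",user1@example.com
2009-03-02T09:00:09.000Z,203.0.113.9,SMTP,RECEIVE,user2@example.com,2048,1,Hello,someone@example.org
2009-03-02T09:00:10.000Z,,STOREDRIVER,DELIVER,user2@example.com,2048,1,Hello,someone@example.org
"""

def top_senders(log_text, internal_nets=("192.168.16.0/24",), top=5):
    """Rank (sender, client IP, origin) by bytes accepted in RECEIVE events."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]  # assumed LAN range
    fields = None
    totals = defaultdict(lambda: [0, 0, 0])  # messages, recipients, bytes
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        # csv.reader handles quoted subjects that contain commas
        row = dict(zip(fields, next(csv.reader([line]))))
        if row.get("event-id") != "RECEIVE":
            continue  # count each message once, when the server accepts it
        client_ip = row.get("client-ip", "")
        try:
            addr = ipaddress.ip_address(client_ip)
            origin = "internal" if any(addr in n for n in nets) else "external"
        except ValueError:
            origin = "unknown"  # empty or malformed client-ip
        entry = totals[(row.get("sender-address", "").lower(), client_ip, origin)]
        entry[0] += 1
        entry[1] += int(row.get("recipient-count") or 0)
        entry[2] += int(row.get("total-bytes") or 0)
    ranked = sorted(totals.items(), key=lambda kv: kv[1][2], reverse=True)
    return [(key, tuple(val)) for key, val in ranked[:top]]

if __name__ == "__main__":
    for (sender, ip, origin), (msgs, rcpts, size) in top_senders(SAMPLE_LOG):
        print(f"{sender:25} {ip:15} {origin:9} msgs={msgs} rcpts={rcpts} bytes={size}")
```

As a rough heuristic, one internal IP dominating the list points to a user or an infected client, while large volumes from external IPs point to the relay question raised earlier in the thread.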