SBS 2008 sending excessive internet traffic

I have a newly installed SBS 2008 Standard server on a Dell PowerEdge Quad Core Server, 2 x 640Gb SAS in Raid1 with 8Gb Ram.  The server has been running fine for a week but in the last two days it is sending excessive internet traffic to the point where the internet is unusable.  When I disconnect the server from the network I get fast 7Mb d/s and 512Kb u/s ADSL but with the server plugged in I get very slow if any internet on the server and all 10 clients.  I have checked DNS etc. and I can ping URLs no problem.  When I try to RDP to the server externally it shows me the desktop then disconnects.  I have also run the SBS 2008 Best Practice Advisor and corrected the few advisory items it found.  I also made sure it has the latest Dell drivers and have tried removing the AV to see if it had any effect, which it did not.

Any ideas appreciated before I have to fresh install and restore from backup.  Unfortunately I am time pushed (as always) on this one!

betoni asked:

philetaylor commented:
Firstly on the server I would check what process is causing the connections.
If you run the command "netstat -bo" this will show you all connections together with the process that owns it. You may find that you have a virus/spyware or that your exchange smtp server is an open relay and being "hijacked" by nefarious people...

You may want to pipe the output to a file "netstat -bo > output.txt" then look at the file in notepad as there will likely be lots of entries.

You can always post the output if you need some help reading it.
0
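An added example (not from the thread) that does the same triage as the suggested `netstat -bo`, but summarised per owning process and remote port so a flood of outbound SMTP (port 25) connections stands out; it uses `netstat -ano` because its one-line-per-connection layout is simpler to parse, and resolves the process name from the PID with Get-Process. The function name and the -MinCount threshold are assumptions.

```powershell
# Added example, not part of the original thread.
# Summarise netstat output by owning process and remote port.
function Get-ConnectionSummary {
    param(
        [int]$MinCount = 20,                     # report process/port pairs at or above this count
        [string[]]$NetstatLines = (netstat -ano) # run from an elevated prompt to see all PIDs
    )
    $rows = foreach ($line in $NetstatLines) {
        # Example line:  TCP    192.168.1.2:49152   203.0.113.10:25   ESTABLISHED   1234
        $parts = $line.Trim() -split '\s+'
        if ($parts[0] -ne 'TCP' -or $parts.Count -lt 5) { continue }   # skip headers and UDP
        $remotePort = ($parts[2] -split ':')[-1]   # last field works for IPv4 and [IPv6]:port
        $ownerPid   = [int]$parts[4]
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process    = if ($proc) { $proc.ProcessName } else { "pid $ownerPid" }
            PID        = $ownerPid
            RemotePort = $remotePort
            State      = $parts[3]
        }
    }
    $rows | Group-Object Process, RemotePort |
        Where-Object { $_.Count -ge $MinCount } |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{n = 'Process';    e = { $_.Group[0].Process } },
            @{n = 'PID';        e = { $_.Group[0].PID } },
            @{n = 'RemotePort'; e = { $_.Group[0].RemotePort } }
}

# Hundreds of connections to remote port 25 owned by EdgeTransport.exe point at the
# Exchange transport service (as in this thread); the same pattern under an
# unexpected process name points at malware or spyware instead.
Get-ConnectionSummary -MinCount 20 | Format-Table -AutoSize
```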
deibel commented:
first check what traffic the server sends and receives.

try to take a packet dump with wireshark or something.

maybe the wsus is getting all its updates, since you just installed it.

just to get to know:
when you plug out the server, do you reconfigure DNS on the clients?
don't you use SBS as DHCP/DNS-Server?
0
deibel commented:
ok phil, you have been faster :-)

netstat is a good idea. see also ftp connections.
maybe someone is borrowing some storage from you.

what ports do you forward to the sbs from your firewall?
0

betoni (author) commented:
OK I am onsite now.  Used wireshark and saw it was mostly SMTP traffic.  When I stop the Microsoft Exchange Transport service I get normal internet service and everything works.  So does this suggest we are being used as a relay?
I have ports 443, 1723 and 25 open on the firewall forwarding to the SBS server.  Any ideas?
0
deibel commented:
ok, that might be so.

see the message-tracking to check what messages have been sent.
maybe you are used as open relay, maybe one of your clients is sending the messages to your exchange....

http://www.msexchange.org/tutorials/Exchange-2007-Message-Tracking-Part1.html
http://www.msexchange.org/tutorials/Exchange-2007-Message-Tracking-Part2.html
0
philetaylor commented:
Yes that does suggest you are an open relay.

Have you changed any of the SMTP settings in Exchange? The default is actually pretty secure.

I would check the Exchange queues (Exchange Management Console/Toolbox/Queue Viewer) to make sure that it is spam (and not an employee sending a 10MB mailshot to 50000 people as I once had)
I would also check whether you are actually an open relay with http://www.abuse.net/relay.html (you must have smtp enabled for this though!)
0
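The checks suggested in the last two replies (message tracking, the transport queues, and whether anonymous relay is really granted) as an added Exchange 2007 Management Shell example for SBS 2008, not code from the thread; the address in $runaway is a placeholder.

```powershell
# Added example, not part of the original thread. Run in the Exchange Management Shell.

# 1. Who sent the most in the last 24 hours? Same data the Toolbox Message Tracking tool reads.
Get-MessageTrackingLog -EventId SEND -Start (Get-Date).AddHours(-24) -ResultSize Unlimited |
    Group-Object Sender | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 2. What is queued right now? Many DnsConnectorDelivery queues with a large
#    MessageCount are the outbound flood the asker saw in Wireshark.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Sort-Object MessageCount -Descending |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain -AutoSize

# 3. Queued mail by sender and total size: one internal address with thousands of
#    multi-MB messages is a mailshot; many unfamiliar external senders means the
#    server is relaying for someone else.
Get-Message -ResultSize Unlimited |
    Group-Object FromAddress |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name,
        @{n = 'TotalMB'; e = {
            [math]::Round((($_.Group | ForEach-Object { $_.Size.ToBytes() } |
                Measure-Object -Sum).Sum) / 1MB, 1) } }

# 4. Is anonymous relay granted? Relay is the ms-Exch-SMTP-Accept-Any-Recipient
#    extended right on a Receive connector; the default connectors do not give it
#    to Anonymous, so any row here is a deliberate or accidental change.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*' -and
                   $_.User -like '*Anonymous*' } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# 5. Once a runaway sender is confirmed: pause outbound delivery, then drop that
#    sender's queued messages without generating thousands of NDRs.
#    Remove -WhatIf after reviewing the list it prints.
$runaway = 'user@example.com'   # placeholder: the address found in step 3
Get-Queue | Where-Object { $_.DeliveryType -eq 'DnsConnectorDelivery' } |
    Suspend-Queue -Confirm:$false
Get-Message -Filter "FromAddress -eq '$runaway'" -ResultSize Unlimited |
    Remove-Message -WithNDR $false -WhatIf
```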
betoni (author) commented:
Thank you.  It was a user sending out 1000s of mailshot emails each of 6Mb.  I have deleted them from the queue and hey presto all is back.  Problem solved.
0
philetaylor commented:
Managing computer systems would be so much easier if it wasn't for users wouldn't it?
0