SBS03 Exchange SMTP Queue continues to fill with spam

Hi, I've followed MS's instructions to prevent Exchange relaying email and have confirmed that the domain isn't acting as an open relay, but the SMTP connector queue (which is now pointing at 99.99.99.99) is still increasing in size although I made the changes over 5 hours ago. In my experience with Exchange acting as a mail relay it should have levelled off at this point. Any suggestions as to what else I should look at, please? Is it possible that there's that much spam still processing even after 5 hours?
tokee asked:

dmessman commented:
Are you saying that you were an open relay and no longer are? And these are outbound messages? Or are these spam messages sent to your users with illegitimate senders, which are in a state of retry trying to deliver a delivery failure?
0
Alan Hardisty (Co-Owner) commented:
Please have a read of my article which should help you out (unless you have already discovered it!):
http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
Make sure you don't have 127.0.0.1 as an allowed relay in your SMTP Virtual Server Relay settings.
You also might want to consider installing a trial of Vamsoft ORF so that you can see what is coming in more clearly, what time the spam is arriving and from this info, you can look at your Security logs and find the account that is being abused, which I am sure is the problem you are facing.  (www.vamsoft.com).
0

tokee (Author) commented:
Thanks for your prompt responses. Alan, I'll check the link and will come back; 127.0.0.1 was an entry, but I removed it whilst I was locking down the server...

dmessman- they're outgoing spam messages and don't appear to be delivery failures.
0

Alan Hardisty (Co-Owner) commented:
Have you got connections in your SMTP Current Connections under your default SMTP Virtual Server that are sticking around for a long time?
Are the IP Addresses of those connections coming from blacklisted IP Addresses?  www.mxtoolbox.com/blacklists.aspx
0
Nenad Rajsic commented:
Relaying might not be your problem. If you have a machine on your network that successfully authenticates but is infected, you might also be under an "internal" spam attack.

Stop all outbound messages: if most of your messages show the same sender's address (example user123@123.com), then use AQADMCLI to remove all the messages from your queue:
Download AQADMCLI from here: ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/

if you type delmsg flags=SENDER,sender=user123@123.com, all messages sent by user123@123.com will be flagged for deletion.

Great tool and it will save you a lot of time

also disable pop3 for users that don't need it.
When you sort out your queues enable smtp again and monitor it closely - I would enable full exchange logging for a few days.

The danger is that your IP will be blacklisted everywhere if you were spamming for too long without noticing
0
tokee (Author) commented:
OK, the spam is originating from unknown names (not using internal authenticated email addresses). The senders' email addresses are 30fjn3rjn@81.21.31.40 (the IP address being our static public IP address...) and I'm seeing a number of connections from external IP addresses in current connections. I've double-checked that we're not an open relay.
Trying vukovarcan's suggestion at present...
0
Alan Hardisty (Co-Owner) commented:
You may not be an open relay, but you are more likely to be an authenticated relay, especially as the messages are not coming from internal users or postmaster.
How many users do you have on your server - if you only have a few - it would be prudent to change ALL your passwords, otherwise, turn up the logging as per my article and monitor the event logs to see which user account is being abused and then change the password to that account.
Once you have changed ALL passwords, or just the one password, restart the Simple Mail Transfer Protocol (SMTP) Service.
0
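The two pieces of advice above (Nenad's: find the dominant sender in the queue and purge it with AQADMCLI; Alan's: turn up logging and find which external client is authenticating) both come down to reading the SMTP virtual server's W3C log. The following script is an added example, not from the thread or from Alan's article, that triages such a log. The log lines are constructed, the column subset after `#Fields:` is an assumption (a real log has more columns, and the header tells you which), the internal LAN range is assumed, and the only page-specific value is the public IP 81.21.31.40 that the spam is using as its sender domain.

```python
from collections import Counter
import ipaddress
import re

# Constructed sample of an IIS / Exchange 2003 SMTP virtual-server W3C log.
# The field subset is an assumption for this example; real logs carry more
# columns and the #Fields line names them, which the parser honours.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2010-03-01 09:00:01 192.168.16.20 EHLO - 250
2010-03-01 09:00:02 192.168.16.20 MAIL +FROM:<tony@example.local> 250
2010-03-01 09:00:03 192.168.16.20 RCPT +TO:<partner@example.net> 250
2010-03-01 09:00:10 203.0.113.45 EHLO - 250
2010-03-01 09:00:11 203.0.113.45 AUTH LOGIN 235
2010-03-01 09:00:12 203.0.113.45 MAIL +FROM:<30fjn3rjn@81.21.31.40> 250
2010-03-01 09:00:12 203.0.113.45 RCPT +TO:<victim1@example.com> 250
2010-03-01 09:00:13 203.0.113.45 MAIL +FROM:<30fjn3rjn@81.21.31.40> 250
2010-03-01 09:00:13 203.0.113.45 RCPT +TO:<victim2@example.com> 250
2010-03-01 09:00:20 198.51.100.7 AUTH LOGIN 535
2010-03-01 09:00:21 198.51.100.7 MAIL +FROM:<x@evil.example> 550
2010-03-01 09:00:30 203.0.113.45 MAIL +FROM:<30fjn3rjn@81.21.31.40> 250
"""

INTERNAL_NETS = [ipaddress.ip_network("192.168.16.0/24")]  # assumed LAN range
PUBLIC_IP = "81.21.31.40"                                  # from the thread

ADDR_RE = re.compile(r"FROM:<([^>]+)>")


def parse_log(text):
    """Yield one dict per SMTP verb line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, parts))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(text, public_ip=PUBLIC_IP):
    """Return the indicators an admin needs:
    - auth_external: external clients that authenticated successfully (235),
      i.e. the lead for which account is being abused (check the Security log
      around those timestamps and change that password);
    - senders: accepted MAIL FROM addresses by count, whose top entry is the
      candidate for 'delmsg flags=SENDER,sender=...' in AQADMCLI;
    - ip_literal_senders: senders whose 'domain' is the server's own public
      IP, the pattern seen in this thread."""
    auth_external = Counter()
    senders = Counter()
    for ev in parse_log(text):
        ip = ev["c-ip"]
        verb = ev["cs-method"].upper()
        status = ev["sc-status"]
        if verb == "AUTH" and status == "235" and not is_internal(ip):
            auth_external[ip] += 1
        elif verb == "MAIL" and status == "250":
            m = ADDR_RE.search(ev["cs-uri-query"])
            if m:
                senders[m.group(1).lower()] += 1
    ip_literal = sorted(s for s in senders if s.rsplit("@", 1)[-1] == public_ip)
    top = senders.most_common(1)[0][0] if senders else None
    return {
        "auth_external": dict(auth_external),
        "senders": dict(senders),
        "ip_literal_senders": ip_literal,
        "top_sender": top,
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for ip, n in r["auth_external"].items():
        print(f"external client {ip} authenticated {n} time(s); find the account in the Security log")
    if r["top_sender"]:
        print(f"dominant sender {r['top_sender']}: delmsg flags=SENDER,sender={r['top_sender']}")
```

Point it at the real log directory of the SMTP virtual server and, once the abused account is identified and its password changed, restart the SMTP service as Alan describes; the dominant-sender line gives the exact sender value for the AQADMCLI purge Nenad suggested.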
tokee (Author) commented:
Thanks for all your responses. I've resolved the problem by using a combination of your comments, although Alan Hardisty's initial response and article on msexch queues proved the most helpful. I've cleared all queues and have locked the server down via our firewall to only accept incoming data on port 25 from a specific (i.e. our spam filtering server) external IP address. This has resolved the problem and all is now back to normal. Thanks again. Tony
0