Solved

Mail queue filling up on Windows SBS 2003 server

Posted on 2010-08-18
702 Views
Last Modified: 2012-05-10
I have a Windows Small Business Server 2003 server with the mail queue filling up and depleting hard disk space on the server.  The exchange server logs grow to more than 1GB.  I have verified that the server is not an SMTP relay.  One thing I noticed is that in the ESM Queues, every Queue shows the sender as "Standardbank.co.za" <ibsupport@standardban.co.za>.  How do I prevent this constant mass emailing? I have checked each PC and server on the network for viruses/spyware and confirmed that we are clean.  Does this sound like it is malware related?

Thanks,
Rick Ferreira
Question by:RickFerr
10 Comments
 
LVL 1

Expert Comment

by:schlueter
ID: 33463908
I think there will be some malware on your clients, because it's easy to find out if you have an open relay. If you want, just give me your IP and I'll check.
I'd suggest finding out which computer opens SMTP connections to your server (http://support.microsoft.com/kb/282497).

If you've not enabled anonymous mailing, you should be able to find out who sends out your mass mails (normally, a SBS sends statistics each day/week).
 
LVL 10

Expert Comment

by:dhruvarajp
ID: 33463949
here is what you might want to do:
http://support.microsoft.com/kb/886208
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33464079
What anti-spam software are you using?

This is definitely spam attack

Go to www.mxtoolbox.com and test if you are open relay

Thanks
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 33464123
If the sender is a 3rd party on your server then you are an Authenticated Relay.
Please have a read of my article for what to do and how to identify the user / password that has been compromised, change the password, restart the SMTP service and then empty your queues.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html 
You will also need to get yourself off the Blacklists after you have solved the problem.
www.mxtoolbox.com/blacklists.aspx
You should then instigate Account Lockouts on your server to prevent accounts from being brute forced and then force regular password changes to stop this sort of attack from happening again.
 
LVL 9

Expert Comment

by:Barry Gill
ID: 33464520
this is part of a phishing attack.
Phishers usually use botnets to deliver because the banks (like Standard Bank) pay investigators to track them down (I would send a mail to secure@standardbank.co.za and ask them what variants you should be looking for - not guaranteed response) - so you need to be looking for trojans/infections, not open relays.

standardban.co.za belongs to Standard Bank (checked it on the ZA registrar, http://co.za/cgi-bin/whois.sh?Domain=standardban&Enter=Enter) and they usually have SPF in place
(Received-SPF:       fail (google.com: domain of ibsupport@standardbank.co.za does not designate 194.201.253.112 as permitted sender) client-ip=194.201.253.112;

Authentication-Results:       mx.google.com; spf=hardfail (google.com: domain of ibsupport@standardbank.co.za does not designate 194.201.253.112 as permitted sender) smtp.mail=ibsupport@standardbank.co.za)

So there is NO WAY they would have any application that would be trying to send this out.

Definitely an infection.
 
LVL 9

Expert Comment

by:Barry Gill
ID: 33464547
lol, just checked the SPF on standardban.co.za and they have not set it... but their messages come from standardbanK.co.za usually - they must have purchased the domain to prevent phishers from using it... I have sent them a mail to rectify.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33464913
You won't be an open relay - but you will be an authenticated relay.
I have seen this time and time again recently.  Probably about 30 servers compromised in this way, including two clients and my own Exchange 2010 server!
My article will assist you in resolving the problem.
 

Author Comment

by:RickFerr
ID: 33503820
I have enabled Sender Filtering in ESM and added the sender's email address (ibsupport@standardbank.co.za) to the list of senders to block.  This seemed to resolve the problem for about a day and a half.  The problem of the mail queue started up again.  But now when I look at the sender's email address in the message stuck in the mail queue they are "nlpostcode4@hotmail.com" and "info@ls.org".    I am getting a bunch of 7004 and 3015 events in the app log.  Here are two samples:

7004
This is an SMTP protocol error log for virtual server ID 1, connection #16. The remote host "207.115.20.23", responded to the SMTP command "mail" with "553 5.3.0 flpd121 DNSBL:ATTRBL 521< 69.68.136.156 >_is_blocked.__For_information_see_http://att.net/blocks  ". The full command sent was "MAIL FROM:<nlpostcode4@hotmail.com>  ".  This will probably cause the connection to fail.

3015
A non-delivery report with a status code of 5.3.0 was generated for recipient rfc822;shurefyre@prodigy.net (Message-ID <34745SERVER013FB1Fx0000106e@ocfta.com>).  
Causes: Exchange mistakenly attempted mail delivery to an incorrect MTA route.  

I feel like if I add the two new email addresses to the sender filter list that I am just applying a temporary fix.  How do I get to the root of where the spam is starting?  Should I look at the PCs on the network again?  I have already gone through and cleaned any spyware/viruses detected.
Thanks
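The 7004 entries quoted in the comment above can be triaged mechanically rather than read one at a time. The following is an added example, not code from the thread or from Exchange: it parses the 7004 text, pulls out the rejecting host, the reply code and DSN, the MAIL FROM the server tried to use, and any IP address the remote side names in its reply (which, as in the sample, is this server's own public IP when a DNS blocklist is the reason). The first sample event is the one posted above; the other two are constructed in the same shape. The DNSBL detection is a keyword heuristic and an assumption, as is treating any address in the reply other than the remote host as the listed IP.

```python
"""Triage Exchange 2003 event 7004 entries (added example, not from the thread)."""
import re
from collections import Counter

SAMPLE_EVENTS = [
    # Event 7004 text exactly as posted in the thread above.
    'This is an SMTP protocol error log for virtual server ID 1, connection #16. '
    'The remote host "207.115.20.23", responded to the SMTP command "mail" with '
    '"553 5.3.0 flpd121 DNSBL:ATTRBL 521< 69.68.136.156 >_is_blocked.__For_information_see_http://att.net/blocks  ". '
    'The full command sent was "MAIL FROM:<nlpostcode4@hotmail.com>  ".  This will probably cause the connection to fail.',
    # Constructed events in the same shape (not from the thread).
    'This is an SMTP protocol error log for virtual server ID 1, connection #17. '
    'The remote host "192.0.2.25", responded to the SMTP command "rcpt" with '
    '"550 5.7.1 Service unavailable; client [69.68.136.156] blocked using zen.spamhaus.org  ". '
    'The full command sent was "RCPT TO:<someone@example.net>  ".  This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #18. '
    'The remote host "198.51.100.20", responded to the SMTP command "mail" with '
    '"451 4.7.1 Greylisted, try again later  ". '
    'The full command sent was "MAIL FROM:<info@ls.org>  ".  This will probably cause the connection to fail.',
]

_EVENT = re.compile(
    r'The remote host "(?P<host>[^"]+)", responded to the SMTP command '
    r'"(?P<cmd>\w+)" with "(?P<reply>[^"]*)"\.\s*'
    r'The full command sent was "(?P<full>[^"]*)"',
    re.DOTALL,
)
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_SENDER = re.compile(r"FROM:<([^>]*)>", re.IGNORECASE)
_DSN = re.compile(r"^(\d{3})(?:\s+(\d\.\d+\.\d+))?")
# Assumption: a 5xx reply mentioning one of these words is a blocklist rejection.
_DNSBL_WORDS = ("DNSBL", "BLOCK", "BLACKLIST", "RBL")


def parse_7004(text):
    """Return a dict describing one 7004 event, or None if the text does not match."""
    m = _EVENT.search(text)
    if not m:
        return None
    reply = m["reply"].strip()
    dsn_match = _DSN.match(reply)
    code, dsn = dsn_match.groups() if dsn_match else (None, None)
    sender = _SENDER.search(m["full"])
    # Any IP the remote side quotes that is not itself is the address it is blocking.
    listed = [ip for ip in _IPV4.findall(reply) if ip != m["host"]]
    upper = reply.upper()
    return {
        "host": m["host"],
        "cmd": m["cmd"].upper(),
        "code": code,
        "dsn": dsn,
        "sender": sender.group(1) if sender else None,
        "listed_ip": listed[0] if listed else None,
        "dnsbl": bool(code and code.startswith("5")
                      and any(w in upper for w in _DNSBL_WORDS)),
    }


def triage(events):
    """Summarise a batch of 7004 events: forged senders, hosts rejecting us, IPs listed."""
    parsed = [p for p in map(parse_7004, events) if p]
    return {
        "senders": Counter(p["sender"] for p in parsed if p["sender"]),
        "rejecting_hosts": Counter(p["host"] for p in parsed if p["dnsbl"]),
        "listed_ips": {p["listed_ip"] for p in parsed if p["dnsbl"] and p["listed_ip"]},
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    print("forged senders:", dict(summary["senders"]))
    print("hosts rejecting us on a blocklist:", dict(summary["rejecting_hosts"]))
    print("our IPs that are listed:", summary["listed_ips"])
```

The `senders` counter gives the addresses to look for in the queue, and `listed_ips` gives the address to check on the blacklist lookup Alan Hardisty points to above once the compromised account is dealt with; delisting before that only gets the server listed again.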
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33503975
Please download and install Vamsoft ORF 30 day trial from www.vamsoft.com and set the software to log mode only.

Then stop the smtp service on your server.

Load up the Vamsoft logs, start the SMTP service and refresh the logs (F5).  Check the logs for the first entry with a sender that is not a sender on your domain and then cross reference the date / time to your security event log and just before the exact time in the Vamsoft logs, you should see a corresponding login event.

Check the username in the login event and then change the password for that account.  Restart the smtp service again and then keep refreshing the Vamsoft logs.

Hopefully the problem will be gone, but if not, repeat until it does stop.
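The cross-referencing step in the comment above (first sender that is not one of your own domains, then the logon event just before it in the security event log) is easy to get wrong by eye when the queue refills every few seconds. The following is an added example, not code from the thread or from any of the tools mentioned in it, that does the same correlation over two constructed logs. It assumes the sender log has already been reduced to "date time client-ip sender" lines (one per MAIL FROM, from whatever protocol logging is in place), that the security log has been exported as "date time event-id outcome account" lines, and that the logon to look for is event 680, the Windows Server 2003 NTLM account-logon audit that SMTP AUTH produces; the five-second window and the domain name are assumptions too. It also covers the case the procedure above relies on being absent: a foreign sender with no logon before it, which would point at anonymous relaying rather than a stolen password.

```python
"""Attribute outbound spam sessions to the account that authenticated them.

Added example, not part of the thread; all log lines below are constructed.
"""
from datetime import datetime, timedelta

LOCAL_DOMAINS = {"example.com"}   # assumption: the SBS server's own mail domain
WINDOW = timedelta(seconds=5)     # assumption: logon precedes MAIL FROM by at most this

# Constructed sender log: "date time client-ip sender", one line per MAIL FROM.
SENDER_LOG = """\
2010-08-18 09:14:03 203.0.113.45 jsmith@example.com
2010-08-18 09:17:41 198.51.100.7 ibsupport@standardban.co.za
2010-08-18 09:17:42 198.51.100.7 ibsupport@standardban.co.za
2010-08-18 09:20:10 198.51.100.7 nlpostcode4@hotmail.com
"""

# Constructed security-log export: "date time event-id outcome account".
# 680 = NTLM account logon on Windows Server 2003; 538 (logoff) is noise to skip.
SECURITY_LOG = """\
2010-08-18 09:14:02 680 Success jsmith
2010-08-18 09:15:30 680 Failure admin
2010-08-18 09:17:39 680 Success admin
2010-08-18 09:18:00 538 Success jsmith
2010-08-18 09:20:09 680 Success admin
"""


def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def foreign_senders(sender_log):
    """Return [(time, client_ip, sender)] for MAIL FROMs outside LOCAL_DOMAINS."""
    found = []
    for line in sender_log.splitlines():
        date, time, ip, sender = line.split()
        if sender.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS:
            found.append((_ts(date, time), ip, sender))
    return found


def successful_logons(security_log):
    """Return [(time, account)] for successful event 680 records only."""
    found = []
    for line in security_log.splitlines():
        date, time, event_id, outcome, account = line.split()
        if event_id == "680" and outcome == "Success":
            found.append((_ts(date, time), account))
    return found


def suspect_accounts(sender_log, security_log, window=WINDOW):
    """Attribute each foreign MAIL FROM to the closest preceding logon within `window`.

    Returns {account: [(mail_time, client_ip, sender), ...]}. Sessions with no
    logon inside the window are collected under the key None: that is anonymous
    submission, i.e. an open relay, not a compromised password.
    """
    logons = successful_logons(security_log)
    attributed = {}
    for when, ip, sender in foreign_senders(sender_log):
        before = [(when - t, acct) for t, acct in logons
                  if timedelta(0) <= when - t <= window]
        account = min(before)[1] if before else None
        attributed.setdefault(account, []).append((when, ip, sender))
    return attributed


if __name__ == "__main__":
    for account, sessions in suspect_accounts(SENDER_LOG, SECURITY_LOG).items():
        label = account or "<no logon: anonymous relay?>"
        first_time, first_ip, first_sender = sessions[0]
        print(f"{label}: {len(sessions)} foreign MAIL FROM(s); "
              f"first at {first_time} from {first_ip} as {first_sender}")
```

Whichever account comes out on top is the one to reset before touching the queues: on SBS 2003 that is `net user <account> *` on the domain controller, then `net stop smtpsvc` and `net start smtpsvc` so the spammer's existing authenticated sessions are dropped, then deleting the queued messages in ESM. If the output lands under the `None` key instead, the sessions were not authenticated at all and the relay settings, not a password, are the problem.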
 

Author Closing Comment

by:RickFerr
ID: 33708817
Thank you. I did find that there was a user account named Admin that someone may have created at some point with a nonsecure password.  As soon as I reset the password on this account the bogus emails stopped being sent.