Solved

Exchange 2003 SBS queues filling up not open relay according to tests

Posted on 2010-09-05
578 Views
Last Modified: 2012-06-27
I am at a loss. I have an Exchange 2003 box that has the queues filling up. When I test for open relay (mxtoolbox) it says I am not an open relay, but the queues are growing by the thousands. Any input would be greatly appreciated.
Question by:kn1564
7 Comments
 
LVL 22

Expert Comment

by:chakko
ID: 33607631
Maybe the email is coming from the LAN side?
If the activity is high and constantly coming in, then maybe try to cut off your internet connection on the Exchange server and see if it stops.
You will know if it is an internal or external problem.
Turn on your SMTP logging and then check the log file for high activity and a possible source.
In the queue viewer, check some of the messages: are they SPAM, or do they look like real email, or are they error-type messages/NDRs?
 
LVL 1

Author Comment

by:kn1564
ID: 33607700
I have turned off NDRs to rule that out. I can see it coming in through my firewall, but there are too many to block at the IP level.
 
LVL 56

Accepted Solution

by:Cliff Galiher
Cliff Galiher earned 167 total points
ID: 33607753
SBS is configured to allow authenticated emails to relay regardless of IP address. My first guess is that you aren't an *open* relay, but that you are a relay due to a weak/cracked password.
Go into your connector and uncheck the box to allow authenticated connections to relay regardless of IP, and then make sure the IP addresses in the list are only for your client machines and the loopback connector for Exchange itself (explicitly excluding the gateway, as it should never be relaying).
That will probably resolve it.
And then, force a password reset for all users and enforce complex password requirements. Because, like it or not, if this fixes the issue, someone has a password and they can use OWA or RWW or other methods to get around your temporary fix, and can do far worse than mail relaying.
-Cliff
 
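To act on chakko's suggestion to turn on SMTP logging and Cliff's point that the relay is an authenticated account rather than an open relay, here is an added triage script (not from the thread or any participant) that reads an SMTP protocol log and flags accounts authenticating from many addresses, from outside the LAN, or sending an unusual number of messages. The field layout, the LAN ranges and the log lines are constructed assumptions, not Exchange's exact log schema.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Placeholder LAN ranges standing in for "your client machines" (assumption).
LAN_NETWORKS = [ip_network("192.168.1.0/24"), ip_network("127.0.0.0/8")]

# Constructed sample in a simplified W3C-style layout (assumed field order, not Exchange's schema).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query
2010-09-05 08:00:01 192.168.1.20 jsmith AUTH LOGIN
2010-09-05 08:00:02 192.168.1.20 jsmith MAIL FROM:<jsmith@example.com>
2010-09-05 08:05:10 203.0.113.7 bob AUTH LOGIN
2010-09-05 08:05:11 203.0.113.7 bob MAIL FROM:<promo@example.net>
2010-09-05 08:05:12 198.51.100.9 bob AUTH LOGIN
2010-09-05 08:05:13 198.51.100.9 bob MAIL FROM:<promo@example.net>
2010-09-05 08:05:14 198.51.100.9 bob MAIL FROM:<promo@example.net>
2010-09-05 08:05:15 203.0.113.44 bob AUTH LOGIN
2010-09-05 08:05:16 203.0.113.44 bob MAIL FROM:<promo@example.net>
"""

def is_lan(ip):
    """True when the client address falls inside one of the LAN ranges."""
    return any(ip_address(ip) in net for net in LAN_NETWORKS)

def parse_log(text):
    """Yield (client_ip, username, smtp_verb) per data line; skip '#' directives."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or line.startswith("#"):
            continue
        yield parts[2], parts[3], parts[4]

def relay_abuse_report(text, max_ips=2, max_mail=100):
    """Per authenticated account: distinct client IPs, MAIL commands, AUTHs from outside the LAN."""
    ips, mail, ext_auth = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, verb in parse_log(text):
        if user == "-":  # unauthenticated session, not a candidate for credential abuse
            continue
        ips[user].add(ip)
        if verb == "MAIL":
            mail[user] += 1
        elif verb == "AUTH" and not is_lan(ip):
            ext_auth[user] += 1
    report = {}
    for user, addrs in ips.items():
        stats = {"ips": len(addrs), "mail": mail[user], "external_auth": ext_auth[user]}
        stats["suspect"] = stats["ips"] > max_ips or stats["mail"] > max_mail or stats["external_auth"] > 0
        report[user] = stats
    return report
```

A flagged account is the one whose password to reset first; the SMTP service still has to be restarted afterwards, as the later comments note, or the existing session keeps sending.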
 
LVL 22

Expert Comment

by:chakko
ID: 33607763
Sounds like you're under some type of SPAM attack.
Which version of Exchange do you have?
I would try to configure a DNS blacklist check, and it will probably reject the connections for most of it.
Also, for more 'defense' you might try ORF from Vamsoft. You can install the fully functional 30-day trial version to get things under control.

For Exchange 2003:
http://support.microsoft.com/kb/823866
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 167 total points
ID: 33608013
I'm with cgaliher - I have seen this numerous times recently, and someone's user account and password will have been breached.
Please have a read through my article about this for details on what to do about it.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
If you don't have many users, change ALL the passwords and then stop and start the SMTP service. The latter part is essential, as without stopping the service even a changed password won't make any difference, because the spammer will still be connected with the old password and will keep sending spam.
Don't be surprised to see your queues still growing even after changing passwords and restarting the SMTP service. They will have flooded your server with so much mail that it cannot display it all at once, so it will continue to add to the queues for a while.
 
LVL 4

Assisted Solution

by:griff4345
griff4345 earned 166 total points
ID: 33608287
Do you happen to see .TW extensions at the end of most of your queued emails? If so, you have definitely had at least one access to your network compromised, and your system is being used for notorious email movement by Taiwan users.

You need to immediately change the administrator and all other passwords. After that, you'll need to track down the source of the entry (which account(s) were compromised) and possibly disable them completely.

There are a couple more things but most of it is wait for the word to spread that you are no longer available as a usable source, and the queues will start to free up.

You might also investigate whether your sending and receiving has been affected (people are not receiving your emails). This could be because your outgoing queue is stuck below a huge TW queue.

While you're waiting for all this, check to see if you have been blacklisted.

Good Luck!
 
LVL 1

Author Closing Comment

by:kn1564
ID: 33633784
I disabled all user accounts and it stopped on the dot with an SMTP restart. Reset all passwords, and I am enabling them as needed; this customer has an unusual dislike for deleting accounts for people that are gone. They just do a password change. Also discovered they had disabled complexity. Fixed that also, and all is peachy. You guys rock :)