Solved

Exchange 2003 SBS queues filling up not open relay according to tests

Posted on 2010-09-05
Last Modified: 2012-06-27
I am at a loss. I have an Exchange 2003 box that has the queues filling up. When I test for open relay it says I am not an open relay, mxtoolbox, but the queues are growing by the thousands. Any input would be greatly appreciated.
0
Question by:kn1564
7 Comments
 
LVL 22

Expert Comment

by:chakko
ID: 33607631
Maybe the email is coming from the LAN side?  
If the activity is high and constantly coming in then maybe try to cut off your internet connection on the Exchange server and see if it stops.  
You will know if it is an internal or external problem.
Turn on your SMTP logging and then check the log file for high activity and possible source.
In the queue viewer check some of the messages, are they SPAM or do they look like real email, are they error type messages/NDR?
0
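The SMTP log check suggested in the comment above, as an added example that is not part of the original thread: it counts accepted RCPT commands addressed to non-local domains per client IP and labels each heavy sender as internal or external. It assumes the SMTP virtual server logs in W3C Extended format with the `c-ip`, `cs-method`, `cs-uri-query` and `sc-status` fields enabled; the LAN range, local domain, threshold and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

LAN = ipaddress.ip_network("192.168.16.0/24")   # assumed internal range
LOCAL_DOMAINS = {"example.com"}                  # assumed domains hosted on this server
RCPT_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)>?$")

# Constructed sample lines; a real log lists whichever fields were enabled.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2010-09-05 03:10:01 203.0.113.50 EHLO +relay.example 250
2010-09-05 03:10:02 203.0.113.50 RCPT +TO:<u1@mail.example.tw> 250
2010-09-05 03:10:02 203.0.113.50 RCPT +TO:<u2@example.tw> 250
2010-09-05 03:10:03 203.0.113.50 RCPT +TO:<u3@example.tw> 250
2010-09-05 03:10:03 203.0.113.50 RCPT +TO:<u4@example.net> 250
2010-09-05 03:11:10 198.51.100.7 RCPT +TO:<staff@example.com> 250
2010-09-05 03:12:30 192.168.16.20 RCPT +TO:<partner@example.net> 250
2010-09-05 03:13:45 203.0.113.99 RCPT +TO:<x@example.org> 550
"""

def relay_counts(log_text, local_domains=LOCAL_DOMAINS):
    """Per client IP, count accepted RCPTs to non-local domains, keyed by TLD."""
    fields, stats = [], defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the header can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        accepted = row.get("sc-status", "").startswith("2")
        m = RCPT_DOMAIN.search(row.get("cs-uri-query", ""))
        if row.get("cs-method", "").upper() != "RCPT" or not accepted or not m or "c-ip" not in row:
            continue                          # not a recipient the server agreed to queue
        domain = m.group(1).lower()
        if domain in local_domains:
            continue                          # ordinary inbound mail, not relaying
        stats[row["c-ip"]][domain.rsplit(".", 1)[-1]] += 1
    return stats

def suspects(stats, lan=LAN, threshold=3):
    """Return (ip, side, relayed_rcpts, top_tld) for heavy relaying clients."""
    rows = []
    for ip, tlds in stats.items():
        side = "internal" if ipaddress.ip_address(ip) in lan else "external"
        if sum(tlds.values()) >= threshold:
            rows.append((ip, side, sum(tlds.values()), tlds.most_common(1)[0][0]))
    return sorted(rows, key=lambda r: -r[2])
```

An external address with many accepted relayed recipients on a server that is not an open relay points to an authenticated session, which matches the compromised-password diagnosis given later in the thread.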
 
LVL 1

Author Comment

by:kn1564
ID: 33607700
I have turned off NDR for ruling that out. I can see it coming in through my firewall but there are too many to block at the IP level.
0
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 167 total points
ID: 33607753
SBS is configured to allow authenticated emails to relay regardless of IP address. My first guess is that you aren't an *open* relay, but that you are a relay due to a weak/cracked password.
Go into your connector and uncheck the box to allow authenticated connections to relay regardless of IP, and then make sure the IP addresses in the list are only for your client machines and the loopback connector for Exchange itself (explicitly excluding the gateway as it should never be relaying).
Will probably resolve it.
And then, force a password reset for all users and enforce complex password requirements. Because like it or not, if this fixes the issue, someone has a password and they can use OWA or RWW or other methods to get around your temporary fix, and can do far worse than mail relaying.
-Cliff
 
0
 
LVL 22

Expert Comment

by:chakko
ID: 33607763
Sounds like you're under some type of SPAM attack.
Which version of Exchange do you have?
I would try and configure a DNS Blacklist check and it will probably reject the connections for most of it.
Also, for more 'defense' you might try ORF from vamsoft.  You can install the fully functional 30 day trial version to get things under control.

For Exchange 2003:
http://support.microsoft.com/kb/823866




0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 167 total points
ID: 33608013
I'm with cgaliher - I have seen this numerous times recently and someone's user account and password will have been breached.
Please have a read through my article about this and for details on what to do about it.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
If you don't have many users - change ALL the passwords and then stop and start the SMTP service.  The latter part is essential as without stopping the service, even a changed password won't make any difference because the spammer will still be connected with the old password and will keep sending spam.
Don't be surprised to see your queues still growing even after changing passwords and restarting the SMTP service.  They will have flooded your server with so much mail, it cannot display it all at once, so will continue to add to the queues for a while.
0
 
LVL 4

Assisted Solution

by:griff4345
griff4345 earned 166 total points
ID: 33608287
Do you happen to show .TW extensions at the end of most of your queued emails? If so, you have definitely had at least one access to your network compromised, and your system is being used for notorious email movement by Taiwan users.

You need to immediately change the administrator and all other passwords. After that, you'll need to track down the source of the entry (which account(s)) were compromised and possibly disable them completely.

There are a couple more things but most of it is wait for the word to spread that you are no longer available as a usable source, and the queues will start to free up.

You might also investigate if your sending and receiving has been influenced (people are not receiving your emails). This could be because your outgoing queue is stuck below a huge TW queue.

While you're waiting for all this, check to see if you have been blacklisted.

Good Luck!
0
 
LVL 1

Author Closing Comment

by:kn1564
ID: 33633784
I disabled all user accounts and it stopped on the dot with an SMTP restart. Reset all passwords. And am enabling them as needed; this customer has an unusual dislike for deleting accounts for people that are gone. They just do a pw change. Also discovered they disabled complexity. Fixed that also and all is peachy. You guys rock :)
0
