Exchange 2003 SBS queues filling up not open relay according to tests

I am at a loss. I have an Exchange 2003 box that has the queues filling up. When I test for open relay (mxtoolbox) it says I am not an open relay, but the queues are growing by the thousands. Any input would be greatly appreciated.
kn1564 Asked:
Cliff Galiher Commented:
SBS is configured to allow authenticated emails to relay regardless of IP address. My first guess is that you aren't an *open* relay, but that you are a relay due to a weak/cracked password.
Go into your connector and uncheck the box to allow authenticated connections to relay regardless of IP, and then make sure the IP addresses in the list are only for your client machines and the loopback connector for Exchange itself (explicitly excluding the gateway, as it should never be relaying).
Will probably resolve it.
And then, force a password reset for all users and enforce complex password requirements. Because like it or not, if this fixes the issue, someone has a password and they can use OWA or RWW or other methods to get around your temporary fix, and can do far worse than mail relaying.
-Cliff
 
0
 
chakko Commented:
Maybe the email is coming from the LAN side?  
If the activity is high and constantly coming in then maybe try to cut off your internet connection on the Exchange server and see if it stops.  
You will know if it is an internal or external problem.
Turn on your SMTP logging and then check the log file for high activity and possible source.
In the queue viewer check some of the messages, are they SPAM or do they look like real email, are they error type messages/NDR?
0
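A log-triage script of the kind chakko's "turn on SMTP logging and check for high activity and possible source" suggestion calls for, added here as an example (it is not code from the thread, from Microsoft, or from any product mentioned). The W3C field layout, the field names (`c-ip`, `cs-username`, `cs-method`) and the sample log lines are constructed assumptions for illustration, not an extract from a real Exchange 2003 SMTP log; check the `#Fields:` header of your own log to confirm the names before relying on the output.

```python
"""
Count SMTP RCPT commands per authenticated user and client IP from a
W3C extended-format SMTP log, so that one account relaying thousands of
messages (a cracked password) or one unauthenticated source (true open
relay) stands out. Field names and the sample log are constructed
assumptions, not a verified Exchange 2003 log layout.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample log: a #Fields header followed by data lines.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-query
2012-03-01 08:00:01 10.0.0.15 - HELO +workstation15
2012-03-01 08:00:01 10.0.0.15 - MAIL +FROM:<alice@example.com>
2012-03-01 08:00:01 10.0.0.15 - RCPT +TO:<bob@example.net>
2012-03-01 08:00:02 203.0.113.9 jsmith AUTH -
2012-03-01 08:00:02 203.0.113.9 jsmith MAIL +FROM:<promo@example.tw>
2012-03-01 08:00:02 203.0.113.9 jsmith RCPT +TO:<x1@example.tw>
2012-03-01 08:00:02 203.0.113.9 jsmith RCPT +TO:<x2@example.tw>
2012-03-01 08:00:03 203.0.113.9 jsmith RCPT +TO:<x3@example.tw>
2012-03-01 08:00:03 198.51.100.7 jsmith AUTH -
2012-03-01 08:00:03 198.51.100.7 jsmith RCPT +TO:<y1@example.tw>
2012-03-01 08:00:04 198.51.100.7 jsmith RCPT +TO:<y2@example.tw>
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header defines the column order
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                    # malformed or pre-header line: skip, don't guess
        records.append(dict(zip(fields, values)))
    return records


def rcpt_per_account(records: List[Dict[str, str]]) -> Dict[str, Tuple[int, Set[str]]]:
    """Map authenticated user ('-' when no AUTH) -> (RCPT count, client IPs seen)."""
    counts: Counter = Counter()
    ips: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.get("cs-method") != "RCPT":
            continue                    # one RCPT per recipient: the best volume signal
        user = r.get("cs-username", "-")
        counts[user] += 1
        ips[user].add(r.get("c-ip", "?"))
    return {u: (counts[u], ips[u]) for u in counts}


def suspicious_accounts(records: List[Dict[str, str]], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Accounts whose RCPT volume meets the threshold, busiest first.

    '-' is reported like any other key: a high count there points at an
    unauthenticated (open-relay) source rather than a cracked password.
    """
    summary = rcpt_per_account(records)
    hits = [(u, n, sorted(ipset)) for u, (n, ipset) in summary.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    for user, count, addrs in suspicious_accounts(recs, threshold=3):
        print(f"{user}: {count} RCPT commands from {', '.join(addrs)}")
```

On a real log, raise the threshold to something far above a normal user's daily recipient count and run it over the whole day's file; the account that comes out on top, and the foreign IPs it is authenticating from, are what the rest of this thread says to reset and block.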
 
kn1564 Author Commented:
I have turned off NDRs to rule that out. I can see it coming in through my firewall, but there are too many to block at the IP level.
0
 
chakko Commented:
Sounds like you're under some type of SPAM attack.
Which version of Exchange do you have?
I would try and configure a DNS Blacklist check and it will probably reject the connections for most of it.
Also, for more 'defense' you might try ORF from vamsoft.  You can install the fully functional 30 day trial version to get things under control.

For Exchange 2003:
http://support.microsoft.com/kb/823866
0
 
Alan Hardisty (Co-Owner) Commented:
I'm with cgaliher - I have seen this numerous times recently, and someone's user account and password will have been breached.
Please have a read through my article about this and for details on what to do about it.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
If you don't have many users - change ALL the passwords and then stop and start the SMTP service.  The latter part is essential, as without stopping the service even a changed password won't make any difference, because the spammer will still be connected with the old password and will keep sending spam.
Don't be surprised to see your queues still growing even after changing passwords and restarting the SMTP service.  They will have flooded your server with so much mail that it cannot display it all at once, so it will continue to add to the queues for a while.
0
 
griff4345 Commented:
Do you happen to show .TW extensions at the end of most of your queued emails? If so, you have definitely had at least one access to your network compromised, and your system is being used for notorious email movement by Taiwan users.

You need to immediately change the administrator and all other passwords. After that, you'll need to track down the source of the entry (which account(s)) were compromised and possibly disable them completely.

There are a couple more things but most of it is wait for the word to spread that you are no longer available as a usable source, and the queues will start to free up.

You might also investigate whether your sending and receiving has been affected (people are not receiving your emails). This could be because your outgoing queue is stuck below a huge TW queue.

While you're waiting for all this, check to see if you have been blacklisted.

Good Luck!
0
 
kn1564 Author Commented:
I disabled all user accounts and it stopped on the dot with an SMTP restart. Reset all passwords, and am enabling them as needed. This customer has an unusual dislike for deleting accounts for people that are gone; they just do a password change. Also discovered they had disabled complexity. Fixed that also and all is peachy. You guys rock :)
0