

Exchange 2003 SBS queues filling up not open relay according to tests

Posted on 2010-09-05
Medium Priority
Last Modified: 2012-06-27
I am at a loss. I have an Exchange 2003 box that has the queues filling up. When I test for open relay it says I am not an open relay, mxtoolbox, but the queues are growing by the thousands. Any input would be greatly appreciated.
Question by:kn1564
LVL 22

Expert Comment

ID: 33607631
Maybe the email is coming from the LAN side?  
If the activity is high and constantly coming in then maybe try to cut off your internet connection on the Exchange server and see if it stops.  
You will know if it is an internal or external problem.
Turn on your SMTP logging and then check the log file for high activity and possible source.
In the queue viewer check some of the messages, are they SPAM or do they look like real email, are they error type messages/NDR?
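
The log check suggested above (find the busiest source and tell LAN from external), as an added example that is not part of the original post. It assumes the SMTP virtual server logs in W3C extended format with the c-ip, cs-method and sc-status fields enabled; the sample lines and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in W3C extended log format (not taken from the thread).
# Assumption: c-ip, cs-method and sc-status are among the logged fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2010-09-05 14:00:01 192.168.16.25 EHLO +ws01.example.local 250
2010-09-05 14:00:01 192.168.16.25 MAIL +FROM:<user@example.com> 250
2010-09-05 14:00:02 192.168.16.25 RCPT +TO:<partner@example.net> 250
2010-09-05 14:00:05 203.0.113.77 EHLO +mail.example.org 250
2010-09-05 14:00:05 203.0.113.77 MAIL +FROM:<promo@example.org> 250
2010-09-05 14:00:06 203.0.113.77 RCPT +TO:<a@example.tw> 250
2010-09-05 14:00:06 203.0.113.77 RCPT +TO:<b@example.tw> 250
2010-09-05 14:00:07 203.0.113.77 RCPT +TO:<c@example.tw> 250
2010-09-05 14:00:08 203.0.113.77 RCPT +TO:<d@example.tw> 550
"""

# RFC 1918 ranges plus loopback count as the LAN side.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_w3c(lines):
    """Yield one dict per log record, keyed by the current #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header repeats after a service restart
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def top_senders(lines, limit=10):
    """Return (ip, 'LAN' or 'external', accepted RCPT count), busiest first."""
    counts = Counter()
    for rec in parse_w3c(lines):
        accepted = rec.get("sc-status", "").startswith("2")
        if rec.get("cs-method", "").upper() == "RCPT" and accepted and "c-ip" in rec:
            counts[rec["c-ip"]] += 1
    result = []
    for ip, n in counts.most_common(limit):
        addr = ipaddress.ip_address(ip)
        side = "LAN" if any(addr in net for net in LAN_NETS) else "external"
        result.append((ip, side, n))
    return result

if __name__ == "__main__":
    for ip, side, n in top_senders(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {side:8} {n}")
```

An external address at the top of the list with thousands of accepted recipients, on a server that tests as not being an open relay, points to authenticated relaying rather than anonymous relaying.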

Author Comment

ID: 33607700
I have turned off NDR for ruling that out. I can see it coming in through my firewall but there are too many to block at the IP level.
LVL 60

Accepted Solution

Cliff Galiher earned 668 total points
ID: 33607753
SBS is configured to allow authenticated emails to relay regardless of IP address. My first guess is that you aren't an *open* relay, but that you are a relay due to a weak/cracked password.
Go into your connector and uncheck the box to allow authenticated connections to relay regardless of IP, and then make sure the IP addresses in the list are only for your client machines and the loopback connector for Exchange itself (explicitly excluding the gateway, as it should never be relaying).
Will probably resolve it.
And then, force a password reset for all users and enforce complex password requirements. Because like it or not, if this fixes the issue, someone has a password and they can use OWA or RWW or other methods to get around your temporary fix, and can do far worse than mail relaying.

LVL 22

Expert Comment

ID: 33607763
Sounds like you're under some type of SPAM attack.
Which version of Exchange do you have?
I would try and configure a DNS Blacklist check and it will probably reject the connections for most of it.
Also, for more 'defense' you might try ORF from vamsoft.  You can install the fully functional 30 day trial version to get things under control.

For Exchange 2003:

LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 668 total points
ID: 33608013
I'm with cgaliher - I have seen this numerous times recently and someone's user account and password will have been breached.
Please have a read through my article about this and for details on what to do about it.
If you don't have many users - change ALL the passwords and then stop and start the SMTP service.  The latter part is essential as without stopping the service, even a changed password won't make any difference because the spammer will still be connected with the old password and will keep sending spam.
Don't be surprised to see your queues still growing even after changing passwords and restarting the SMTP service.  They will have flooded your server with so much mail, it cannot display it all at once, so will continue to add to the queues for a while.

Assisted Solution

griff4345 earned 664 total points
ID: 33608287
Do you happen to show .TW extensions at the end of most of your queued emails? If so, you have definitely had at least one access to your network compromised, and your system is being used for notorious email movement by Taiwan users.

You need to immediately change the administrator and all other passwords. After that, you'll need to track down the source of the entry (which account(s)) were compromised and possibly disable them completely.

There are a couple more things but most of it is wait for the word to spread that you are no longer available as a usable source, and the queues will start to free up.

You might also investigate if your sending and receiving has been influenced (people are not receiving your emails). This could be because your outgoing queue is stuck below a huge TW queue.

While you're waiting for all this, check to see if you have been blacklisted.

Good Luck!

Author Closing Comment

ID: 33633784
I disabled all user accounts and it stopped on the dot with an SMTP restart. Reset all passwords, and am enabling them as needed; this customer has an unusual dislike for deleting accounts for people that are gone. They just do a pw change. Also discovered they disabled complexity. Fixed that also and all is peachy. You guys rock :)
