Exchange 2003 SBS queues filling up not open relay according to tests

Posted on 2010-09-05
Medium Priority
Last Modified: 2012-06-27
I am at a loss. I have an exchange 2003 box that has the queues filling up.. When i test for open relay it says i am not an open relay, mxtoolbox, but the ques are growing by the thousands. Any input would be greatly appreciated..
Question by:kn1564
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 22

Expert Comment

ID: 33607631
Maybe the email is coming from the LAN side?  
If the activity is high and constantly coming in then maybe try to cut off your internet connection on the Exchange server and see if it stops.  
You will know if it is an internal or external problem.
Turn on your SMTP logging and then check the log file for high activity and possible source.
In the queue viewer check some of the messages, are they SPAM or do they look like real email, are they error type messages/NDR?

Author Comment

ID: 33607700
I have turned off ndr for ruling that out. I can see it coming in thru my firewall but there are too many to block at the ip level
LVL 59

Accepted Solution

Cliff Galiher earned 668 total points
ID: 33607753
SBS is configured to allow authenticated emails to relay regardless of IP address. My first guess is that you aren't an *open* relay, but that you are a relay due to a weak/cracked password.
Go into your connector and uncheck the box to allow authenticated connections to relay regardless of IP, and then make sure the IP addresses in the list are only for your client machines and the loopback connector for exchange itself (explicitly excluding the gateway is it should never be relaying.)
Will probably resolve it.
And then, force a password reset for all users and enforce complex password requirements. Because like it or not, if this fixes the issue, someone has a password and they can use OWA or RWW or other methods to get around your temporary fix, and can do far worse than mail relaying.
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

LVL 22

Expert Comment

ID: 33607763
Sounds like you're under some type of SPAM attack.
Which version of Exchange do you have?
I would try and configure a DNS Blacklist check and it will probably reject the connections for most of it.
Also, for more 'defense' you might try ORF from vamsoft.  You can install the fully functional 30 day trial version to get things under control.

For Exchange 2003:

LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 668 total points
ID: 33608013
I'm with cgaliher - I have seen this numerous times recently and someone's useraccount and password will have been breached.
Please have a read through my article about this and for details on what to do about it.
If you don't have many users - change ALL the passwords and then stop and start the SMTP service.  The latter part is essential as without stopping the service, even a changed password won't make any difference because the spammer will still be connected with the old pasword and will keep sending spam.
Don't be surprised to see you queus still growing even after changing passwords and restarting the SMTP service.  They will have flooded your server with so much mail, it cannot display it all at once, so will continue to add to the queues for a while.

Assisted Solution

griff4345 earned 664 total points
ID: 33608287
Do you happen to show .TW extensions at then end of most of your queued emails? If so, you have definitely had at least one access to your network compromised, and your system is being used for notorious email movement by Taiwan users.

You need to immediately change the administrator and all other passwords. After that, you'll need to track down the source of the entry (which account(s)) were compromised and possibly disable them completely.

There are a couple more things but most of it is wait for the word to spread that you are no longer available as a usable source, and the queues will start to free up.

You might also investigate if your sending and receiving has been influenced (people are not receiving your emails). This could be because your outgoing queue is tuck below a huge TW queue.

While you're waiting for all this, check to see if you have been blacklisted.

Good Luck!

Author Closing Comment

ID: 33633784
I disabled all user accounts and it stopped on the dot with a smtp restart. Reset all passwords. And am enabling them as needed this customer has an unusual dislike for deleting accounts for people that are gone. They just do a pw change. Also discovered they disabled complexity. Fixed that also and all is peachy. You guys rock :)

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
In-place Upgrading Dirsync to Azure AD Connect
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
how to add IIS SMTP to handle application/Scanner relays into office 365.
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question