Solved

Exchange mail.que growing fast until transport stops.

Posted on 2010-09-10
17
6,789 Views
Last Modified: 2012-05-10
SBS2008 suddenly the transport service has been stopping because of backpressure. I noticed that the mail.que and trn.log grow exponentially at a rate of 500 MB in 5 minutes. Queue viewer shows nothing, console get queue shows no messages. I have renamed the queue to .old and restarted the transport service and things run fine for about 20 minutes then bam back again. All the tools for mailflow say things are great. i have disabled our antivirus, checked open relay. i am at a loss! Please help.
0
Comment
Question by:grizzjeeper
  • 9
  • 3
  • 2
  • +2
17 Comments
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Backpressure requires event ID's 15002 /15006 to be logged

start > run > eventvwr
check under windows logs\application

You can turn off backpressure monitoring
http://exchangepedia.com/2007/03/exchange-server-2007-how-to-turn-off-the-back-pressure-feature-on-transport-servers.html

Open the EdgeTransport.exe.config file
c:\Exchange Server\bin directory using notepad

Add the following key+value pair:
<add key=”EnableResourceMonitoring” value=”false” />
Save file

Restart the Microsoft Exchange Transport Service (MSExchangeTransport):


Explanation of back pressure here
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/understanding-back-pressure-feature-exchange-server-2007.html

Moving queue database (not required if you are disabling from the step above)
for your ref.
http://www.petri.co.il/back-pressure-moving-queue-database-in-exchange-2007.htm
0
 

Author Comment

by:grizzjeeper
Comment Utility
I have done all that my problem is the mail.que grows so fast regardless of backpressure transport stops. I need to find out why the que is growing at such an alarming rate yet reporting as no messages through the console. Once the que gets over a gig it gets unstable then once it reaches 2 gigs things get very slow.

Question is Why is the que growing and how can i stop it. I have message limits set also.
Why does queue viewer say nothing?
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
looping email
virus

-identify the user causing it

Download and run Exmon
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9A49C22E-E0C7-4B7C-ACEF-729D48AF7BC9&displaylang=en

After you find the user causing high cpu spikes
Disable mapi for that user

Set-Casmailbox –Identity <Username> –MapiEnabled $False

Check the guide here on how to troubleshoot this.
http://blogs.technet.com/b/mikelag/archive/2009/07/12/troubleshooting-store-log-database-growth-issues.aspx

I am out for the day.
have a good weekend.

post back here and i will check later tonight / tomorrow morning.
0
 

Author Comment

by:grizzjeeper
Comment Utility
Thanks,
i ran utility. the only ones I see with 100% cpu is "?" which the article says is a problem with the transport but doesnt really give my anything else to go on.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Comment Utility
The fact that this runs fine for 20 minutes after a reset tells me that this is indeed a malicious use situation. The reason attempts to display the queue fail is because it is growing faster than the tools used to view the queue can keep up.
Two possibilities:
1) You have an infected machine on your LAN spewing spam through your server. netstat and wireshark can be used to view open and active SMTP connections to your server. Find the offender and kill it.
2) The term "open relay" means that anybody can relay. So while you may not be an *OPEN* relay, your server can still be abused to relay spam if an account password has been discovered, cracked, or otherwise compromised. The server will pass any open-relay tests, because technically it isn't open. Authenticated relay is still allowed by default. Fixing this typf of situation requires resetting user passwords. While other steps could theoretically be taken, you really don't want a user's password out in the wild, even if you could disable authenticated relay. That account/password combo can still be used to abuse your server in other non-spam ways. It is best to solve the problme at the source(the compromised use account() and not try to work around the issue.
-Cliff
 
0
 

Author Comment

by:grizzjeeper
Comment Utility
Well correct me if I am wrong but the queue does display, just says zero messages. I can view queue through console says status ready message count 0. Through the toolbox same thing. Running trend Micro worry free on server and all pc's and nothing is showing there. I will try wireshark and see if anything there,

I can also use message tracker and see messsages flowing through and nothing large, nothing to coincide withe the size of the mail.que or trn.logs...
0
 
LVL 15

Expert Comment

by:Narayan_singh
Comment Utility
Check if you have an poisoned messsages... please delete them... stop tranposrt rename the q file and create new transport DB.
0
 

Author Comment

by:grizzjeeper
Comment Utility
No poison messages, Already renamed the que file, couple of times starts runs fine sumtimes for 5 minuttes sometimes for 20 then the mail.que file keeps climbing. I have not doen anything with the temp.db yet, wonder if I should also rename that as well.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 15

Expert Comment

by:Narayan_singh
Comment Utility
you can try to rename the entire folder and create fresh db.
then run Exmon and see the hight rpc request from any perticular IP .. see if thats the internal.... shutdown that machine and see if thats the cause.
0
 

Author Comment

by:grizzjeeper
Comment Utility
I have already tried all that, see previous posts!

New info. Trend services were off while troubleshooting. Turned them back on and immediately went through 20 gigs of space on my c drive. Stopped Transport service and magically it reappeared. Tried again and treeview wont even see where its going to.. WTH is going on here..
0
 
LVL 15

Expert Comment

by:Narayan_singh
Comment Utility
Exclude exchange files from in trend.
0
 

Author Comment

by:grizzjeeper
Comment Utility
They are. Even with trend NOT running at all my Mail.que fil grows to a gig in anywhere between 10 and 30 minutes. Queue viewer only says this " Submission (green check) Delivery type Undefined and status ready.

If I stop transport service the only way it will start again is if i delete the queue (I delete the whole folder)

Exmon shows nothing except ? being at 100% cpu time...
0
 

Author Comment

by:grizzjeeper
Comment Utility
Seems like this thread here is very similar.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_24709067.html

I have opened up the limites again. Server is the only machne on the network, FYI I can also disconnect the server from the network and the QUEUE BUILDS!
0
 

Author Comment

by:grizzjeeper
Comment Utility
Anyone else have any ideas?
Here is a recap.
Mail.que grows till transport service stops (4gb right now)
Queue viewer shows queue as ready and no messages but What is taking up the 4GB of space?
I delete the queue restart transport mail flows slowly until it gets so large transport stops.
This will happen even when disconnected from the network so Spam virus is not the reason
All exchange built in tools say everything is fine and there isnt any qued mail.
I have moved the que to a different drive.
0
 

Accepted Solution

by:
grizzjeeper earned 0 total points
Comment Utility
Turns out it was an odd DNS issues. Disables Ethernet controller, re-enabled and reran fix network after setting same ip address. ODD!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now