itsystemsllc asked:
IIS SMTP server queue filling up and allowing rogue or unauthorized connections

My overall configuration is this: 2 Windows Server 2003 systems.  Server #1 runs Exchange 2003 which receives mail for the entire domain and also sends mail for users in the office who connect to the server with Outlook in Exchange mode.  Server #2 is just Server 2003 with SMTP installed in IIS.  This server is for sending only, it is used by field workers who connect via Outlook with POP3 (to server #1) and SMTP to server #2.  

On server #2 the SMTP settings are as follows: On the Access tab of the SMTP server Properties under Authentication the server is set up to require basic authentication.  Under Relay it is set to relay for 'Only the list below' (the list is blank) and then it is set to 'Allow all computers which successfully authenticate to relay, regardless of the list above.'

A barracuda protects all incoming mail.

The server has been set up this way for a LONG time.  In the last month I have been having problems with the SMTP queue folder filling up, I currently have 60,000 emails in the queue.  I can see connections under 'Current Sessions' in IIS from IPs in China, Nigeria, Russia and a few others.  All of the connections show in the following format:
User           34 seconds

I don't have a user called 'User.'  Usually with legit connection, the user portion is either the user's actual computer name or the local IP they are using.

Any ideas how to make this stop?  I forced all of the field users to change their passwords and that seemed to work for a day and half or so.  I only forced the field users because the only server with issues was #2 which only serves the field workers.  My thought is that a user's computer is infected with something that is stealing the password so the password change only worked for a short while.  I have encouraged them all to scan their computers but I have no direct control to force that to happen.

I have used various tools on the Internet to check my system for an open relay or other issue but everything seems to be OK.  At one point I assumed that this was an NDR attack because most outgoing messages were from  But now the queue has emails from external domains to other external domains.  Our domain is not part of the process at all!
jhill777:

Looks like a proxy server for anonymity.
I would change ports from 25 to something else by setting up two virtual servers: one with relaying disabled on port 25 for standard traffic, and another with authentication-based relaying turned on a non-standard port number.
itsystemsllc:

I do have ports 25 and 587 enabled on this SMTP server.  I did that because the out of office users were running into issues with SBC, Comcast etc... blocking port 25 traffic for their residential customers.  We offer port 587 as an alternate.  I don't know for sure which port is being used for this spam activity.  Are you suggesting I disable 25 and only use 587?

Please explain your suggestion a little more.  Thanks.
Alan Hardisty:
It sounds like you have an authenticated relay problem going on.
One of your user accounts and passwords has been compromised.
Depending on the number of users, you may want to force a password change for all accounts, restart the SMTP Service and then the problem should calm down.
You will need to empty the queues and then get yourself off the blacklists that you will inevitably be on (
I did force a password change and the problem stopped briefly.  But it is back again so I think that the new password or passwords were stolen again.  Not sure how to stop that from happening!  It must be a malware or virus on someone's computer but these are personal computers that I have no control over!
jhill777:

Did you restart the SMTP Service?  If not - then please stop the SMTP service, then reset the passwords again and then restart the SMTP service.
If that doesn't resolve it - then there are nastier issues afoot!
Sounds good, I actually can see that the rogue connections are all using port 25 from firewall logs.  So the real question is why is this happening.  It seems to me that I have all the checks in place to keep myself from being an open relay.  At some point I would imagine this happening again even with 587 if my settings are allowing open relay.
You can check to see if you are an open relay on this site: 
I think I passed all the tests from  All of them said 'client was not authenticated.'  I have also checked multiple times from as well and they say I am not an open relay either.  If I am not an open relay, and I don't think I am, I don't understand how this is happening.  The outgoing server is if any of you want to test for giggles.
Are you logging inbound SMTP access on your firewall?
You may see a lot of logs from a particular IP that you could block until you get a handle on the problem.
Yes, I am logging.  I have looked up a ton of IPs and found them to be from China, Nigeria, Russia, Poland and more.  I used to look up the IPs.  The nice thing about that site is that it gives you the whole network range (so you don't have to calculate it yourself!) and then I can make a block rule for that whole range.  I have a SonicWall firewall attached to my DSL but that is so cumbersome. To help troubleshoot this issue I installed an Untangle firewall in bridge mode between the SonicWall and the LAN.  This has given me much better information and control!

I will be implementing the port 25 block and I will post back later, tomorrow or Wednesday with results.

Does anyone have any tips or software that can help me identify what account is being used to authenticate on my SMTP server?  Windows SMTP logging doesn't show me that information.
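The IIS SMTP service can write W3C extended logs in which each SMTP command (EHLO, AUTH, MAIL, RCPT) is a separate line carrying the client IP and, after a successful AUTH, the authenticated username. The following is an added example, not code from this thread or from Microsoft, that triages such a log for the two symptoms described above: which account is authenticating from which IPs, and relayed messages where neither the sender nor the recipient domain is the local one (external-to-external relay). The field order, the sample log lines, the local domain and the username/IP values are all constructed for illustration; take the real field order from the #Fields: header of your own log file.

```python
"""Triage an IIS SMTP W3C extended log for authenticated-relay abuse.

Constructed example. The #Fields layout below is assumed; read the real one
from the header of your own log.
"""
import re
from collections import Counter, defaultdict

# Assumed: the only domain this server legitimately sends on behalf of.
LOCAL_DOMAIN = "example.com"

# Constructed sample log. IIS writes '+' for spaces inside a field and '-' for
# an empty field; 235 is "authentication successful", 250 is "OK".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2009-03-01 02:10:01 203.0.113.7 - SMTPSVC1 SERVER2 192.0.2.10 25 EHLO - +User 250
2009-03-01 02:10:02 203.0.113.7 fieldworker1 SMTPSVC1 SERVER2 192.0.2.10 25 AUTH - LOGIN 235
2009-03-01 02:10:03 203.0.113.7 fieldworker1 SMTPSVC1 SERVER2 192.0.2.10 25 MAIL - +FROM:<promo@spam.example.net> 250
2009-03-01 02:10:03 203.0.113.7 fieldworker1 SMTPSVC1 SERVER2 192.0.2.10 25 RCPT - +TO:<victim@other.example.org> 250
2009-03-01 08:15:00 198.51.100.4 - SMTPSVC1 SERVER2 192.0.2.10 587 EHLO - +LAPTOP-FW2 250
2009-03-01 08:15:00 198.51.100.4 fieldworker2 SMTPSVC1 SERVER2 192.0.2.10 587 AUTH - LOGIN 235
2009-03-01 08:15:01 198.51.100.4 fieldworker2 SMTPSVC1 SERVER2 192.0.2.10 587 MAIL - +FROM:<fieldworker2@example.com> 250
2009-03-01 08:15:01 198.51.100.4 fieldworker2 SMTPSVC1 SERVER2 192.0.2.10 587 RCPT - +TO:<customer@other.example.org> 250
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_w3c(log_text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other header/comment lines
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(log_text, local_domain=LOCAL_DOMAIN):
    """Summarise who authenticated from where and flag external-to-external relays."""
    local_domain = local_domain.lower()
    auth_by_user = Counter()          # successful AUTHs per account
    ips_by_user = defaultdict(set)    # client IPs seen per account
    ehlo_names = Counter()            # hostnames clients announce themselves with
    relay_abuse = []
    pending_sender = {}               # last MAIL FROM per (ip, user); the log has no session id
    for e in parse_w3c(log_text):
        key = (e["c-ip"], e["cs-username"])
        method = e["cs-method"].upper()
        arg = e["cs-uri-query"].replace("+", " ").strip()
        if method in ("EHLO", "HELO"):
            ehlo_names[arg] += 1
        elif method == "AUTH" and e["sc-status"] == "235":
            auth_by_user[e["cs-username"]] += 1
            ips_by_user[e["cs-username"]].add(e["c-ip"])
        elif method == "MAIL":
            m = ADDR_RE.search(arg)
            pending_sender[key] = m.group(1) if m else ""
        elif method == "RCPT" and e["sc-status"] == "250":
            m = ADDR_RE.search(arg)
            rcpt = m.group(1) if m else ""
            sender = pending_sender.get(key, "")
            # Neither side is ours: the server is being used as a pure relay.
            if _domain(sender) != local_domain and _domain(rcpt) != local_domain:
                relay_abuse.append({"ip": e["c-ip"], "user": e["cs-username"],
                                    "from": sender, "to": rcpt})
    return {
        "auth_by_user": dict(auth_by_user),
        "ips_by_user": {u: sorted(ips) for u, ips in ips_by_user.items()},
        "ehlo_names": dict(ehlo_names),
        "relay_abuse": relay_abuse,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, n in report["auth_by_user"].items():
        print(f"{user}: {n} successful AUTH from {report['ips_by_user'][user]}")
    for hit in report["relay_abuse"]:
        print(f"RELAY {hit['ip']} as {hit['user']}: {hit['from']} -> {hit['to']}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; an account that authenticates from many unrelated IPs, or that sends mail from sender domains it does not own, is the one whose password to reset first. The EHLO tally is there because the thread notes that rogue sessions announce themselves with a generic name rather than a computer name or IP.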
Download the 30-day trial of Vamsoft ORF - http://www.vamsoft.com. It has excellent logging capabilities (not to mention anti-spam capabilities) and you can use the logs to see when the sender is from the spammer and then cross reference that to the Security Event Log and that should pinpoint an account.
I'm heading to bed in a short while but can assist with Vamsoft logs / filtering if need be.

Did you check this too?
In Exchange System Manager (ESM), right-click the SMTP connector, and then click Properties.
Click the Address Space tab, and then click to clear the Allow messages to be relayed to these Domains check box.
Click OK, and then restart the SMTP service
The problem SMTP server is not the Exchange SMTP server, just the basic IIS SMTP so I am not sure that your suggestion would help, correct me if I am wrong.

Also, the closure of port 25 seems to have stopped my bleeding.  I turned it off and then cleaned out the queue (70,000 messages) last night.  This morning there are no new messages filling up the queue folder.  Thank you to Jhill777 for that suggestion!
Although I was never able to identify the compromised account, I did stop the spam traffic by closing the port as suggested.