Solved

Exchange 2003 smtp queue filled with emails mostly from .tw domain

Posted on 2011-02-10
Last Modified: 2012-08-13
Our SMTP queue is filled with a ton of emails. Most of them end in .tw; for example geo.tw. The queue keeps growing and growing. In SMTP server properties I unchecked "Allow all computers which successfully authenticate to relay, regardless of the list above." I also have "only the list below" selected. After the changes I restarted the SMTP service. Still no luck.

I do not see email sent out from postmaster.  The sender is some random email address to some random destination email address.

I used Network Monitor to see where all this SMTP traffic is coming from. They were all a bunch of random public IPs; the IP is spoofed.

Any ideas????

Thanks!
0
Comment
Question by:wyrickits
6 Comments
 
LVL 12

Expert Comment

by:DarinTCH
ID: 34864891
If you do not actually receive mail from the xxx.tw then block it completely,
flush your queue,
and monitor it.
0
 

Author Comment

by:wyrickits
ID: 34864939
Okay, our MX record points to our spam filter through a 3rd party. Block it there? Or on the Exchange server?
0
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 500 total points
ID: 34865192
0

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34865462
Thanks Shree.

You are an Authenticated relay and my article will help you to identify which account is being abused.  If you want a quick fix - disable Basic and Windows Authentication in your SMTP Virtual Server and restart the SMTP Service.  Then change ALL your passwords.

My blog should help you to tighten up security too:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
0
 

Author Comment

by:wyrickits
ID: 34866022
Shreedhar,

  You were right on. We had an account that was compromised. We enabled logging then saw the 1708 error which led us to the account.

Thanks!

If the sender is not postmaster@yourdomain.com and is some random address, please open Exchange System Manager and expand Servers > right-click the Server Name and choose Properties > select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to maximum. Once you have done this, keep an eye on your Application Event Logs looking for event ID 1708 and it should soon become apparent which account is being abused. Once you know which user account is being abused, change the password for that account and then stop and restart the Simple Mail Transfer Protocol Service and then clean up your queues (the Administrator account is the usual target for spammers). Here is a good document to help you clean up – http://www.amset.info/exchange/spam-cleanup.asp
0
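The event ID 1708 check described above, as an added PowerShell example that is not part of the original thread: it tallies successful SMTP authentications per account and counts the distinct clients behind each, so an account being used from many unrelated hosts stands out. The 1708 message wording matched by the regex is an assumption, the function name is hypothetical, and the sample messages are constructed.

```powershell
# Added example, not from the thread. Tallies event ID 1708 (successful SMTP AUTH)
# per account so the abused login stands out.
# ASSUMPTION: the 1708 description reads
#   ... with client "<name>". The authentication method used was: <method>
#   and the username was: <DOMAIN\user>.
# Check one real event on your server and adjust the regex if the text differs.
function Get-SmtpAuthSummary {            # hypothetical helper name
    param([string[]]$Message)
    $pattern = '(?s)with client "(?<client>[^"]*)".*?method used was:\s*(?<method>\S+)' +
               '.*?username was:\s*(?<user>.+?)\.?\s*$'
    $hits = foreach ($m in $Message) {
        if ($m -match $pattern) {
            New-Object PSObject -Property @{
                User   = $Matches['user'].ToLower()   # fold case: DOMAIN\User == domain\user
                Client = $Matches['client']
                Method = $Matches['method']
            }
        }
    }
    if (-not $hits) { return }            # no 1708 text matched the pattern
    # One row per account: total logons, distinct clients, auth methods seen.
    $hits | Group-Object User | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'User'; e = { $_.Name } },
            @{ n = 'DistinctClients'; e = { @($_.Group | Select-Object -ExpandProperty Client -Unique).Count } },
            @{ n = 'Methods'; e = { @($_.Group | Select-Object -ExpandProperty Method -Unique) -join ',' } }
}

# Constructed sample messages (documentation IP ranges, made-up account names).
$prefix = 'SMTP Authentication was performed successfully with client '
$sample = @(
    ($prefix + '"203.0.113.10". The authentication method used was: LOGIN and the username was: EXAMPLE\Administrator.'),
    ($prefix + '"198.51.100.77". The authentication method used was: LOGIN and the username was: EXAMPLE\administrator.'),
    ($prefix + '"192.0.2.200". The authentication method used was: LOGIN and the username was: example\administrator.'),
    ($prefix + '"pc-042". The authentication method used was: NTLM and the username was: EXAMPLE\j.smith.')
)
Get-SmtpAuthSummary -Message $sample | Format-Table -AutoSize

# On the Exchange server, after raising Authentication logging to maximum,
# feed it the real events instead of the sample:
# $msgs = Get-EventLog -LogName Application -Source MSExchangeTransport |
#     Where-Object { $_.EventID -eq 1708 } | ForEach-Object { $_.Message }
# Get-SmtpAuthSummary -Message $msgs | Format-Table -AutoSize
```

Sort order puts the busiest account first; a single account with a high count across many distinct clients is the one to reset before restarting the SMTP service and cleaning the queues.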
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866048
There is also a tool called AQADMCLI.exe that you can use to quickly zap the queues on your server rather than have to follow the link in my article.

Have a quick search for it and if you get stuck for the right commands - please ask.

Alan
0
