Solved

Exchange 2003 smtp queue filled with emails mostly from .tw domain

Posted on 2011-02-10
6
683 Views
Last Modified: 2012-08-13
Our SMTP queue is filled with a ton of emails.  Most of them end in .tw; for example geo.tw.  The queue keeps growing and growing.  In SMTP server properties I unchecked   "Allow all computers which successfully authenticate to relay, regardless of the list above."  I also have "only the list below" selected.  After the changes I restarted the smtp service.  Still no luck.

I do not see email sent out from postmaster.  The sender is some random email address to some random destination email address.

I used network monitor to see where all this smtp traffic is coming from.  They were all a bunch of random public ip's; the ip is spoofed.

Any ideas????

Thanks!
0
Comment
Question by:wyrickits
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 12

Expert Comment

by:DarinTCH
ID: 34864891
if you do not actually recv mail fom the xxx.tw then block it completely
flussh your queue
and monitor it
0
 

Author Comment

by:wyrickits
ID: 34864939
okay,  We our mx record points to our SPAM filter through a 3rd party.  Block it there? Or on the Exchange server?
0
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 500 total points
ID: 34865192
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34865462
Thanks Shree.

You are an Authenticated relay and my article will help you to identify which account is being abused.  If you want a quick fix - disable Basic and Windows Authentication in your SMTP Virtual Server and restart the SMTP Service.  Then change ALL your passwords.

My blog should help you to tighten up security too:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
0
 

Author Comment

by:wyrickits
ID: 34866022
Shreedhar,

  You were right on.  We had an account that comprised.  We enabled logging then saw the 1708 error which led us to the account.

Thanks!

If the sender is not postmaster@yourdomain.com and is some random address, please Open Exchange System Manager and expand Servers> Right-click the Server Name and choose Properties> Select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to maximum.  Once you have done this, keep an eye on your Application Event Logs looking for event ID 1708 and it should soon become apparent which account is being abused.  Once you know which user account is being abused, change the password for that account and then stop and restart the Simple Mail Transfer Protocol Service and then cleanup your queues (The Administrator account is the usual target for spammers).  Here is a good document to help you cleanup – http://www.amset.info/exchange/spam-cleanup.asp
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866048
There is also a tool called AQADMCLI.exe that you can use to quickly zap the queues on your server rather than have to follow the link in my article.

Have a quick search for it and if you get stuck for the right commands - please ask.

Alan
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question