Solved

Exchange 2003 smtp queue filled with emails mostly from .tw domain

Posted on 2011-02-10
6
680 Views
Last Modified: 2012-08-13
Our SMTP queue is filled with a ton of emails.  Most of them end in .tw; for example geo.tw.  The queue keeps growing and growing.  In SMTP server properties I unchecked   "Allow all computers which successfully authenticate to relay, regardless of the list above."  I also have "only the list below" selected.  After the changes I restarted the smtp service.  Still no luck.

I do not see email sent out from postmaster.  The sender is some random email address to some random destination email address.

I used network monitor to see where all this smtp traffic is coming from.  They were all a bunch of random public ip's; the ip is spoofed.

Any ideas????

Thanks!
0
Comment
Question by:wyrickits
6 Comments
 
LVL 12

Expert Comment

by:DarinTCH
ID: 34864891
if you do not actually recv mail fom the xxx.tw then block it completely
flussh your queue
and monitor it
0
 

Author Comment

by:wyrickits
ID: 34864939
okay,  We our mx record points to our SPAM filter through a 3rd party.  Block it there? Or on the Exchange server?
0
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 500 total points
ID: 34865192
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34865462
Thanks Shree.

You are an Authenticated relay and my article will help you to identify which account is being abused.  If you want a quick fix - disable Basic and Windows Authentication in your SMTP Virtual Server and restart the SMTP Service.  Then change ALL your passwords.

My blog should help you to tighten up security too:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
0
 

Author Comment

by:wyrickits
ID: 34866022
Shreedhar,

  You were right on.  We had an account that comprised.  We enabled logging then saw the 1708 error which led us to the account.

Thanks!

If the sender is not postmaster@yourdomain.com and is some random address, please Open Exchange System Manager and expand Servers> Right-click the Server Name and choose Properties> Select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to maximum.  Once you have done this, keep an eye on your Application Event Logs looking for event ID 1708 and it should soon become apparent which account is being abused.  Once you know which user account is being abused, change the password for that account and then stop and restart the Simple Mail Transfer Protocol Service and then cleanup your queues (The Administrator account is the usual target for spammers).  Here is a good document to help you cleanup – http://www.amset.info/exchange/spam-cleanup.asp
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866048
There is also a tool called AQADMCLI.exe that you can use to quickly zap the queues on your server rather than have to follow the link in my article.

Have a quick search for it and if you get stuck for the right commands - please ask.

Alan
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now