Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Exchange 2003 smtp queue filled with emails mostly from .tw domain

Posted on 2011-02-10
6
Medium Priority
?
689 Views
Last Modified: 2012-08-13
Our SMTP queue is filled with a ton of emails.  Most of them end in .tw; for example geo.tw.  The queue keeps growing and growing.  In SMTP server properties I unchecked   "Allow all computers which successfully authenticate to relay, regardless of the list above."  I also have "only the list below" selected.  After the changes I restarted the smtp service.  Still no luck.

I do not see email sent out from postmaster.  The sender is some random email address to some random destination email address.

I used network monitor to see where all this smtp traffic is coming from.  They were all a bunch of random public ip's; the ip is spoofed.

Any ideas????

Thanks!
0
Comment
Question by:wyrickits
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 12

Expert Comment

by:DarinTCH
ID: 34864891
if you do not actually recv mail fom the xxx.tw then block it completely
flussh your queue
and monitor it
0
 

Author Comment

by:wyrickits
ID: 34864939
okay,  We our mx record points to our SPAM filter through a 3rd party.  Block it there? Or on the Exchange server?
0
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 2000 total points
ID: 34865192
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34865462
Thanks Shree.

You are an Authenticated relay and my article will help you to identify which account is being abused.  If you want a quick fix - disable Basic and Windows Authentication in your SMTP Virtual Server and restart the SMTP Service.  Then change ALL your passwords.

My blog should help you to tighten up security too:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
0
 

Author Comment

by:wyrickits
ID: 34866022
Shreedhar,

  You were right on.  We had an account that comprised.  We enabled logging then saw the 1708 error which led us to the account.

Thanks!

If the sender is not postmaster@yourdomain.com and is some random address, please Open Exchange System Manager and expand Servers> Right-click the Server Name and choose Properties> Select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to maximum.  Once you have done this, keep an eye on your Application Event Logs looking for event ID 1708 and it should soon become apparent which account is being abused.  Once you know which user account is being abused, change the password for that account and then stop and restart the Simple Mail Transfer Protocol Service and then cleanup your queues (The Administrator account is the usual target for spammers).  Here is a good document to help you cleanup – http://www.amset.info/exchange/spam-cleanup.asp
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866048
There is also a tool called AQADMCLI.exe that you can use to quickly zap the queues on your server rather than have to follow the link in my article.

Have a quick search for it and if you get stuck for the right commands - please ask.

Alan
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question