Solved

Exchange 2003 smtp queue filled with emails mostly from .tw domain

Posted on 2011-02-10
Last Modified: 2012-08-13
Our SMTP queue is filled with a ton of emails.  Most of them end in .tw; for example geo.tw.  The queue keeps growing and growing.  In SMTP server properties I unchecked   "Allow all computers which successfully authenticate to relay, regardless of the list above."  I also have "only the list below" selected.  After the changes I restarted the smtp service.  Still no luck.

I do not see email sent out from postmaster.  The sender is some random email address to some random destination email address.

I used network monitor to see where all this SMTP traffic is coming from.  They were all a bunch of random public IPs; the IP is spoofed.

Any ideas????

Thanks!
Question by:wyrickits
6 Comments
 
LVL 12

Expert Comment

by:DarinTCH
ID: 34864891
If you do not actually receive mail from the xxx.tw then block it completely,
flush your queue
and monitor it
0
 

Author Comment

by:wyrickits
ID: 34864939
Okay, our MX record points to our SPAM filter through a 3rd party.  Block it there? Or on the Exchange server?
0
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 2000 total points
ID: 34865192
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34865462
Thanks Shree.

You are an Authenticated relay and my article will help you to identify which account is being abused.  If you want a quick fix - disable Basic and Windows Authentication in your SMTP Virtual Server and restart the SMTP Service.  Then change ALL your passwords.

My blog should help you to tighten up security too:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
0
 

Author Comment

by:wyrickits
ID: 34866022
Shreedhar,

  You were right on.  We had an account that was compromised.  We enabled logging then saw the 1708 error which led us to the account.

Thanks!

If the sender is not postmaster@yourdomain.com and is some random address, please Open Exchange System Manager and expand Servers> Right-click the Server Name and choose Properties> Select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to maximum.  Once you have done this, keep an eye on your Application Event Logs looking for event ID 1708 and it should soon become apparent which account is being abused.  Once you know which user account is being abused, change the password for that account and then stop and restart the Simple Mail Transfer Protocol Service and then clean up your queues (the Administrator account is the usual target for spammers).  Here is a good document to help you clean up – http://www.amset.info/exchange/spam-cleanup.asp
0
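One way to tally the event ID 1708 entries described above once Authentication logging is at maximum, as an added example that is not part of the original thread. It assumes the Application log was exported to CSV with EventID, Source and Message columns, and the message wording in the constructed sample is an assumption to adapt to what your server actually logs.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of an Application log export (EventID, Source, Message).
# The 1708 message wording below is an assumption; adapt MESSAGE_RE to your log.
SAMPLE_EXPORT = r'''EventID,Source,Message
1708,MSExchangeTransport,"SMTP Authentication was performed successfully with client ""host-a"". The authentication method was ""LOGIN"" and the username was ""EXAMPLE\scanner""."
1708,MSExchangeTransport,"SMTP Authentication was performed successfully with client ""host-b"". The authentication method was ""LOGIN"" and the username was ""EXAMPLE\scanner""."
1708,MSExchangeTransport,"SMTP Authentication was performed successfully with client ""host-c"". The authentication method was ""LOGIN"" and the username was ""example\Scanner""."
1708,MSExchangeTransport,"SMTP Authentication was performed successfully with client ""desk-17"". The authentication method was ""NTLM"" and the username was ""EXAMPLE\jsmith""."
9999,MSExchangeTransport,"Constructed unrelated transport event."
1708,OtherSource,"Constructed event with the same ID from a different source."
'''

# Pulls client, method and account out of the assumed message wording.
MESSAGE_RE = re.compile(
    r'client "(?P<client>[^"]+)".*?method was "(?P<method>[^"]+)"'
    r'.*?username was "(?P<user>[^"]+)"',
    re.S,
)

def summarize_auth_events(export_text):
    """Group MSExchangeTransport 1708 events by account (case-insensitive)."""
    accounts = defaultdict(lambda: {"count": 0, "clients": set(), "methods": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EventID"] != "1708" or row["Source"] != "MSExchangeTransport":
            continue
        match = MESSAGE_RE.search(row["Message"])
        if not match:
            continue  # wording differs from the assumed pattern; skip it
        entry = accounts[match.group("user").lower()]
        entry["count"] += 1
        entry["clients"].add(match.group("client").lower())
        entry["methods"].add(match.group("method").upper())
    return dict(accounts)

def suspect_accounts(summary, min_clients=3):
    """Accounts that authenticated from many distinct clients, busiest first."""
    hits = [(user, s["count"], len(s["clients"]))
            for user, s in summary.items() if len(s["clients"]) >= min_clients]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)

if __name__ == "__main__":
    for user, count, clients in suspect_accounts(summarize_auth_events(SAMPLE_EXPORT)):
        print(f"{user}: {count} SMTP logons from {clients} distinct clients")
```

An account that authenticates from many unrelated clients in a short window is the one to reset first; `min_clients` is a tuning knob, not a value from the thread.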
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866048
There is also a tool called AQADMCLI.exe that you can use to quickly zap the queues on your server rather than have to follow the link in my article.

Have a quick search for it and if you get stuck for the right commands - please ask.

Alan
0


Question has a verified solution.
