?
Solved

Exchange 2003 SP2 running on SBS queues flooded with spam

Posted on 2011-02-28
14
Medium Priority
?
764 Views
Last Modified: 2012-05-11
One of my clients is running SBS 2003 with Exchange 2003 SP2.  We've been having a problem for days with the queues flooded with thousands of SPAM messages.  First thing we checked was for an open relay, which the server is not.  I followed some of the tips mentioned in other EE posts, but so far I haven't been able to get to the bottom of this.  The server has been cleaned of any virus infections, we unplugged all of the workstations and left only the server on over the weekend, and Saturday morning there were thousands of messages queued.  I disabled all of the user accounts in case one of them was hacked, changed the administrator password, etc... but the queues qould still build up.  In the SMTP virtual server properties I disabled anonymous authentication, which did stop the spam, but users were unable to receive email.  We tested from our Exchange server and the messages would sit in our queue.  I enabled logging on the SMTP virtual server, but that didn't give us any information.  We have spent hours and hours trying to figure this out with no promising results.  I am at my wits end here, and I would appreciate any help I could get.  Any ideas?  I keep disabling SMTP and purging the queue folder, force closing connections, etc...  
Thanks!
0
Comment
Question by:szagoria
  • 7
  • 4
  • 3
14 Comments
 
LVL 2

Expert Comment

by:8ubterfug3
ID: 34998427
What is your email domain if you don't mind me asking?
0
 
LVL 1

Author Comment

by:szagoria
ID: 34998466
stiecohen.com
0
 
LVL 2

Expert Comment

by:8ubterfug3
ID: 34998472
Right click on your Default SMTP Virtual Server in System Manager. Go to the Access tab then click on Relay. What options are checked in there?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 1

Author Comment

by:szagoria
ID: 34998499
For relay, "only in ithe list below", and Allow all regardless is unchecked.  I have left the list blank and put the local IP of the server in the list, neither did anything for the spam problem.
0
 
LVL 2

Expert Comment

by:8ubterfug3
ID: 34998571
I don't have much experience with anything other than SMTP in Exchange but is it possible they are using POP or IMAP to spam? How is the authentication configured on those?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34998621
Please have a read of my article - which might reveal that you are an authenticated relay:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

If you are - the info to resolve the issue is also within my article.

Alan
0
 
LVL 1

Author Comment

by:szagoria
ID: 34998642
At this point, I'm thinking anything is possible.  I've disabled POP and IMAP virtual servers.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34998682
You are most likely an Authenticated Relay - please check my article, increase the logging if the messages are not from Postmaster@yourdomain.com and then identify the account that is being abused.

Alan
0
 
LVL 1

Author Comment

by:szagoria
ID: 34998769
Alan, I tried that yesterday (I read your article yesterday morning).  I didn't see anything trying to authenticate, si when the logs didn't clue me in, I just started diabling user accounts, changed the admin password, but the queues were still clogged.  
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34998777
Okay - who is the sender of the emails?  Postmaster or random users not on your domain?
0
 
LVL 1

Author Comment

by:szagoria
ID: 34998972
There are a few postmasters, but 99% are random users.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34999047
Okay - do yo uhave any users externally sending mail to your server via SMTP?

If you don't please disable Basic and Integrated Windows Authentication from your SMTP Virtual Server and then restart the SMTP Service.

Does that stop the flood of spam?

Please also use aqadmcli.exe to zap the current queues:

ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/aqadmcli.exe

To delete messages from a specific domain type the following into a command prompt:
aqadmcli delmsg flags=sender,sender=sender@domain.com

Change the sender@domain.com to match what is in your queues
0
 
LVL 1

Accepted Solution

by:
szagoria earned 0 total points
ID: 35150565
I ended up recreating the SMTP virtual server, connectors and the queues went away.  Odd, but solved.
0
 
LVL 1

Author Closing Comment

by:szagoria
ID: 35178809
Recreating everything solved the issue.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange database can often fail to mount thereby halting the work of all users connected to it. Finding out why database isn’t mounting is crucial and getting the server back online. Stellar Phoenix Mailbox Exchange Recovery is a champion product t…
Upgrading from older Exchange server to the latest Exchange server can be tiresome, error-prone and risky, without being a seasoned exchange server administrators. It can become even problematic if you're an organization that runs on tight timeline…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question