Solved

Exchange 2003 Spam Issue

Posted on 2011-09-03
Last Modified: 2012-05-12
We have an Exchange 2003 server that we believe was under an NDR attack. We enabled Recipient Filtering and cleared the outbound SMTP queue using a false SMTP connector. I have temporarily disabled the inbound SMTP traffic to our server and still have the false connector running, but we still have a tremendous amount of traffic appearing in the "messages waiting to be delivered" queue. I don't understand why messages are still appearing in the queue even though I have shut down the inbound traffic to the server. We did a scan of the server and found no viruses or malware.

Any suggestions would be appreciated.

Thanks.
Question by:mcgowray
21 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478511
Even after disabling the inbound traffic, the server may still add mail to the queue because it is still processing what was received before you shut the traffic down.

Another explanation is if you have RPC over HTTPS users sending mail via your server using HTTPS traffic which you haven't blocked.

Try stopping inbound HTTPS for the time being and then empty the queues, which you can do quickly with aqadmcli.exe:

http://community.spiceworks.com/how_to/show/267
0
 

Author Comment

by:mcgowray
ID: 36478516
We shut down the inbound traffic over 12 hours ago; is it possible that there is that much traffic left over that has to be processed?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478517
Once your queues are 100% empty, open up either HTTPS or SMTP traffic and monitor activity for a while.

If all is well, open up the other traffic and monitor.

You could have an Outlook client using RPC over HTTPS that has an infection!!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478518
Unlikely - shut down inbound HTTPS too.
0
 

Author Comment

by:mcgowray
ID: 36478523
How do I shut down https inbound?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478528
On your firewall.
0
 

Author Comment

by:mcgowray
ID: 36478538
HTTPS was only set on the firewall for remote management. There are no other rules on the firewall pointing to the mail server.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478542
Okay - so all traffic to the server is closed off?

Empty the queue using aqadmcli.exe - then monitor the outbound queues.

Do you have any computers turned on within your LAN?
0
 

Author Comment

by:mcgowray
ID: 36478545
OK. There are a couple of systems still on, but I am logged in remotely to the server using terminal services.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478553
Have you discovered why the blacklist sites were listing you? Some will advise the reason, e.g. a certain type of spambot, which they should tell you the name of.
0
 

Author Comment

by:mcgowray
ID: 36478559
I checked and they stated that they received UCEs from us within a certain time period, which flagged us.
0
 

Author Comment

by:mcgowray
ID: 36478564
I cleared the queues but mail continues to flow into the queues.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478566
Did you visit www.mxtoolbox.com/blacklists.aspx?

If not, please do: enter your IP, check, and then click on a link to see why. CBL usually lists the virus if there is one involved.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478569
Sounds like an internal infection.

Can you shut down a PC at a time in the office?
0
 

Author Comment

by:mcgowray
ID: 36478573
I will try to log in to the stations and shut them down.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478578
If you shut one down, then monitor the queues after emptying, you should be able to work out which one is your problem one. Hopefully you don't have more than one.
0
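Shutting down one PC at a time works, but if protocol logging is enabled on the SMTP virtual server the same isolation can be done from the log instead of by trial and error. The script below is an added example and is not part of this thread or of any Exchange tool: it assumes W3C-format SMTP logs with the field layout shown (c-ip, cs-method, sc-status), and the log lines are constructed to mimic one chatty LAN host plus an outside sender that recipient filtering rejects.

```python
from collections import Counter

# Constructed sample in the W3C extended format the Exchange 2003 SMTP virtual
# server writes when protocol logging is enabled (field layout is an assumption).
# 192.168.1.57 plays the suspected infected LAN host; 203.0.113.9 is an outside
# sender whose RCPT is rejected (550) by recipient filtering.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2011-09-03 01:00:01 192.168.1.23 MAIL +FROM:<bob@example.com> 250
2011-09-03 01:00:01 192.168.1.23 RCPT +TO:<alice@example.org> 250
2011-09-03 01:00:02 192.168.1.57 MAIL +FROM:<x@random.invalid> 250
2011-09-03 01:00:02 192.168.1.57 RCPT +TO:<a1@example.net> 250
2011-09-03 01:00:02 192.168.1.57 RCPT +TO:<a2@example.net> 250
2011-09-03 01:00:03 192.168.1.57 MAIL +FROM:<y@random.invalid> 250
2011-09-03 01:00:03 192.168.1.57 RCPT +TO:<a3@example.net> 250
2011-09-03 01:00:03 192.168.1.57 RCPT +TO:<a4@example.net> 250
2011-09-03 01:00:03 192.168.1.57 RCPT +TO:<a5@example.net> 250
2011-09-03 01:00:04 203.0.113.9 MAIL +FROM:<spam@random.invalid> 250
2011-09-03 01:00:04 203.0.113.9 RCPT +TO:<nobody@example.com> 550
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def rank_senders(text):
    """Return [(client_ip, MAIL count, RCPT count)], busiest client first.
    Only commands answered 250 count, so RCPTs that recipient filtering
    rejected with 550 (the NDR-attack traffic) do not inflate a client."""
    msgs, rcpts = Counter(), Counter()
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "250":
            continue
        if rec["cs-method"] == "MAIL":
            msgs[rec["c-ip"]] += 1
        elif rec["cs-method"] == "RCPT":
            rcpts[rec["c-ip"]] += 1
    return sorted(((ip, msgs[ip], rcpts[ip]) for ip in set(msgs) | set(rcpts)),
                  key=lambda t: (-t[2], -t[1], t[0]))


if __name__ == "__main__":
    for ip, sent, rcpt in rank_senders(SAMPLE_LOG):
        print(f"{ip:16} MAIL={sent:4} RCPT={rcpt:4}")
```

Point it at the real log directory and the top-ranked internal address is the first PC to pull off the network; a host with few MAIL commands but a huge RCPT count is the classic spambot pattern.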
 

Author Comment

by:mcgowray
ID: 36478584
I will, so you don't think it is anything on the server itself?
0
 
LVL 76

Accepted Solution

by:Alan Hardisty earned 500 total points
ID: 36478588
It is unlikely, but not impossible. If you shut down all PCs and still the queues grow, then it is very likely.
0
 

Author Comment

by:mcgowray
ID: 36478593
OK. Thanks for the help.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478597
No problems. Keep me posted with your progress and good luck.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36478620
No need to close the question yet. Wait until you know the answer first.
0