• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 329

Exchange 2003 Spam Issue

We have an Exchange 2003 server that we believe was under an NDR attack. We enabled Recipient Filtering and cleared the outbound SMTP queue using a false SMTP connector. I have temporarily disabled the inbound SMTP traffic to our server and still have the false connector running, but we still have a tremendous amount of traffic appearing in the "messages waiting to be delivered" queue. I don't understand why messages are still appearing in the queue even though I have shut down the inbound traffic to the server. We did a scan of the server and found no viruses or malware.

Any suggestions would be appreciated.

thanks.
0
Asked: mcgowray
1 Solution
 
Alan HardistyCommented:
Even after disabling the inbound traffic, the server may still add mail to the queue because it is still processing what was received before you shut the traffic down.

Another explanation is if you have RPC over HTTPS users sending mail via your server using HTTPS traffic which you haven't blocked.

Try stopping inbound HTTPS for the time being and then empty the queues, which you can do quickly with aquadmcli.exe:

http://community.spiceworks.com/how_to/show/267
0
 
mcgowrayAuthor Commented:
We shut down the inbound traffic over 12 hours ago; is it possible that there is that much traffic left over that has to be processed?
0
 
Alan HardistyCommented:
Once your queues are 100% empty, open up either HTTPS or SMTP traffic and monitor activity for a while.

If all is well, open up the other traffic and monitor.

You could have an Outlook client using RPC over HTTPS that has an infection!!
0
 
Alan HardistyCommented:
Unlikely - shut down inbound HTTPS too.
0
 
mcgowrayAuthor Commented:
How do I shut down https inbound?
0
 
Alan HardistyCommented:
On your firewall.
0
 
mcgowrayAuthor Commented:
HTTPS was only set on the firewall for remote management. There are no other rules on the firewall pointing to the mail server.
0
 
Alan HardistyCommented:
Okay - so all traffic to the server is closed off?

Empty the queue using aquadmcli.exe - then monitor the outbound queues.

Do you have any computers turned on within your LAN?
0
 
mcgowrayAuthor Commented:
OK. There are a couple of systems still on, but I am logged in remotely to the server using terminal services.
0
 
Alan HardistyCommented:
Have you discovered why the blacklist sites were listing you? Some will advise the reason, e.g. a certain type of spambot, which they should tell you the name of.
0
 
mcgowrayAuthor Commented:
I checked and they stated that they received UCEs from us within a certain time period, which flagged us.
0
 
mcgowrayAuthor Commented:
I cleared the queues but mail continues to flow into the queues.
0
 
Alan HardistyCommented:
Did you visit www.mxtoolbox.com/blacklists.aspx?

If not, please do: enter your IP, check, and then click on a link to see why. CBL usually lists the virus if there is one involved.
0
 
Alan HardistyCommented:
Sounds like an internal infection.

Can you shut down a PC at a time in the office?
0
 
mcgowrayAuthor Commented:
I will try to log in to the stations and shut them down.
0
 
Alan HardistyCommented:
If you shut one down, then monitor the queues after emptying, you should be able to work out which one is your problem one. Hopefully you don't have more than one.
0
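Shutting workstations down one at a time works, but a faster way to narrow down which LAN host is feeding the queue is to look at who is actually talking SMTP to the server. The script below is an added example, not code from this thread or from Microsoft: it assumes protocol logging is enabled on the SMTP virtual server in W3C extended format, assumes the field layout shown in the `FIELDS` constant (a hypothetical header of the IIS 6 SMTP service type), and uses constructed log lines rather than a real capture. It counts `MAIL FROM` commands per connecting IP and flags hosts that either submit far more messages than a user would or rotate through many envelope senders, a pattern typical of a spambot. The thresholds in `suspicious_hosts` are assumed values to be tuned for the site.

```python
import re
from collections import defaultdict

# Assumed W3C extended log field list of the kind the IIS/Exchange 2003 SMTP
# virtual server writes with protocol logging on (hypothetical, for this example).
FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port "
          "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
          "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
          "cs(Cookie) cs(Referer)")


def _row(client_ip, method, query, when="08:00:01"):
    """Build one constructed log line with every column in FIELDS filled."""
    return (f"2010-03-01 {when} {client_ip} - SMTPSVC1 MAILSRV 192.168.1.10 25 "
            f"{method} - +{query} 250 0 0 0 0 SMTP - - - -")


def build_sample_log():
    """Constructed sample log: one normal user workstation and one host that
    behaves like a bot (many messages, a different envelope sender each time)."""
    lines = ["#Software: Microsoft Internet Information Services 6.0",
             "#Version: 1.0",
             "#Date: 2010-03-01 08:00:00",
             "#Fields: " + FIELDS]
    # 192.168.1.50: an ordinary client sending two messages as the same user
    for i in range(2):
        lines += [_row("192.168.1.50", "HELO", "workstation1"),
                  _row("192.168.1.50", "MAIL", "FROM:<alice@example.com>"),
                  _row("192.168.1.50", "RCPT", f"TO:<bob{i}@example.net>")]
    # 192.168.1.77: thirty messages, each under a forged sender address
    for i in range(30):
        lines += [_row("192.168.1.77", "HELO", "localhost"),
                  _row("192.168.1.77", "MAIL", f"FROM:<user{i}@example.org>"),
                  _row("192.168.1.77", "RCPT", f"TO:<victim{i}@example.net>")]
    return "\n".join(lines) + "\n"


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    Directive lines (#Software, #Date, ...) and malformed rows are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                records.append(dict(zip(fields, parts)))
    return records


def summarize_clients(records):
    """Per connecting IP: number of MAIL commands, distinct envelope senders,
    and the HELO/EHLO names the client presented."""
    stats = defaultdict(lambda: {"mail": 0, "senders": set(), "helo": set()})
    for r in records:
        ip, method = r["c-ip"], r["cs-method"].upper()
        query = r["cs-uri-query"].lstrip("+")   # the logger prefixes args with '+'
        if method == "MAIL":
            stats[ip]["mail"] += 1
            m = re.search(r"<([^>]*)>", query)
            stats[ip]["senders"].add((m.group(1) if m else query).lower())
        elif method in ("HELO", "EHLO"):
            stats[ip]["helo"].add(query)
    return dict(stats)


def suspicious_hosts(stats, max_mail=20, max_senders=3):
    """Return [(ip, mail_count, reasons)] for hosts whose submission pattern
    looks like a spambot rather than a user. Thresholds are assumed defaults."""
    flagged = []
    for ip, s in stats.items():
        reasons = []
        if s["mail"] > max_mail:
            reasons.append(f"{s['mail']} MAIL commands")
        if len(s["senders"]) > max_senders:
            reasons.append(f"{len(s['senders'])} distinct envelope senders")
        if reasons:
            flagged.append((ip, s["mail"], reasons))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    client_stats = summarize_clients(parse_w3c(build_sample_log()))
    for ip, count, reasons in suspicious_hosts(client_stats):
        print(f"{ip}: {count} messages; {'; '.join(reasons)}")
```

Run it against a real log by replacing `build_sample_log()` with the contents of the SMTP virtual server's log file; the IP that comes out on top is the one to pull off the network first, and an empty result after the queues are cleared is what you want to see before reopening inbound SMTP.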
 
mcgowrayAuthor Commented:
I will, so you don't think it is anything on the server itself?
0
 
Alan HardistyCommented:
It is unlikely, but not impossible. If you shut down all PCs and still the queues grow, then it is very likely.
0
 
mcgowrayAuthor Commented:
OK. Thanks for the help.
0
 
Alan HardistyCommented:
No problems. Keep me posted with your progress and good luck.

Alan
0
 
Alan HardistyCommented:
No need to close the question yet. Wait until you know the answer first.
0
