[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 650
  • Last Modified:

Exchange 2003 queue getting full

Hi guys,

I have an Exchange 2003 server system which has been working fine but recently we get lots of spams taking advantage of our server just like an open relay.

- I've tested open relay from public but it is not an open relay.
- It only happened at certain hours (usually from midnight till 9am)

We have an AD/ISA server up front, and then an Exchange server inside. IPs as followed
- AD/ISA: 192.168.1.100 (external), 172.38.6.1 (internal)
- Exchange: 172.38.6.2

ISA is publishing all the necessary rules from Exchange server.
The "Default SMTP Virtual Server" from Exchange is "Allowing All computers which sucessfully authenticate to relay".
Right now the spams come in too often and it is taking all the smarthost quota that we have.
In Application Logs, I typically get this message:
-------------
This is an SMTP protocol warning log for virtual server ID 1, connection #908. The remote host "204.13.248.71", responded to the SMTP command "mail" with "451 Daily Message Quota Exceeded  ". The full command sent was "MAIL FROM:<pooh@anet.net.tw> SIZE=2318  ".  This may cause the connection to fail.
---------------

How do I know where this came from and how to stop it ? Thank you
0
Johnny_Nguyen
Asked:
Johnny_Nguyen
2 Solutions
 
Viral RathodConsultantCommented:
0
 
.Commented:
Hi, Does your firewall allow all connections on TCP:25 to hit your Exchange ? if so it could be an authenticated relay which means that a user on your network may have had their password compromised allowing an attacker to send email using SMTP Authentication. The other possiblity is that a PC on your network may have malware.

Read the following article. It will show you how to increase the Transport log level to pinpoint where the attach is coming from. It will also show you a way of purging the queue quickly.

http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

You should run a syslog from your Firewall to see where the traffic is coming from.

Be sure to have password policies inplace that force complexity and account lockout and advise is to close SMTP as best you can. As an example you can improve your server performance by have an external message cleansing source, like Messagelabs or MimeCast, then lock down your SMTP so that only the IP ranges used by these MTA's can access your Exchange using SMTP.

Another consideration would be to check the queue content, are they Postmaster messages?
0
 
Johnny_NguyenAuthor Commented:
Thank you. I did all the above measures and it seems to have stopped
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now