Solved

Exchange 2003 queue getting full

Posted on 2011-09-13
3
636 Views
Last Modified: 2012-06-21
Hi guys,

I have an Exchange 2003 server system which has been working fine but recently we get lots of spams taking advantage of our server just like an open relay.

- I've tested open relay from public but it is not an open relay.
- It only happened at certain hours (usually from midnight till 9am)

We have an AD/ISA server up front, and then an Exchange server inside. IPs as followed
- AD/ISA: 192.168.1.100 (external), 172.38.6.1 (internal)
- Exchange: 172.38.6.2

ISA is publishing all the necessary rules from Exchange server.
The "Default SMTP Virtual Server" from Exchange is "Allowing All computers which sucessfully authenticate to relay".
Right now the spams come in too often and it is taking all the smarthost quota that we have.
In Application Logs, I typically get this message:
-------------
This is an SMTP protocol warning log for virtual server ID 1, connection #908. The remote host "204.13.248.71", responded to the SMTP command "mail" with "451 Daily Message Quota Exceeded  ". The full command sent was "MAIL FROM:<pooh@anet.net.tw> SIZE=2318  ".  This may cause the connection to fail.
---------------

How do I know where this came from and how to stop it ? Thank you
0
Comment
Question by:Johnny_Nguyen
3 Comments
 
LVL 17

Accepted Solution

by:
Viral Rathod earned 300 total points
ID: 36533621
0
 
LVL 15

Assisted Solution

by:It breaks therefore I am
It breaks therefore I am earned 200 total points
ID: 36534479
Hi, Does your firewall allow all connections on TCP:25 to hit your Exchange ? if so it could be an authenticated relay which means that a user on your network may have had their password compromised allowing an attacker to send email using SMTP Authentication. The other possiblity is that a PC on your network may have malware.

Read the following article. It will show you how to increase the Transport log level to pinpoint where the attach is coming from. It will also show you a way of purging the queue quickly.

http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

You should run a syslog from your Firewall to see where the traffic is coming from.

Be sure to have password policies inplace that force complexity and account lockout and advise is to close SMTP as best you can. As an example you can improve your server performance by have an external message cleansing source, like Messagelabs or MimeCast, then lock down your SMTP so that only the IP ranges used by these MTA's can access your Exchange using SMTP.

Another consideration would be to check the queue content, are they Postmaster messages?
0
 
LVL 1

Author Closing Comment

by:Johnny_Nguyen
ID: 36813770
Thank you. I did all the above measures and it seems to have stopped
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question