SBS Server 2008. Exchange spam problem.

I have a 2008 SBS server. Everything has been working fine and perfectly until the 23rd of Dec. The Edge Transport.exe is allocating all the memory and CPU. And the mail.que is like 12 gb. I have only 10 users and only one that is frequently used.
The server has 12 Gb RAM, and it has been allocating about 7-8 Gb, but now it uses everything and the server is going slow.
I have read the log files and I see in "Agentlog" that there are like 30 files, each at 10 Mb. And the same in "MessageTracking".
I have searched and tried to find a solution but I don't know what I should do.
The server is in an education solution and in a few weeks the server shall be newly installed, so there is no antivirus program on that machine; it should be installed when everything is being newly installed.
It was a wrong decision to let the server face the internet without an antispam program or appliance like Cisco IronPort or SonicWall Email Security; at minimum you should have Kaspersky for Exchange Server.
Now if you have a backup, just restore your server and install antispam on it, then connect it to the internet.
You could also use the filters that already exist in Exchange and set the parameters to not accept any email except from trusted senders, but you should add them to your white list manually, and this is temporary until you install antispam.
Have any backups been done? Backups will remove the Exchange log files. I would run an NT backup of Exchange daily and see if this clears up the log files.
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
Try this: in Microsoft Exchange / Hub Transport / Anti-Spam / Content Filtering, right-click and go to Properties, and 1. send the info you have configured here and 2. under Actions select to quarantine messages that have an SCL rating greater than or equal to 5, quarantine to: (create a spam user and give this account an email address).

Log into OWA with the account you created for the spam account, or preferably from a workstation so you can use Outlook 2007 / 2010. What this allows you to do is get a visual of the SPAM and where it's coming from. Many times it's one source; for example you'll see 300 emails from Rolex or Viagra. You can also use the header information to track down the source. As well, you can easily delete the emails as they come in, clearing out the queue. Understand this is not a permanent solution; at this point it's a step in identifying the problem and clearing up SPAM that is taking over your server.

Hopefully the Content Filter SCLs can be adjusted to decrease the amount of SPAM. Because you created a spam account we can view incoming SPAM and continue to isolate the problem; we should see email decrease quite a bit.

I had something like this happen to a server and it ended up being an infected workstation, so I don't recommend restoring the server; that's a lot of work and we need to identify the problem first.

Let me know the Content Filter settings and what you see quarantined when you view in the spam account and we'll go from here.
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
To manage the size of the agentlog file try this
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
It sounds to me like you don't have the agentlog and tracking log file sizes set correctly, so they just continue to grow, which has been taking up space and memory. You can actually delete the agent log and tracking logs, maybe delete half of them; all this does is prevent you from being able to track email to the earliest log.

CAUTION: DO NOT DELETE transaction logs that are used with the Exchange database. As well, a full backup will commit the transaction logs but it will not delete the agent or tracking logs; you have to delete them manually, or what I would do is change the size they're allowed to grow to and how long to save them.
Vservice Author Commented:
Wow... that was an impressively fast response. It's a bit hard for me to manage this tonight, but after work tomorrow I'm going through all the responses to see how I can fix this first and then secure the server the right way.
I wonder if "Norton Symantec Endpoint" or "Kaspersky" is the best.
Good luck. Personally I don't think of any of them as "best"; it's more like a necessary evil.
Vservice Author Commented:
Hi again!

I have done as you said. I changed the settings for "content filtering" under "action".
I created an account spam@.....

I logged in to that through OWA, but no messages appear.
Right now "AgentLog20111227-1" (10 241 Kb) and "AgentLog20111227-2" is being created...
The internet is going sloooooow, so slow now. What more can I do?
I am going to fix this to know what I should do next time this happens. But I AM going to get an AV and an anti-spam program.
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
If your internet is slow, download and run TCPView to see what has a connection to your server. You may also find too many connections open. I remember a while ago troubleshooting a slow server and it was DNS; there were too many instances of DNS running. I ended the processes, restarted DNS and the problem was resolved. Not saying you have a DNS problem, but click on "State" to arrange the "Established" connections and go through these to see what your server is connected to. This should give you an idea if you're having slow internet. There are a number of bandwidth test sites that you can run simultaneously when you disconnect connections until you find the bandwidth increase. You can resolve the remote address by using DNS lookup.
Vservice Author Commented:
To set things straight: the problem with the internet and server being slow occurs when the "EdgeTransport" service is started. Otherwise the server and internet work fine. I think my server is being used to send spam mail. When I looked in "TransportRoles/logs" and "Agentlog" and "MessageTracking", lots and lots of mail addresses are being created in those text files. But only when I enable the "EdgeTransport" service.
And the "Spam@...." is still empty. So I don't know if I'm getting spam or if my server is being used to send spam...
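Added example (not part of the thread): one way to answer the question in the post above, whether the server is receiving spam or relaying it, is to classify the RECEIVE events in the MessageTracking logs by recipient domain and client IP. The sample rows, `school.example`, the `192.168.` LAN prefix and the function name `Get-TrackingSummary` are constructed for illustration, and PowerShell 2.0 or later is assumed.

```powershell
# Constructed sample in message tracking log layout ("#Fields:" header, then CSV rows).
# Real logs carry more columns; the domains and IPs here are documentation values.
$sample = @'
#Software: Microsoft Exchange Server
#Fields: date-time,client-ip,source,event-id,recipient-address,sender-address
2011-12-27T10:00:01Z,203.0.113.7,SMTP,RECEIVE,anna@school.example,promo@bulk.example
2011-12-27T10:00:02Z,198.51.100.9,SMTP,RECEIVE,x1@victim.example;x2@victim.example,a@fake.example
2011-12-27T10:00:03Z,198.51.100.9,SMTP,RECEIVE,x3@other.example,b@fake.example
2011-12-27T10:00:04Z,192.168.16.23,SMTP,RECEIVE,x4@other.example,c@fake.example
2011-12-27T10:00:05Z,198.51.100.9,SMTP,SEND,x3@other.example,b@fake.example
'@ -split "`r?`n"

function Get-TrackingSummary {
    param(
        [string[]]$Lines,
        [string[]]$LocalDomains,          # domains this server accepts mail for
        [string]$LanPrefix = '192.168.'   # assumed internal address range
    )
    # Column names come from the "#Fields:" line, so full-width real logs parse the same way.
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '') -split ','
    $rows = $Lines | Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $fields

    $rows | Where-Object { $_.'event-id' -eq 'RECEIVE' } | ForEach-Object {
        $row = $_
        # recipient-address can hold several addresses separated by ';'
        foreach ($rcpt in ($row.'recipient-address' -split ';')) {
            $domain = ($rcpt -split '@')[-1]
            # Local recipient: ordinary inbound mail (spam or not).
            # Foreign recipient from a LAN address: a workstation is sending out.
            # Foreign recipient from an outside address: the server is relaying.
            $kind = if ($LocalDomains -contains $domain) { 'Inbound' }
                    elseif ($row.'client-ip' -like "$LanPrefix*") { 'OutboundFromLan' }
                    else { 'RelayedFromInternet' }
            New-Object PSObject -Property @{ Kind = $kind; ClientIp = $row.'client-ip' }
        }
    } | Group-Object Kind, ClientIp | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-TrackingSummary -Lines $sample -LocalDomains 'school.example'
```

On a real server, pass the lines of a copied log file with `Get-Content` instead of `$sample`; working on a copy avoids having to keep the transport service running while the logs are read.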
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
Check if you have an open relay, go to type in your domain select MXLookup then SMTP Test. Let me know the status of open relay and transaction time.
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
Do you have any errors reported in Event Viewer pertaining to "MSExchangeTransport", specifically Event ID: 15002?
Vservice Author Commented:
I am getting this though: 15007 (and 15004)

The Microsoft Exchange Transport service is rejecting message submissions because the service continues to consume more memory than the configured threshold.

Resource utilization of the following resources exceed the normal level:
Private bytes = 86% [High] [Normal=71% Medium=73% High=75%]
Physical memory load = 99% [limit is 94% before message dehydration occurs.]

Back pressure caused the following components to be disabled:
Inbound mail submission from Hub Transport servers
Inbound mail submission from the Internet
Mail submission from the Pickup directory
Mail submission from the Replay directory
Mail submission from Mailbox servers
Loading of e-mail from the queuing database (if available)

The following resources are in the normal state:
Queue database and disk space ("C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue\mail.que") = 59% [Normal] [Normal=95% Medium=97% High=99%]
Queue database logging disk space ("C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue\") = 59% [Normal] [Normal=95% Medium=97% High=99%]
Version buckets = 2 [Normal] [Normal=80 Medium=120 High=200]

Vservice Author Commented:
187 ms
187 ms
my sql
187 ms
remote desktop
187 ms
187 ms
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
Have you run Exchange Best Practices Analyzer to see if it narrows down the problem?
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
Most of the time back pressure is caused by low disk space due to log files growing too big. However it appears memory is a concern here; have you checked physical memory for errors? If you're running a Dell PowerEdge you can run Dell OpenManage / Server Administrator and check individual DIMMs. I believe HP has an application you can run as well if you have this type of server.
Vservice Author Commented:
I think I don't get a good result because the network is going down and the processor and memory go berserk when I start the "edge transport" protocol. And the internet is almost dead because of the speed problem, because the server is sending some kind of spam.
So... maybe (even if I want to find out the problem first) I should reinstall the server, WITH an antivirus program.
Vservice Author Commented:
No. I have an HP DL380 G5. But I can take it down and use a USB with HP's program to control everything. I'll do that tomorrow. But when I run it without Edge Transport the server works perfectly, fast and trouble free. But I have to do that in case of any hardware issues.
Vservice Author Commented:
And I think that the issue has to do with some kind of spam problem. When I open the Agent and Message logs... they are full of 1000s and 1000s of mail addresses.
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
What do your queues look like? Any with large amounts of unsent mail or a message with a large attachment?

Use Get-Queue in PowerShell.
Vservice Author Commented:
This is a queue 10 seconds after I enabled the edge transport
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
Did you try this yet, as posted prior: check if you have an open relay, go to type in your domain select MXLookup then SMTP Test. Let me know the status of open relay and transaction time.

It takes two seconds and you can run it from any computer; it doesn't have to be the server.

Caution, a SPAM filter doesn't necessarily prevent things like this from happening; it helps, but it mainly keeps SPAM from making it to end users. If you don't isolate the problem a SPAM filter won't exactly prevent it from happening again; the only way to do this is to isolate the problem. Hate to see you do the work and get the problem come back.
Vservice Author Commented:
OK - ************ resolves to ***************
 Warning - Reverse DNS does not match SMTP Banner
 0 seconds - Good on Connection time
 May be an open relay.
 10.359 seconds - Not good! on Transaction tim
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
"May be an open relay" is not good; it should definitely say "Not An Open Relay". What IPs are listed in "Receive mail from remote servers that have these IP addresses" in the Receive Connector?
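Added example (not from the thread): a check of the Receive Connectors asked about above, to be run in the Exchange Management Shell with PowerShell 2.0 or later assumed. It lists each connector's accepted remote IP ranges and flags connectors where anonymous sessions have been granted the `ms-Exch-SMTP-Accept-Any-Recipient` right, the permission that allows unauthenticated senders to address recipients in domains the server does not host. The output column names are chosen for this example.

```powershell
# Run in the Exchange Management Shell on the Exchange server.
$anon = 'NT AUTHORITY\ANONYMOUS LOGON'

Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    # Non-denied grants of the "accept any recipient" right to anonymous sessions.
    $grant = $rc | Get-ADPermission -User $anon | Where-Object {
        -not $_.Deny -and ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient')
    }

    New-Object PSObject -Property @{
        Connector       = $rc.Name
        Enabled         = $rc.Enabled
        # True when anonymous connections are accepted at all on this connector.
        AnonymousUsers  = ("$($rc.PermissionGroups)" -match 'AnonymousUsers')
        # True when anonymous sessions may address any recipient domain.
        AnonAnyRcpt     = [bool]$grant
        AuthMechanism   = "$($rc.AuthMechanism)"
        # Wide ranges such as 0.0.0.0-255.255.255.255 mean "any host on the internet".
        RemoteIPRanges  = ($rc.RemoteIPRanges -join ', ')
        Bindings        = ($rc.Bindings -join ', ')
    }
} | Sort-Object AnonAnyRcpt -Descending |
    Format-List Connector, Enabled, AnonAnyRcpt, AnonymousUsers, AuthMechanism, RemoteIPRanges, Bindings

# To revoke the right on a connector that should not relay (the name is a placeholder):
# Get-ReceiveConnector '<connector name>' |
#     Remove-ADPermission -User $anon -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'
```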
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
Being an SBS, you may want to run Fix My Network
Vservice Author Commented:

And the fault in Repair the network is "SMTP-couplings for exchangeare not valid" and cannot be repaired.
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
What does Exchange Best Practices Analyzer tell you?
Vservice Author Commented:
Well... I have to run it with the Edge Transport started, which is going to slow the server down so it is almost not doable, but I can try.

By the way... the old queue was 12,8 Gb before I moved everything to an old folder.
WORKS2011 Managed IT Services, Cyber Security, Backup Commented:
This link may help understanding and running some of the tools available

I'm a little worried about the "SMTP-couplings for exchangeare not valid" error. I haven't seen it before, and research keeps bringing up things about partnerships and linking Exchange to another Exchange server; better to say I need to keep researching.
Vservice Author Commented:
Well, here is the solution to my problem.
The first thing I did was install a 30-day trial of Kaspersky Internet Security.
I ran all the scans (with no fault or virus). Then I moved all (except the latest) log files to an Old folder for the Agent and Message files. I moved all the files in the "Queue" folder to an old folder, and then I restarted the server and the "edge transport" and let it work for a while... and voila... it works just fine now.
Message log = 6 kb and 2 kb,
Agent log = 1 kb.
Queue = 1 Mb...

And I know I lose all the queue and so on... but it was worth it, because now it does as it should.
Nr 2. The DNS, MX on the web host for the domain name was incorrect because the IP has been changed, and new dns to

So all in all I give you the points, because all of the work with the Best Practices Analyzer and info meant that I could solve the problem... thanks a lot!!!!