Solved

Spam emails filling up Exchange 2003 Queue

Posted on 2012-04-03
10
640 Views
Last Modified: 2012-04-04
All

I'm at my wits end.  I have a sbs 2003 with exchange and the queue seem to be constantly filling up.  I scanned pcs and servers with Malware Bytes, combofix, and Symantec.  Under the default virtual server I see some connections under the [current status].  These ips are known to be bad.  I terminate them but them come back after a while.  I need some program to trace where these are coming from.  I even shutdown every pc except the server and a couple other critical pcs.

help
0
Comment
Question by:jacobb_2000
  • 3
  • 2
  • 2
  • +2
10 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 37803481
My article discusses an Authenticated Relay situation (as well as an NDR attack) and due to the volume of Authenticated relay Attacks I have seen of late, I would suspect that this is what is happening.

Please have a read of my article and work through the logging level increase to isolate the account.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also - please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last blog entry has a quick fix which should stop the problem dead in it's tracks.

Alan
0
 
LVL 12

Expert Comment

by:Deepu Chowdary
ID: 37803500
Enable IMF settings and create a new Virtual SMTP server, rename the queue and restart the Smtp service.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37803504
I had this happen to a client. We put them on MXLogic, tightened their firewall down to not accept or send ANY mail inbound or outbound unless it goes through MXLogic, it went away immediately.

It will take a long time to blacklist the IP ranges from China and Korea in your firewall.
0
 
LVL 12

Expert Comment

by:DLeaver
ID: 37803576
One way of stopping this when I have had this issue is adjusting the SMTP authentication/relay settings as I posted in this previous post here

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_27606804.html

This won't empty your queues once they are full but it should stop Exchange from getting full of SPAM once you have empted them- nice and simple
0
Promote certifications in your email signature

Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

 
LVL 9

Expert Comment

by:Geodash
ID: 37803591
What happened to a previous client of mine was they put the wrong setting somewhere in Exchange, I don't remember where, which allowed their server to be a relay from the web with some vulnerability on the server, Microsoft has patched it since. We fixed it and locked EVERYTHING down through MXLogic and the Sonicwall now absolutely nothing gets through.

There Queue was filling up with over 200,000k SPAM messages a day
0
 

Author Comment

by:jacobb_2000
ID: 37803642
Alan

I removed basic and integrated auth.  so far so good. let me give it a day or two and will give you the points if that solves the issues.
thx

Jake
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37803649
So removing basic and integrated auth, if a spammer out there is still sending say 2,000 mails per hour to your server, your server is still processing them, just not letting them through. There is still overhead and bandwidth and latency and everything else. I hope it fixes the issue.
0
 

Author Comment

by:jacobb_2000
ID: 37807373
Alan

so far all looking good.
thanks a lot.

I will give you all the points

jake
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37807388
Thanks Jake - glad your problem is sorted and thanks for the points.

Alan
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Exchange 2013 -Load Balancing 5 33
Import Cert issue 15 41
exchange, outlook 6 29
MX Backup 4 37
Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
"Migrate" an SMTP relay receive connector to a new server using info from an old server.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now