rohnlawadmin asked:
Spam Messages in Exchange Queue

Today my Exchange Server (2003) started crawling and come to find out there's a few thousand spam messages in the queue.  I have us configured to not be an open relay and I also have it configured under connection that only Postini's servers (our antispam provider) can communicate with our Exchange Server.  Yet, I still ended up with a ton of emails queued trying to send from non-existent accounts @ourdomain.com.  Everything is trying to send to various .com.br domains.  Any idea what else I can do to stop this?  Both incoming and outgoing mail are severely affected right now so I need an answer quick.  Thanks!
SOLUTION by Alan Hardisty:
If only Postini can send to your server - make sure that this is the case.  If it is - then you have an infected computer on your network.
rohnlawadmin (asker):
I don't think it is an NDR attack because I have recipient filtering turned on and it isn't an authenticated relay attack either because I turned on diagnostic logging and I have no 1708 event IDs in the logs.
Incoming mail is trickling in but still nothing sending.
You can use something like Wireshark to see if you have large levels of traffic coming from your LAN to your Exchange Server.

Do you have external users using RPC over HTTPS?  If you do - one of the users can have an infected computer.
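The two indicators the thread describes (thousands of MAIL FROM addresses for accounts that do not exist at @ourdomain.com, and one LAN host hammering the Exchange server with SMTP) can be pulled out of the SMTP virtual server's protocol log instead of a packet capture. The script below is an added example, not code from this thread or from Exchange; it assumes a simplified, constructed log format (date, time, client IP, SMTP command and address, which is a reduced form of the W3C-style lines Exchange SMTP protocol logging can produce), a constructed list of known mailbox users, and constructed sample lines. It ranks internal client IPs by the number of MAIL FROM commands they issue, lists sender addresses at our domain that match no known user, and counts recipient domains, so the host to isolate and the spam pattern both show up in one pass.

```python
import re
from collections import Counter

# Simplified SMTP protocol log line (constructed format, assumption):
#   <date> <time> <client-ip> MAIL FROM:<addr>   or   ... RCPT TO:<addr>
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<cmd>MAIL|RCPT) (?:FROM|TO):<(?P<addr>[^>]*)>$"
)

# Constructed sample: one LAN host (192.168.1.57) sending from random local parts
# to .com.br recipients, one legitimate user on 192.168.1.20, one junk line.
SAMPLE_LOG = """\
2009-06-10 09:12:01 192.168.1.57 MAIL FROM:<qzx9@ourdomain.com>
2009-06-10 09:12:01 192.168.1.57 RCPT TO:<ana@example.com.br>
2009-06-10 09:12:02 192.168.1.57 MAIL FROM:<bk41t@ourdomain.com>
2009-06-10 09:12:02 192.168.1.57 RCPT TO:<joao@example.com.br>
2009-06-10 09:12:03 192.168.1.57 MAIL FROM:<p0rk@ourdomain.com>
2009-06-10 09:12:03 192.168.1.57 RCPT TO:<maria@loja.example.com.br>
2009-06-10 09:12:04 192.168.1.57 MAIL FROM:<x77y@ourdomain.com>
2009-06-10 09:12:04 192.168.1.57 RCPT TO:<carlos@example.com.br>
2009-06-10 09:12:05 192.168.1.57 MAIL FROM:<lm3n@ourdomain.com>
2009-06-10 09:12:05 192.168.1.57 RCPT TO:<rita@loja.example.com.br>
2009-06-10 09:12:06 192.168.1.57 MAIL FROM:<vvz8@ourdomain.com>
2009-06-10 09:12:06 192.168.1.57 RCPT TO:<pedro@example.com.br>
2009-06-10 09:15:30 192.168.1.20 MAIL FROM:<jsmith@ourdomain.com>
2009-06-10 09:15:30 192.168.1.20 RCPT TO:<client@example.com>
this line is not a protocol log entry
"""

# Constructed list of real mailbox local parts (in practice: export from AD/ESM).
KNOWN_USERS = {"jsmith", "alan", "admin"}


def parse_line(line):
    """Return {'ip', 'cmd', 'addr'} for a MAIL/RCPT line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "cmd": m["cmd"], "addr": m["addr"].lower()}


def analyze(lines, known_users, our_domain, threshold=5):
    """Summarise who is injecting mail, which senders are bogus, and where it goes.

    threshold: number of MAIL FROM commands from one client IP before it is
    reported as a suspect (pick it from a normal day's volume per workstation).
    """
    mail_from_per_ip = Counter()
    unknown_senders = set()
    rcpt_domains = Counter()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or irrelevant lines rather than failing
        if rec["cmd"] == "MAIL":
            mail_from_per_ip[rec["ip"]] += 1
            local, _, dom = rec["addr"].rpartition("@")
            # A sender at our own domain that matches no mailbox is spoofed.
            if dom == our_domain.lower() and local not in known_users:
                unknown_senders.add(rec["addr"])
        else:  # RCPT
            rcpt_domains[rec["addr"].rpartition("@")[2]] += 1

    suspect_ips = [ip for ip, n in mail_from_per_ip.most_common() if n >= threshold]
    return {
        "mail_from_per_ip": dict(mail_from_per_ip),
        "suspect_ips": suspect_ips,
        "unknown_senders": sorted(unknown_senders),
        "recipient_domains": rcpt_domains.most_common(),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines(), KNOWN_USERS, "ourdomain.com")
    print("MAIL FROM per client IP:", report["mail_from_per_ip"])
    print("Suspect LAN hosts:", report["suspect_ips"])
    print("Spoofed senders at our domain:", report["unknown_senders"])
    print("Recipient domains:", report["recipient_domains"])
```

Run it against a real protocol log by replacing `SAMPLE_LOG.splitlines()` with the lines of the log file; the first IP in `suspect_ips` is the machine to pull off the network, and a long `unknown_senders` list with recipient domains clustered in one TLD confirms the queue contents are spam injected from inside rather than relayed from outside.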
No, I don't.  I'm trying Wireshark now.
Alan, I got the queue cleaned and incoming email is flowing perfectly but ESM still has 64 queues of valid outgoing emails that are just sitting there.  No errors in event logs and I'm not really sure what to check as to why they aren't going.  Already tried restarting all Exchange services and SMTP.  Any ideas why the real mail won't go?
Do you send via DNS or use Postini for Outbound too?

Did Postini block you because of the spam?
We don't use Postini for outbound.  Good question though - we weren't sending spam long enough to even get blacklisted so I'm not sure but you raise a good point.  I will have my provider check with them.
Any spam that gets out has the potential to get you blacklisted or even blocked by your ISP if they notice and take action.

Always worth ruling it out especially as it sounds like nothing is leaving now.
Well the phone call to the ISP did reveal one thing.  They started blocking port 25 as of yesterday which I wasn't aware of!  I changed the firewall and both settings in the SMTP virtual server in ESM and restarted the SMTP server but everything is still in the queue.  Now what?
Slight problem.  Making that port change caused incoming email to stop too so I had to change it back.  Apparently there is some requirement with Postini that I can't use port 26 so I'm stuck again.
We have stopped using Postini because of the conflict between their port requirements and our ISP's.  MX records were reconfigured for mail to come directly to our server and I know DNS records will take 12-24 hours to update but I still can't send outgoing mail.  Both Exchange and firewall were configured to port 26 and I can see traffic in the firewall log from the Exchange server to port 26 going out so I don't understand why mail isn't going.  I did all the steps in http://support.microsoft.com/kb/153119 successfully and was able to get the test email.  I'm very stuck on where to go next!
SOLUTION
The ISP blocks port 25 as a matter of course as of yesterday.  They won't open it up for us or any other customers as they now block it across the board.  I am looking into an outbound relay service.
ASKER CERTIFIED SOLUTION