Exchange 2003 log files filling up

I have an issue with my Exchange 2003 server log files filling up my drive. Normally the nightly backups take care of this issue, but yesterday that all came to an end. I have checked to see if my server has been hacked and used as a relay, but I have all those settings closed, so I am led to think either a machine on my network is infected or our website that uses our server as a relay is infected.

First off, when I try to look at any of the log files they all look encrypted, so I cannot read them and see if there is a machine on my network that is sending out emails. Is that normal? I have read that those files are plain text, so that makes me concerned. I also did a full virus scan on my network and Exchange, which all came back negative.

With that said where should I start with my detective work?
Tim, Sr. System Admin, Asked:

Iamthecreator OM Commented:
Did the backup run successfully?

Brian B, EE Topic Advisor, Independent Technology Professional, Commented:
You can do a simple test to see if your server can be used as a relay. There is more information here at EE member Sembee's site: http://exchange.sembee.info/network/openrelaytest.asp

You could use a program like Wireshark to look at all the traffic coming to your server and see if there is anything unusual.

Check your backup logs to make sure everything is completing, and that you can actually restore from a backup. Other than that, has there been a sudden increase in the size of the logs? Check the log settings in Exchange to make sure that the logging level didn't get increased by accident.

Tim, Sr. System Admin, Author Commented:
The Backup did run successfully but the issue still remains.

When I tried the open relay test I could not connect to my Exchange server through the Public IP and Port 25. I have a spam appliance on my network, so maybe that is blocking this, but I will need to do some research.

I recently just cleared the stores I have on my Exchange server and now when I look at one of the stores it creates a new log file every second. When I look at the mailboxes on that store I see one mailbox that keeps increasing in size but no mail items are delivered. I had the user reset his password but that did not help.

What else can I do?

Hariom, Exchange Experts, Commented:
Can you please download Microsoft Exchange Server User Monitor (EXMON) and check who is sending the spam mails?

http://www.msexchange.org/articles-tutorials/exchange-server-2003/tools/Microsoft-Exchange-Server-User-Monitor.html

In my case, one of the computers on the network was infected with a virus or spyware, and this infected computer was sending too many spam e-mails to the server.
After research, we downloaded EXMON on the server and got the IP address of the client machine which was sending too much traffic to the Exchange server.
We simply removed this machine from the network and suddenly the generation of log files on the server reduced.
Then we scanned the computer and found some viruses and spyware.

Brian B, EE Topic Advisor, Independent Technology Professional, Commented:
That is another option. As I said, Wireshark will do the same thing.

If it is possible, see if you can do this test at the end of the day when everybody has Outlook closed. It will help narrow down the problem between spam being sent via Outlook, or some sort of spamware that has gone undetected.

Tim, Sr. System Admin, Author Commented:
This was a complicated issue. First, Exmon did help pinpoint which application was sending the emails, but it wasn't a virus or anything; it was our SonicWall firewall sending me thousands of alerts, because at the time this issue occurred we were getting attacked by an outside source. I have since blocked this IP; however, it was an IP run by COX and they said there was nothing they could do except recommend I block the IP. Ridiculous! Anyway, thanks for the suggestion.
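
Added example, not part of the original thread or any poster's code: the thread tracks down the host flooding the server with ExMon or Wireshark, and the same question can be asked of the SMTP protocol logs by counting MAIL commands per client IP per minute. It assumes SMTP protocol logging is enabled in W3C Extended format with the date, time, c-ip and cs-method fields selected; the sample log, addresses and the per-minute limit are constructed.

```python
from collections import Counter

# Works on the plain-text SMTP protocol logs, not on the binary
# database transaction logs that fill the drive.
# Constructed sample: 192.168.1.1 stands in for a device sending alert mail in a burst.
SAMPLE_LOG = "\n".join(
    ["#Version: 1.0",
     "#Fields: date time c-ip cs-method cs-uri-query sc-status",
     "2012-03-01 09:00:02 192.168.1.20 EHLO +desk20 250",
     "2012-03-01 09:00:02 192.168.1.20 MAIL +FROM:<user@example.com> 250",
     "2012-03-01 09:00:03 192.168.1.20 RCPT +TO:<peer@example.com> 250",
     "2012-03-01 09:00:59 192.168.1.1 MAIL"]   # truncated entry, must be skipped
    + ["2012-03-01 09:01:%02d 192.168.1.1 MAIL +FROM:<fw@example.com> 250" % s
       for s in range(0, 60, 2)]                # 30 messages within one minute
    + ["2012-03-01 09:02:10 192.168.1.21 MAIL +FROM:<user2@example.com> 250"]
)

REQUIRED = {"date", "time", "c-ip", "cs-method"}

def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):  # drop truncated entries
                yield dict(zip(fields, values))

def mail_per_minute(text):
    """Count MAIL commands per (client IP, 'YYYY-MM-DD HH:MM')."""
    counts = Counter()
    for rec in parse_w3c(text):
        if REQUIRED <= rec.keys() and rec["cs-method"].upper() == "MAIL":
            counts[(rec["c-ip"], rec["date"] + " " + rec["time"][:5])] += 1
    return counts

def burst_sources(text, per_minute_limit=20):
    """Return {client IP: peak MAIL commands in one minute} at or above the limit."""
    peaks = {}
    for (ip, _minute), n in mail_per_minute(text).items():
        if n >= per_minute_limit:
            peaks[ip] = max(n, peaks.get(ip, 0))
    return peaks

if __name__ == "__main__":
    for ip, peak in sorted(burst_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {peak} messages in one minute")
```
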
Windows Server 2003

Question has a verified solution.