Tim

Exchange 2003 log files filling up

I have an issue with my Exchange 2003 server log files filling up my drive. Normally the nightly backups take care of this issue, but yesterday that all came to an end. I have checked to see if my server has been hacked and used as a relay, but I have all those settings closed, so I am to think either a machine on my network is infected or our website that uses our server as a relay is infected.

First off, when I try to look at any of the log files they all look encrypted, so I cannot read them and see if there is a machine on my network that is sending out emails. Is that normal? I have read that those files are plain text, so that makes me concerned. I also did a full virus scan on my network and Exchange, which all came back negative.

With that said where should I start with my detective work?
Iamthecreator

Did the backup run successfully?
You can do a simple test to see if your server can be used as a relay. There is more information here at EE member Sembee's site: http://exchange.sembee.info/network/openrelaytest.asp

You could use a program like Wireshark to look at all the traffic coming to your server and see if there is anything unusual.

Check your backup logs to make sure everything is completing, and that you can actually restore from a backup. Other than that, has there been a sudden increase in the size of the logs? Check the log settings in Exchange to make sure that the logging level didn't get increased by accident.
Tim

ASKER

The Backup did run successfully but the issue still remains.

When I tried the open relay test I could not connect to my Exchange server through the public IP and port 25. I have a spam appliance on my network, so maybe that is blocking this, but I will need to do some research.

I recently just cleared the stores I have on my Exchange server and now when I look at one of the stores it creates a new log file every second. When I look at the mailboxes on that store I see one mailbox that keeps increasing in size but no mail items are delivered. I had the user reset his password but that did not help.

What else can I do?
ASKER CERTIFIED SOLUTION
Hariom

This solution is only available to members.
That is another option. As I said, Wireshark will do the same thing.

If it is possible, see if you can do this test at the end of the day when everybody has Outlook closed. It will help narrow down the problem between spam being sent via Outlook, or some sort of spamware that has gone undetected.
Tim

ASKER

This was a complicated issue. First, Exmon did help pinpoint which application was sending the emails, but it wasn't a virus or anything; it was our SonicWall firewall sending me thousands of alerts, because at the time this issue occurred we were getting attacked by an outside source. I have since blocked this IP; however, it was an IP run by COX and they said there was nothing they could do except recommend I block the IP. Ridiculous! Anyway, thanks for the suggestion.