
HELP My IMC Queue Keeps Filling UP

Status
Not open for further replies.

njwebtech

IS-IT--Management
Jan 3, 2003
12
US
I have a major problem with someone or something that keeps filling up my IMC outbound queue with 10000 messages. When I clear the queue and do a refresh there are 10000 more different messages there; I clear those and get another batch. Can anyone help me please!

Thanks
Phil
 
Sounds like you're acting as an open relay. See FAQ10-1779. There are also other postings about being an open relay that can help.
 
I have the same problem here at my office. 10000 seems to be the magic number. I believe I closed the open relay and also set the servers must authenticate option on to see if that stops the problem. But you must restart the IMS service. The service stops OK but when I try to start the service it hangs and eats up all my CPU resources. I have a question about making servers authenticate: will that stop legitimate e-mail from being delivered or just stop the spammers from accessing my server? I'm sorry if these sound like dumb questions but I'm kinda new to Exchange 5.5. If anyone can help let me know. Thanks in advance.
 
I think that I have the open relay closed, but I still cannot get the queue to clear. When I clear it, it still comes back with 10000 messages, and I looked at the event viewer and it is still chugging away sending them damn emails. I have tried changing the transfer mode to none (Flush queues), stopped and started the IMC, and they're still there. Anyone else having this problem?

Phil
 
OK, how is this for a fix. Our server never had an admin password, so I think that whoever was dropping those emails to be sent was just logging in and doing their business. So make sure your accounts all have passwords. Set the passwords under services to match your login passwords or when you log in the services will get an error starting up.
Well anyway, that's what I did; now I have to sit back and make sure it works. Please don't think I'm a dummy for not having passwords set. I'm just picking up the pieces since the guy who formerly had my job didn't know what he was doing. So a password is a base I thought would have already been covered.
 
Well, I finally got the queues cleared. It lasted for about 2 mins, and here they come again. This time when you look at the originator there is none! All you have under originator is < >. Now what is this all about?

Phil
 
Changing the password does not help; the e-mail queues are full again. As for the <>, it could be an NDR. I give up, time to light a match.
 
I would agree that you are being used as an open relay.

check out this link
Also check that you don't have a worm or a virus and turn OFF NDR to the internet. This way the messages will deliver to the admin mailbox and not get into your outbound queue.

Let me know how you go

Steve
 
What I did was shut down the server yesterday, and when I came in this morning, it was good for about 10 mins, then it started again. So I spent some time reading the IMC logs, and found out there was someone slamming my server. I located the IP address in the log, and added it to the routing restrictions, and added to the can NEVER route mail. The queues have been clean for over an hour now.

Thanks for everyone's input.

Phil
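
The log review described in the post above can be scripted. This is an added example, not part of the original thread: it tallies, per client IP, recipients outside the local domains (relay attempts) and null-sender `<>` messages. The log layout, the sample lines and the `example.com` local domain are constructed assumptions, not real IMC log output.

```python
import re
from collections import Counter, defaultdict

LOCAL_DOMAINS = {"example.com"}  # assumption: domains this server accepts mail for

# Constructed sample lines (not real IMC log output): "<time> <client-ip> <SMTP command>"
SAMPLE_LOG = """\
09:01:02 203.0.113.45 MAIL FROM:<promo@bulk.example.net>
09:01:02 203.0.113.45 RCPT TO:<a@elsewhere.example.org>
09:01:03 203.0.113.45 RCPT TO:<b@elsewhere.example.org>
09:01:03 203.0.113.45 RCPT TO:<c@another.example.net>
09:02:10 198.51.100.7 MAIL FROM:<partner@supplier.example.org>
09:02:10 198.51.100.7 RCPT TO:<phil@example.com>
09:03:30 203.0.113.45 MAIL FROM:<>
09:03:30 203.0.113.45 RCPT TO:<d@elsewhere.example.org>
"""

LINE = re.compile(
    r"^\S+\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<verb>MAIL FROM|RCPT TO):<(?P<addr>[^>]*)>",
    re.I,
)

def summarize(log_text, local_domains=LOCAL_DOMAINS):
    """Per client IP: count messages, null senders, local and relayed recipients."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a MAIL FROM / RCPT TO line
        ip, verb, addr = m["ip"], m["verb"].upper(), m["addr"]
        if verb == "MAIL FROM":
            stats[ip]["messages"] += 1
            if addr == "":
                stats[ip]["null_sender"] += 1  # the "< >" originator seen in the queue
        else:
            domain = addr.rpartition("@")[2].lower()
            key = "local_rcpt" if domain in local_domains else "relay_rcpt"
            stats[ip][key] += 1
    return stats

def relay_suspects(stats, threshold=1):
    """IPs with at least `threshold` recipients outside our domains, busiest first."""
    hits = [(ip, c["relay_rcpt"]) for ip, c in stats.items() if c["relay_rcpt"] >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, count in relay_suspects(stats):
        print(f"{ip}: {count} relayed recipients, {stats[ip]['null_sender']} null-sender messages")
```

Internal clients that legitimately send outbound mail through the server will also show relayed recipients, so compare the flagged addresses against your own address ranges before adding them to the routing restrictions.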
 
OK, password on admin account changed and the IMC has not had any new connections since yesterday but the queues are still full. Every time I delete a few messages from the queue it fills back up again. My server is too old and slow to handle trying to delete all 10000 messages at the same time because it hangs. I think there might be a trojan in my server that is generating these e-mails to be sent. A remote connection was made yesterday at 1:52pm and according to a search of modified files on my hard drives at that time there was an odd file. I opened it up and I'm not sure because I'm not a programmer but it looks like script to disable my antivirus. This is what it looked like.

<Originator: ><152>
 0Â # Norton AntiVirus Corporate Edition
<Static Alert: Configuration Change ><97>
ÐÂ Â # Norton AntiVirus Corporate Edition  Configuration Change
<Alert Params: ><34>
 Hostname  Description
<Static Alert: Norton AntiVirus Startup/Shutdown ><110>
€Â  Â # Norton AntiVirus Corporate Edition  &quot;Norton AntiVirus Startup/Shutdown
<Alert Params: ><34>
 Description  Hostname
<Static Alert: Virus Definition File Update ><105>
@Â PÂ # Norton AntiVirus Corporate Edition  Virus Definition File Update q
<Alert Params: ><34>
 Description  Hostname
<Static Alert: Scan Start/Stop ><92>
0Â Â # Norton AntiVirus Corporate Edition  Scan Start/Stop
<Alert Params: ><56>
6  Description  Logger  User  Hostname
<Static Alert: Virus Found ><88>
ð °Â # Norton AntiVirus Corporate Edition  Virus Found
<Alert Params: ><111>
m  Virus Name 
File Path  Requested Action  Actual Action  Logger  User  Hostname
<Static Alert: Default Alert ><90>
 # Norton AntiVirus Corporate Edition  Default Alert
<Alert Params: ><77>
K 
AlertName   Default Alert ( Failed Alert Name  Failed Alert Name

Looks kinda weird to me, any thoughts?
 