Hello,
I have a problem with one of my Exchange 2003 servers. At first I was getting a bunch of 7031 and 7034 errors regarding INETINFO.EXE, SMTP and Exchange Routing service... I poked around and discovered over 1400 .eml in my x:\program files\exchsrv\mailroot\queue folder. At first I thought my server or one of my workstations was compromised but all workstations have local anti-viral software (Norman), each server also has anti-viral software and I have a mail server anti-virus program (Sybari Antigen). I scanned every computer on the network and even tried shutting almost all of them down to see if new entries were being created in the queue. Unfortunately more entries kept on appearing so I kept on searching... By opening one of the .eml I discovered my own disclaimer that I attach to outbound emails so I thought my server was acting as a mail relay. I checked for that and I was clean. I kept poking around in the .eml and discovered different origin IPs from the Internet. Am I correct in assuming that my mail server is being BOMBARDED or attacked with emails with bogus return addresses and my mail server is sending back NDRs to the compromised machines/spammers on the net? I tried stopping the Exchange services and tried renaming the vsi 1 folder to something else as one of the MSKB suggested but the folder was protected. How can I stop this? It's slowing down my mail server and filling up my HD. My mail server is behind a Cisco Pix firewall but I can't block the sender's IP because it's coming from everywhere. HELP! There are about 2 to 5 new .eml created every minute!
Thanks
anthony
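
One way to test the hypothesis in the post above, as an added example that is not part of the original post: parse copies of the queued .eml files, flag the ones that are non-delivery reports, and tally the failed recipients and the connecting IP recorded in the bounced message. It assumes the NDRs are RFC 3464 `multipart/report` messages with the original attached as `message/rfc822`; the sample message and the function names `triage` and `summarize` are constructed for illustration.

```python
import email
import re
from collections import Counter
from email import policy

# Constructed sample NDR in RFC 3464 form; every name and address is made up.
SAMPLE_NDR = b"""From: postmaster@example.com
To: forged@victim.example
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns;mail.example.com

Final-Recipient: rfc822;nobody@example.com
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from unknown ([203.0.113.45]) by mail.example.com; Mon, 1 Jan 2007 10:00:00 -0500
From: forged@victim.example

--b1--
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage(raw):
    """Return (is_ndr, failed_recipient, connecting_ip) for one queued message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return (False, None, None)
    rcpt = ip = None
    for part in msg.walk():
        if part["Final-Recipient"]:  # per-recipient block of the delivery status
            rcpt = str(part["Final-Recipient"]).split(";", 1)[-1].strip()
        if part.get_content_type() == "message/rfc822":  # the message that bounced
            # Only the topmost Received line was stamped by our own server;
            # anything below it was supplied by the sender and can be forged.
            received = part.get_payload(0).get_all("Received", [])
            hit = IP_RE.search(str(received[0])) if received else None
            ip = hit.group(1) if hit else ip
    return (True, rcpt, ip)

def summarize(raws):  # -> (ndr_count, failed_recipients, connecting_ips)
    rows = [r for r in map(triage, raws) if r[0]]
    return len(rows), Counter(r[1] for r in rows), Counter(r[2] for r in rows)
```

Feed `summarize` the bytes of each file from a copy of the queue folder. A queue made up mostly of NDRs for recipients that do not exist in the domain, arriving from many unrelated connecting IPs, matches the bounce flood the post describes.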