
Not Relaying - Is account compromised? Massive Queues

Status
Not open for further replies.

mdcr

IS-IT--Management
Oct 3, 2001
228
US
We have set logging levels in Exchange 2000's SMTP settings to maximum to find out why there are over a thousand queues in the virtual server. All settings are set to not allow relaying according to Tek-Tips FAQs and M$ instructions, so we are checking for an account that is compromised and is responsible for sending out (or attempting to send out) these messages. In the event logs it shows multiple 1708 event IDs, stating something like "$servername.abcdomain.com has successfully authenticated", so is the account that is responsible named $servername? If so, I can't find where that account can be disabled (don't even know if that account should be disabled, given the name)....Any thoughts? Thanks...
 
It sounds like the flood is coming from the inside, in which case a user would be allowed to send. Is the Exchange server behind a firewall so you can check logs for access?

Do a netstat on the Exchange server to see which IP(s) are connecting to SMTP.
 
Does it normally take a while to run (netstat)? It shows loads of TCP entries, usually "TCP servername:port number servername.domain.com:smtp SYN_SENT" and the ports go from the 1000's all the way up to 54480, but I don't know what to make of the output.
 
Check your policies on non delivery reports and out of office responses. If you have a lot of people on out of office, it will respond to all spam that they receive as well, and this will generally stack up in the queue as the receiving domains are usually spoofed and either do not exist or do not accept email for those users. That's one of the evils of having out of office abilities.

Hope this helps.

J
 
mdcr- If you look at the foreign or remote address on those SMTP connections, what IP(s) are there? Internals/externals? Are they more or less the same or from the same network?
 
If I run just netstat without any arguments, it shows mostly internal addresses and names, but some of the entries show other external servers (servername.seamail.com, go.iron.com, ns0.looksmart.co.uk, etc) and other external IP addresses (like one line of code will show - TCP server:56343 216.200.34.23). I don't know really what else to do beyond that. Is there a way to block certain suffixes? I see a lot of retry attempts in the queue for domain names for Russia (gomail.ru). I'd like to block those if it will help; I know this client does not send any mail thataway...
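The advice above is to look at the foreign address and state of each SMTP connection and see whether they are internal or external and whether the same hosts keep recurring. The following script is an added example (not from this thread or from Microsoft) that parses numeric Windows `netstat -n -p tcp` output and splits SMTP traffic into outbound-to-external, outbound-to-internal and inbound, counting SYN_SENT attempts. The sample output is constructed; only 216.200.34.23 comes from the post. It assumes the RFC1918 ranges are "internal", which should be adjusted to the site's own address ranges.

```python
import ipaddress
from collections import Counter

# Assumption: RFC1918 space is "internal"; replace with the site's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `netstat -n -p tcp` on the Exchange box (10.1.1.5).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.1.1.5:1025          10.1.1.20:445          ESTABLISHED
  TCP    10.1.1.5:1026          10.1.1.7:25            ESTABLISHED
  TCP    10.1.1.5:56343         216.200.34.23:25       SYN_SENT
  TCP    10.1.1.5:56344         198.51.100.8:25        SYN_SENT
  TCP    10.1.1.5:56345         203.0.113.44:25        SYN_SENT
  TCP    10.1.1.5:25            203.0.113.44:4423      ESTABLISHED
  TCP    10.1.1.5:56346         216.200.34.23:25       SYN_SENT
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_netstat(text):
    """Return one dict per TCP row; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        rows.append({"local_ip": lip, "local_port": int(lport),
                     "remote_ip": rip, "remote_port": int(rport), "state": parts[3]})
    return rows

def summarize_smtp(rows):
    """Outbound = we dialled the remote's port 25; inbound = remote dialled our port 25."""
    s = {"outbound_external": Counter(), "outbound_internal": Counter(),
         "inbound": Counter(), "syn_sent": 0}
    for r in rows:
        if r["remote_port"] == 25:
            key = "outbound_internal" if is_internal(r["remote_ip"]) else "outbound_external"
            s[key][r["remote_ip"]] += 1
            if r["state"] == "SYN_SENT":   # queued delivery attempts still waiting on the remote
                s["syn_sent"] += 1
        elif r["local_port"] == 25:
            s["inbound"][r["remote_ip"]] += 1
    return s

if __name__ == "__main__":
    summary = summarize_smtp(parse_netstat(SAMPLE_NETSTAT))
    for bucket in ("outbound_external", "outbound_internal", "inbound"):
        print(bucket, summary[bucket].most_common(5))
    print("SYN_SENT outbound attempts:", summary["syn_sent"])
```

A queue full of outbound SYN_SENT rows to many external hosts points at mail the server itself is trying to deliver (relay, a compromised account or NDR backscatter), whereas many inbound rows from one external address points at a sender hammering the server.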
 
mdcr,
is your badmail folder filling up quickly? When I say quickly, like 500 new files within a half hour? I was having this problem, and the badmail folder became corrupt, and then the queues started filling up quickly. I had to stop smtp service, rename the badmail folder (because it was corrupted) and create a new badmail folder for smtp to use. I did the same with the queue folder as it was extremely full with NDRs to NDRs from spoofed addresses using my domain. I wrote a script to empty my badmail folder every hour on the hour until I got it straightened out. Apparently there is some server out there spoofing my @domain.com address with random aliases, and the NDRs get sent to my server for john@mydomain.com; these are of course non deliverable because I have no john (or other random alias), so they go to the badmail folder. Unfortunately, there is no way I can stop this, so I had to deal with it until whoever's server got compromised and is doing the sending realizes it and fixes the problem.

None of this may apply to you, but it's something to check out anyway. Good luck

J
 
I have had a similar problem, just deleted the smtp connector and recreated, now have a happy exchange box again...
 
Well, I will try both pieces of advice from Smokin' and JN. As for deleting the SMTP connector, we don't have one for SMTP - Is it the Internet Mail Connector? And if we delete it, I see that there is not an option for new Internet Mail Connector, just one for SMTP. If they are the same, I'll just take settings from the original connector and use them for the new connector, right?
 