Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Queue filling up with messages with unreachable destination

Status
Not open for further replies.

Gauntlet

MIS
Aug 9, 2001
8
GB
Hi,

I have a problem with Exchange 2000 that started yesterday. mail is not going out & the only message in event viewer is Event ID 402: Virtual Server1: Maximum number of connections have neen reached. The queue is rapidly filling up with messages with email adresses xxx@hinet.net & xxxx@sinamail.com. Anybody seen this before ? It looks very much like somthing caused by a virus but Mcafee did not pick up on anything.
 
Your server may well be being used by a spammer to send spam.

There are a number of ways this can be happening. One or more passwords to user accounts may have been cracked (especially the Administrator password), or your server may configured as an open relay.

Good luck!

Gary McDonnell
Stop Spam with TurboGeeks Block & Tackle!
 
Or there is a PC with a virus at work!

Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
[/sub]
 
Thanks for your help

After I posted the problem, I went back into the system Manager & noticed that there were 5 connections to the virtual server. A quick whois search showed that these IP addresses all belonged to ISPs in Taiwan. Then checked relaying & found that it have been changed to function as a open relay.Looks like one of the engineers did this after having trouble with email earlier the week. Closed the hole & cleared the connections & spam mail. All seems OK now.
 
I've been looking, how do you check the connections to the virtual server?
 
If you look under your Default SMTP Virtual server (or whatever it is called in your setup,) there is a Current Sessions tab. In here I could see the connections (ip adresses) & time they were connected.
 
Is there any way to see what connections were made in the past. I've just managed to remove a spammer from our system, though I don't know yet where he came from and he is still attempting to logon. How can I trace him back so I can block the IP.

.gary
 
What I have done is in the Virtual server sttings to set connections to "block all except the following list" & placed my internal adress range in there. I also ticked ignore the above if authenticated. This seemed to block them from my system. Also done the same with relay. Check your event viewer, it might show the ip address of the spammer. Because the spammers who accessed my server were taking up the maximum number of connections it started showing up in event viewer.
 
gary, there are some very good and free tools like TCPview for one, on
Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
[/sub]
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top