Tons of IMS queued messages with no originator--spam?


ERake (MIS), Apr 4, 2003
I am seeing a lot of messages in my outbound queue going to addresses that look spammy, but they have no originator. Where are they coming from?? Thank you.
 
Thanks again, everyone. Looks like I wasn't so alone with my problem, after all. Brontosaurus' answer sounds like a winner!
 
wooh...that helps explain everything. been banging my head on that one for a while...you get a star for that. Thanx :)
 
Hi! I am new to this forum and was searching for information regarding outbound messages in queue. Looks like I am not alone in the situation. Thanks for the information; it was very helpful.
 
brontosaurus,

I have done all the "anti-relay fixes" suggested by quell. The only thing I am wondering is, how long do I wait until these <> messages disappear from the outbound queue (after I started my Internet Mail Service again)? The last time I turned Internet Mail Service on, it backed up until there were approx. 44,000 messages, and I had an error message stating that the outbound queue had reached its maximum limit. Then I stopped the service and deleted all of those outbound messages from the imcdata\out directory, so as to also save space on the hard drive. When I turned the service back on, all the messages returned, and I am concerned that it will back up in the outbound queue again, and possibly DoS the system by filling the hard drive up. Any comments on whether this is normal (i.e., deleting all the messages, and then they all return again)?

Also, should I leave the Internet Mail Service on until the messages finally disappear? I don't even know if they eventually will disappear. I have heard that the default is 48 hours. Maybe there is a setting to turn that down...


Thanks to all the insight from everyone above. This thread has confirmed a lot of my personal research thus far into the problem.
 
I feel like a huge idiot now... but experience is the best way to learn. The outbound queue did in fact continue to build .... and build... and build. I was getting worried.... and almost stopped the service, but I wanted to test it out and wait until I absolutely had no room to wait. I am pleased to say, as was to be expected (as I now know)... they began to dwindle (finally). When there were about 600 left over that had already been attempted and were waiting to go again, I finally just deleted those. And the whole thing is back to normal. Yeah!

Thanks for the posts everyone. This was great.
 
Thanks everyone, that was definitely an annoying experience! I appreciate your fix quell, and everyone's input.
 
There is also a faq on it for more info: faq10-1779
 
Brontosaurus,

Good diagnosis on the NDR. I have the problem and ISPs are constantly running open relay tests on my Exch55 server. BTW, relay is definitely blocked on my server.

How does one disable ALL NDRs?

I hate to do that since mistyped emails will not generate NDRs to people who really want to send us mail. But as admin, I guess I will have to manually forward all misdirected email.

 
And here's how to get rid of the <> messages for good -
See my FAQ entitled Non-Delivery Reports.
Hope this helps you all :)
 
This is all good information, and if you called Microsoft for $275 they would tell you the same thing. The other twist I have to this puzzle is that our "friends" from 211.167.74.x have been able to authenticate as \admin. There is no admin account, just Administrator. I ran AntiTrojan and found nothing on the Exchange server to open up a backdoor. This has left me dumbfounded as to how someone is authenticating and what to do.
 
In response to folsom2004's question about queue/message timeouts... In the Internet Mail Service configuration, you will find the settings under the Connections tab. Look for Service Message Queues - Retry Interval - Timeouts on this tab. In the Timeouts, you can tweak the message timeouts for urgent, normal, and non-urgent messages. Using these timeouts, shorten the length of time that a message will be retried before being dropped from the queue. This will help in keeping your queue cleaned out.
 
Another option is to place an SMTP Proxy in front of your Exchange Server and accept mail only to your valid addresses instead of @yourdomain.com. I have done this and everything else that is not valid bounces back from the SMTP proxy service leaving the Exchange Server alone to handle legitimate email.


Dev
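An added example (not from any poster in this thread) illustrating two points raised above: the `<>` messages in the IMS outbound queue are bounces with an empty sender, which a scan of the queued messages can count per destination domain, and a front-end SMTP check that rejects unknown recipients at RCPT TO time never has to generate such a bounce. The queued messages, local addresses and domain below are constructed.

```python
"""Triage of Exchange 5.5 IMS outbound-queue backscatter (added example)."""
from collections import Counter
from email import message_from_string

# Constructed sample of queued messages: two null-sender NDRs and one real mail.
SAMPLE_QUEUE = [
    "Return-Path: <>\r\nFrom: postmaster@example.local\r\n"
    "To: dfkand01@spamdest.example\r\nSubject: Undeliverable: HGH offer\r\n\r\nbody",
    "Return-Path: <>\r\nFrom: postmaster@example.local\r\n"
    "To: dfkbnd@spamdest.example\r\nSubject: Undeliverable: HGH offer\r\n\r\nbody",
    "Return-Path: <alice@example.local>\r\nFrom: alice@example.local\r\n"
    "To: bob@partner.example\r\nSubject: Q2 numbers\r\n\r\nbody",
]


def classify_queue(raw_messages):
    """Return (count of null-sender NDRs, Counter of their destination domains).

    A Return-Path of "<>" means the message has no originator: the server
    generated it as a bounce, so it is backscatter rather than user mail.
    """
    ndr_domains = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        return_path = (msg.get("Return-Path") or "").strip()
        if return_path == "<>":
            recipient = msg.get("To", "").strip().strip("<>").lower()
            ndr_domains[recipient.rsplit("@", 1)[-1]] += 1
    return sum(ndr_domains.values()), ndr_domains


# Constructed directory of deliverable local mailboxes for the proxy check.
VALID_LOCAL_ADDRESSES = {"alice@example.local", "bob@example.local"}
LOCAL_DOMAIN = "example.local"


def rcpt_decision(rcpt_to, valid=VALID_LOCAL_ADDRESSES, local_domain=LOCAL_DOMAIN):
    """SMTP reply a front-end proxy would give for RCPT TO.

    Rejecting at this stage (instead of accepting and bouncing later) is what
    keeps forged-sender spam from turning into <> messages in the queue.
    """
    addr = rcpt_to.strip().strip("<>").lower()
    if not addr.endswith("@" + local_domain):
        return "550 relaying denied"
    if addr not in valid:
        return "550 no such user"
    return "250 ok"
```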
 
Hi! I have the same problem as jkamas, somebody authenticates as \admin or \webmaster although there are no such accounts. And the spam ocean begins!!!! Any ideas how to stop it? jkamas, did you find a solution to your problem?

george
 
I had the same authentication problem (lots of 2010 events in the event viewer application log) -- I disabled the guest account and it went away (now I have lots of 4183 events, failed login attempts from 218.70.136.0/20). I'm trying to block those by creating a host connection access list: at the top of the list are those that I won't accept connections from, and at the end of the list I have a quad 0, like this:
218.70.136.0 mask 255.255.240.0 block
0.0.0.0 mask 0.0.0.0 accept all
I'm hoping the rules get applied like a Cisco Access List.

Anyone tried this on the connections tab?
 
Thank You "Winr" - I'm just reading this thread and was wondering why no one mentioned the guest account. According to MS Support, an enabled Guest account is the number one vulnerability for sites that have closed email relaying.

Good one!
 
This stuff is all good, we have tried many of these options, but we are still getting our outbound queue growing. Yesterday all was normal, and then again this morning we had 77,000 outbound messages in the queue. The addresses were something like <> and dfkand01, dfkbnd, dfkcnd and so forth. I would really like to fix this problem. If anyone can help please let me know. khestad@xltg.com

thanks
 
I have this problem now and have found this thread for the first time and have tried all the open relay items above with no abatement of the spam being sent from my client's Exchange 5.5 server, service pack 4. An interesting note is that I can disconnect the system from the Internet (small office with a DSL connection with static IP) and it will continue to generate these emails. Any worms out there that avoid detection and run off spams from the local machine? Maybe?
 
to MtnMike,
I have the same problem. We also have done the same thing you have: unplugged everything except the Exchange and the PDC, but when we unplugged the Exchange server from the Internet the queue stopped. I don't think it's a worm, but so far we have not been able to stop this queue from building. The only thing we have not tried is to add the list that is mentioned in one of the posts to the registry. Maybe there is someone here that knows exactly why and how to stop this problem. I thank everyone for all the input here. Please help.
 
to kastad,
The queue on this server is building because it cannot keep up with the number of spam emails being sent, so it backlogs until it can get them sent out, at least that is what it seems. But these are SPAM emails for HGH growth hormones, as I can get to some of them in the imcdata\out folder before they are able to leave the system. I am afraid to try the above mentioned "let the queue clear," I don't want to let a bunch of spam leave through this server if that is what is happening.

I asked if it was a possible worm because the server should not have been an open relay before, but I have gone through and made the settings change of checking the IP box in the routing restrictions and not adding any IP addresses. Ultimately what is happening though is that the Exchange server is getting so backlogged that performance is brought to a crawl on that server (single CPU, 128 MB RAM), so leaving it to see if the queue eventually clears is not really an option that I think my client will want to take.

Is this what you are experiencing?
 