Someone keeps using my exchange server

Q:
The queue keeps filling up: 60k messages in 6 hrs. I have enabled message filtering and checked there is no relay. I tested using one of the MS articles and I don't get

550 5.7.1 Unable to relay for user@spam.com -or-
250 2.1.5 user@spam.com

I get "unrecognized email address".

I created a forward mail to {99.99.99.99} to try and stop the messages so I can clear it but they keep coming.

I am trying to use this: http://support.microsoft.com/kb/324958
but the queue never stops filling up.
2. Right-click SmallBusiness SMTP Connector, and then click Properties. If you have more than one SMTP Connector, the one that you want to work with in the following steps is the one that contains the "*" (asterisk) for the SMTP address on the Address Space tab.
3. Click the General tab. Make a note of all the settings on this tab. You have to return these settings later in this article.
4. Click Forward all mail through this connector to the following smart hosts.
5. In the field provided, type a false IP address and enclose it in brackets. For example, type [99.99.99.99].
6. Click the Delivery Options tab.
7. Click Specify when messages are sent through this connector.


I checked these settings and they are correct.

Verify that your Exchange computer is not an open mail relay. To do this, follow these steps:
a. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
b. In Exchange System Manager, expand the following object: Servers\Your_Exchange_Server_Name\Protocols\SMTP
c. Right-click the virtual SMTP server where you want to prevent mail relay, and then click Properties.
d. Click the Access tab, and then click Relay.
e. By default, open relay is blocked. The default settings are as follows:
   - The "Only the list below" check box is selected.
   - The "Allow all computers which successfully authenticate to relay, regardless of the list above" check box is selected.
ASKED: Dec 18 2006  10:58 PM GMT
A:
Sounds like you need recipient filter, check out KB886208.
Last Answered: Dec 19 2006  8:03 AM GMT by 1lonedog
Discuss This Answer:
shadyj  |  Dec 19 2006  10:57AM GMT

Make sure your guest account is not enabled. If you do need it enabled, change the default password. Spammers use this method in Exchange since the default password is blank.

Sidzilla  |  Dec 19 2006  11:30AM GMT

Another possibility is that one of the legitimate clients on your system is infected and acting as a spambot. I would see if there is any unusual network traffic from any particular client. I don’t know how large your organization is, but it would only take one infected client to cause this. Filters would only work if you were blocking your legit clients in a case like that.

petroleumman  |  Dec 20 2006  9:28AM GMT

Hello,

A couple of things you did not mention: which queue is filling up? Is it the Internet SMTP (outbound) queue or a routing queue, which could indicate a flood of inbound traffic? Is there a pattern to the messages? If your server has been hijacked and is sending spam, the messages may be all of one type to various recipients.

Try taking your server offline for 30-60 minutes. Clean out your message queues, then bring it back online. If there is some type of automated attack (open relay, DoS, etc.) occurring from the outside, taking it offline can stop the process by breaking the connection and causing the attacking program to begin timing out, which will often shut it down or force it to drop your server for another.

While your server is offline, do some investigating for clues to the source of the messages. Double-click a message from a queue to display its properties and use Message Tracking to try and identify the source of the rogue messages. Firewall logs can also be a good source of information.

Good luck!

tracybs  |  Dec 21 2006  2:49PM GMT

I too was quite worried when I kept seeing my queues filling up with a ton of emails in a retry status. I followed all of Microsoft's articles on properly securing my server.

Anyway, it finally hit me: these are replies from your postmaster telling other people that the recipient doesn't exist. At least that is the case on mine.

Now, at least once a week I stop my SMTP Virtual Server, reconfigure my Internet Mail Connector to forward all mail to a bogus address in my network, restart the SMTP Virtual Server, and then find that forwarder in the queue. Select it and then click "Find Messages"; I usually set the limit to 10000 before doing this. I then sort the list, making sure I didn't catch any legitimate mail, select all of the mail from postmaster, and delete it without an NDR (non-delivery report). I then backtrack everything so I am using DNS to resolve again and I'm good to go for a few more days.

It's a pain but it works!
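The thread offers two competing explanations for a flooded queue: postmaster backscatter (NDRs to non-existent recipients, as tracybs describes) versus an infected LAN client acting as a spambot (as Sidzilla and petroleumman suggest). The script below is an added example, not code from the thread; it tells the two apart from a log of queued messages. It assumes a constructed, simplified tab-separated layout (time, connecting host, sender, recipient) rather than the exact Exchange 2003 message-tracking fields, and assumed values for the server's own IP and the LAN address ranges.

```python
from collections import Counter

SERVER_IP = "10.0.0.1"                  # assumed: the Exchange server's own address
LAN_PREFIXES = ("10.", "192.168.")      # assumed: internal address ranges

# Constructed sample log, tab-separated: time, connecting host, sender, recipient.
# "<>" is the empty reverse path that NDRs (postmaster replies) are sent with.
SAMPLE_LOG = """\
08:01:02\t10.0.0.1\t<>\tbob@victim.test
08:01:03\t10.0.0.1\t<>\tsue@other.test
08:01:04\t10.0.0.1\t<>\tamy@third.test
08:01:05\t192.168.1.57\talice@example.local\tboss@example.local
08:01:06\t10.0.0.1\t<>\tjoe@fourth.test
"""

def parse_log(text):
    """Parse tab-separated lines into dicts, skipping blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        ts, src, sender, rcpt = parts
        rows.append({"time": ts, "src": src,
                     "sender": sender.strip().lower(), "rcpt": rcpt.strip().lower()})
    return rows

def is_ndr(row):
    """An NDR carries an empty reverse path or comes from the postmaster mailbox."""
    return row["sender"] in ("<>", "") or row["sender"].startswith("postmaster@")

def classify_queue(rows, ndr_share=0.5, min_hits=3):
    """Return (verdict, stats).
    backscatter      : most queued mail is NDRs, fanned out to several domains
    internal_spambot : one LAN host other than the server dominates real outbound mail
    """
    ndrs = [r for r in rows if is_ndr(r)]
    ndr_domains = {r["rcpt"].rsplit("@", 1)[-1] for r in ndrs}
    outbound = [r for r in rows if not is_ndr(r)
                and r["src"] != SERVER_IP and r["src"].startswith(LAN_PREFIXES)]
    top = Counter(r["src"] for r in outbound).most_common(1)
    stats = {"total": len(rows), "ndr": len(ndrs), "ndr_domains": len(ndr_domains),
             "top_lan_sender": top[0] if top else None}
    if rows and len(ndrs) / len(rows) >= ndr_share and len(ndr_domains) > 1:
        return "backscatter", stats
    if top and top[0][1] >= min_hits and top[0][1] / len(outbound) >= 0.5:
        return "internal_spambot", stats
    return "inconclusive", stats
```

A backscatter verdict points at recipient filtering (KB886208) as the fix; an internal_spambot verdict points at the named LAN host, where filters on the server would only block legitimate clients.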
