exch server queue is HUGE

humaxf1 · 22-06-2009 4:04pm #1

Hi all,

Was looking at exch system manager over the weekend on an SBS2003. The mail queue is huge...over 5000. All appears to be spam. I've run AV and spyware scans but to no avail. Is there a way to track down where it's originating?

All the workstations were shutdown one at a time to see if any of them were the culprit. It was narrowed down to 1 PC. The next day though, the queue had grown again with that PC turned off.

Anyone got ideas? TIA

ressem · 23-06-2009 5:54pm

It's probably not an internal PC sending the spam. Much more likely to be a misconfiguration in the Exchange setup.

Look at the mails in the mail queue, they can be opened in notepad.
By default it'll be in somewhere like

\Program Files\Exchsrvr\Mailroot\vsi 1\

If they're coming through SMTP, probably from outside then
the exchange server should have added a line like
Received: from NAME ([123.124.125.126]) by mydomain.com with Microsoft SMTPSVC(6.0.xxxx.xxxx);

Also you can enable logging on the smtp server by going to Exchange System Manager \ Servers\ <your server name> \ Protocols \ SMTP \ Default SMTP Virtual server.

Right click on this entry, properties, enable logging. Click Properties, advanced to select fields to include in the log, and it's location.

----
Having looked at the mails you'll find that your exchange is allowing one or more of the holes open by default...

such as an exchange 2003 server by default will relay mails sent with a blank sender.

Disable this under EMS \Exchange \ Global Settings \Message Delivery \ Properties
Sender Filtering \ Filter Messages with blank sender checkbox.

There's plenty of other issues, depending on whom you allow relaying permissions to. In some cases unauthenticated relaying is allowed to machines within an IP range, and a fake "from" like administrator@my.external.ipaddress.dsl.esat.net which resolves to your server will bypass Exchange's poor default filter.

If you can't afford something like GFI Mail essentials or external filtering by the likes of Ieinternet or postini, and you have apps or users that demand SMTP relaying to be enabled then there's a few infrastructure changes that might help.

E.g. creating an internal user SMTP virtual server listening for incoming connections on port 587 in Exchange for those SMTP apps and users that require it in your organisation. You'll need to carry out an audit to make sure that all apps can support this.
This server is set to demand authentication, preferably with TLS.
All users and apps are set then to use this port, rather than port 25.
Then relaying is switched off on the default port 25 virtual server.

It's possible to add basic spam checks by following the procedure
http://www.petri.co.il/block_spam_with_exchange_2003.htm

ressem · 24-06-2009 4:47pm

Sorry, you might want to scratch that last suggestion (re client submission port 587).
Exchange 2003 R2, even fully patched has a bug where it will not correctly assign permissions to send to pre-existing users when you create a new virtual SMTP server, resulting in a 5.7.3 error "Client does not have permission to send as this sender".

New users will work fine, so it works for when a system is being set up from scratch.

Unless someone knows where to look to change the appropriate permission.

johnmd · 13-08-2009 2:41pm

It sounds like you are being used as an open relay,Go into exchange system manager under SMTP and server or connectors.can;t remeber exactly where and make sure that only the allowed local subnet and the localhost address are allowed to relay.
Also untick allow authenticated users regardsless option as well unless you have remote users.

exch server queue is HUGE

Comments