Re: Possible worm...please help



"Matthew Laping" <mlaping@xxxxxxxxxxxxxxxxxx> wrote:

Not sure if this is the proper place for this, but since it is Exchange
related let's start here. I had started to notice that outbound emails were
not getting delivered. When I checked the Event Viewer I came across the
following message:

The inbound SMTP queue currently exceeds 4000 items. The Internet Mail
Service will not accept inbound connections until the inbound content
conversion queue has dropped below 3000 items


I also noticed that the Outbound Message Awaiting Delivery queue was filled
with emails awaiting delivery. For the most part the Originator is the same.
So I started to think my server was infected with a worm. I disconnected the
network cable and after deleting all the messages in the queue, they kept
coming back...about a thousand a minute!

Probably queued up NDRs.

I have scanned the server with
Norton Anti-Virus and with Spybot, neither found anything. What else can I
try? Is there a way to see the emails and see where they are coming from?

My first guess would be that they're NDRs from messages sent to
non-existent addresses in your domain. Have a look at a few of them in
the outbound directory and see what they are.

Exchange 5.5 should never be connected directly to the Internet. It
was bad enough in 1997 but today it's subject to being overwhelmed by
spam (even more so than it was back then). Stand up a Windows 2003
server (or Linux/FreeBSD) as an SMTP relay and start refusing to accept
messages sent to addresses you can't deliver mail to. You can, if you
like, also use a DNSBL on the relay to reduce the number of inbound
connections to your Exchange server.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
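To make the relay advice above concrete, here is an added example (not code from the thread or from any Exchange product) of the two decisions such a front-end relay makes: a connect-time DNSBL check and an RCPT TO check against a list of real mailboxes, so mail to unknown users is refused before DATA and never turns into a queued NDR. The DNSBL zone name, the addresses and the resolver are constructed placeholders so the code runs offline.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Placeholder zone name (assumption): substitute the DNSBL you actually subscribe to.
DNSBL_ZONE = "dnsbl.example.invalid"

def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet name a DNSBL is queried with (IPv4 only)."""
    ip = ipaddress.IPv4Address(client_ip)          # raises on anything that is not IPv4
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def check_connection(client_ip: str, resolve: Callable[[str], Optional[str]]) -> tuple:
    """Connect-time decision: 220 to accept the session, 554 to drop a listed host.
    `resolve` returns the A record (e.g. '127.0.0.2') if the name is listed, else None."""
    try:
        name = dnsbl_query_name(client_ip)
    except ipaddress.AddressValueError:
        return 220, "relay ready"                   # non-IPv4 peers are not checked here
    if resolve(name) is not None:
        return 554, f"{client_ip} listed in {DNSBL_ZONE}"
    return 220, "relay ready"

def check_recipient(rcpt: str, local_domains: Iterable[str], mailboxes: Iterable[str]) -> tuple:
    """RCPT TO decision: refuse unknown local users before DATA, so no NDR is ever queued."""
    addr = rcpt.strip().strip("<>").lower()
    if addr.count("@") != 1:
        return 501, "syntax error in recipient"
    _, domain = addr.rsplit("@", 1)
    if domain not in {d.lower() for d in local_domains}:
        return 550, "relay not permitted"           # inbound relay only, never an open relay
    if addr not in {m.lower() for m in mailboxes}:
        return 550, "no such user"
    return 250, "recipient ok"

# Constructed sample data so the example runs offline (no real DNS lookups).
LOCAL_DOMAINS = ["example.com"]
MAILBOXES = ["alice@example.com", "bob@example.com"]
LISTED = {"5.2.0.192." + DNSBL_ZONE: "127.0.0.2"}  # pretend 192.0.2.5 is on the list

def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a DNS A-record lookup against the DNSBL zone."""
    return LISTED.get(name)

if __name__ == "__main__":
    print(check_connection("192.0.2.5", fake_resolve))                        # -> 554
    print(check_recipient("<Nobody@Example.com>", LOCAL_DOMAINS, MAILBOXES))  # -> 550
```

In a real deployment the resolver would be a DNS lookup of the name `dnsbl_query_name` returns, and the mailbox list would be exported from the directory behind Exchange and refreshed regularly.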