Re: Joe Jobbing?
From: Andy Webb (awebb_at_swinc.com.spamsucks.com)
Date: 02/18/04
- Next message: Scott Townsend: "Getting Exchange Tools on DC"
- Previous message: vagabond: "Re: Joe Jobbing?"
- In reply to: vagabond: "Re: Joe Jobbing?"
- Next in thread: vagabond: "Re: Joe Jobbing?"
- Reply: vagabond: "Re: Joe Jobbing?"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 17 Feb 2004 23:36:40 -0600
If your users connect with Outlook using MAPI or use OWA, then there should
be /nothing/ in the allow relay box. Also, the "allow computers which
successfully authenticate" should /not/ be checked on your server. Neither
the server address nor the loopback address should be listed.
Without knowing where the messages came from, it's hard to say what caused
the relay.
Are Message Tracking logs and the SMTP protocol logs enabled and configured
to capture suitable information for diagnosis?
Andy
"vagabond" <adivvy@hotmail.com> wrote in message
news:uevC3zd9DHA.3648@TK2MSFTNGP11.phx.gbl...
Thanks Andy
I have followed the steps in q324958 and am slowly getting rid of blocks of
messages.
However, in the "Configure the Exchange Server to Block Open SMTP Relaying"
section I examine the default smtp's relay properties and find that the
server's IP (192.168.16.2) and loopback (127.0.0.1) addresses are present.
The KB article says:
"The default settings block open relay. The default settings are as follows:
a.. Select Only the list below.
b.. The Computers dialog box shows Access Granted to the Internal IP
address of the Small Business Server network and to the external IP address
(if the server has more than one network card.)
c.. Make sure that Allow all computers which successfully authenticate to
relay, regardless of the list above is selected."
Should the loopback address be included here (in fact, why does anything
need to be here - my exchange2000 box has nothing present here).
Also, this smtp server is not visible to the internet - all mail is received
via the POP connector - so how do I protect against that sort of relaying?
Cheers
John
"Andy Webb" <awebb@swinc.com.spamsucks.com> wrote in message
news:%238VK$8c9DHA.2472@TK2MSFTNGP10.phx.gbl...
> The easiest way to deal with this is to create an SMTP Connector with an
> invalid smarthost specified. That will allow you to requeue everything
from
> the 2000-3000 queues into a single queue which you can freeze and then
> delete items from.
>
> 279616 - XCON: Adding a Registry Key to Re-Categorize Messages:
>
> http://support.microsoft.com/?scid=kb;en-us;279616
>
>
> There are internal queues within Exchange that aren't visible to the queue
> viewer interface and that is where the new messages are coming from - in
> addition to possibly still coming in from externally.
>
> Good luck.
>
> Andy
>
> "vagabond" <adivvy@hotmail.com> wrote in message
> news:e%23Vwrka9DHA.1596@TK2MSFTNGP10.phx.gbl...
> It's now gone back up to 2095 queues with a minimum of 8 messages in each
> queue. What can I do?
>
> I forgot to add previously that I had also enabled filtering of users not
in
> AD (to little avail).
>
> John
>
>
> "vagabond" <adivvy@hotmail.com> wrote in message
> news:Ok10T7Z9DHA.2432@TK2MSFTNGP10.phx.gbl...
> Hi All
>
> I have an annoying situation.
>
> My client phoned this evening with tales of woe concerning his mailbox
> filling up with messages.
>
> I logged in and saw 2500 queues (all SmallBusiness SMTP Connectors). I
> disabled outbound mail, stopped the virtual smtp service, deleted all
items
> from the \badmail and \queues directories.
>
> I then disabled NDRs from the global settings tree and remover the
client's
> own email address from the "also deliver a copy of NDRs to" field.
>
> Then I manually deleted all the remaining messages within each queue (how
> come these still remain after deleting the \queue directory?). There were
> still over 1000 messages in 300+ queues.
>
> Things looked good so I restarted all the services - all looked good.
> However, I went back in an hour later and found 3000 queues. This time I
> cannot delete any/most of them (only two in the \queue dir).
>
> It occurs that this client only uses the POP connector to collect inbound
> messages. From looking at the two in the \queue dir it seems that
> someone/thing is trying to relay though the POP connector. ie:
>
> Received: from mail pickup service by server01.<my_client.local> with
> Microsoft SMTPSVC;
> Tue, 17 Feb 2004 20:15:51 +0000
> content-class: urn:content-classes:recallmessage
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> Subject: Recall: Determined to Succeed: Launch of Partnerships between
> Business and Education
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> Date: Tue, 17 Feb 2004 20:15:51 -0000
> Message-ID: <000001c3f592$d6b03b90$0210a8c0@my_client.local>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: Determined to Succeed: Launch of Partnerships between
Business
> and Education
> X-Mailer: Microsoft CDO for Exchange 2000
> Thread-Index: AcP1einPUtIFDANeTTeYhSeqwhvUSg==
> Priority: Urgent
> Expiry-Date: Thu, 19 Feb 2004 17:18:27 -0000
> From: "Law, Lesley Anne" <LesleyAnne.Law@,some_domain.co.uk>
> To: <info@random_domain.co.uk>,
> <info@random_domain.co.uk>,
> <info@random_domain.co.uk>,
> <info@random_domain.co.uk>,
> <info@random_domain.co.uk>,
> <21stcenturyflats@random_domain.co.uk>,
> <billylimbo@aol.com>,
> <billylimbo@aol.com>,
> <vincent@random_domain.co.uk>,
>
> ... repeated hundreds of times ...
>
> Two questions:
>
> 1. How do I protect against this?
>
> 2. How do I delete the queued messages (which don't appear in the
queue)?
>
> 3. (OK 3) each message is 85KB but I cannot find how to look at their
> contents; is this a virus trying to do the rounds?
>
> For the time being I have disabled the POP connector but this will need to
> be re-enabled tomorrow.
>
> thanks
>
> John
>
>
- Next message: Scott Townsend: "Getting Exchange Tools on DC"
- Previous message: vagabond: "Re: Joe Jobbing?"
- In reply to: vagabond: "Re: Joe Jobbing?"
- Next in thread: vagabond: "Re: Joe Jobbing?"
- Reply: vagabond: "Re: Joe Jobbing?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
