Re: Massive queues in Exchange
From: Beth Belluardo [MSFT] (bethfr_at_online.microsoft.com)
Date: 04/13/04
- Next message: Paul Nixon: "server reboots with event ID 6008"
- Previous message: Lanwench [MVP - Exchange]: "Re: Massive queues in Exchange"
- In reply to: damian f: "Massive queues in Exchange"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 13 Apr 2004 10:14:16 -0400
Hi Damian,
There are 2 possibilities.
1) you are open for relay
2) you have a compromised account and someone is authenticating and
relaying from your server.
To check for the first instance, go to the properties of the SMTP Default
Virtual Server. on the Access tab, choose the Relay option. Make sure that
you have "Only the list below" selected and there is nothing in the list.
The only IP addresses that you would want to put in here are any servers
such as databases, that need to send mail through your server and can not
authenticate.
It hat is OK, we need to check under the Routing Groups\Connectors
container to see if you have an SMTP connector. If you do, go to the
properties and make sure that on the Address Space, you do not have "allow
messages to be relayed to these domains"
If both of those are OK, we need to check for a compromised account. In
Exchange System Manager go to the properties of the Exchange Server and
choose Diagnostic Logging. For Exchange 2000, choose MSExchange Transport
and set SMTP Protocol Logging to Maximum. For Exchange 2003, Choose
MSExchange Transport and set Authentication to Maximum.
Now Stop the SMTP Service in the Services. We will attempt to clear out
some of the mail at this time. Got to \\program files\exchsrvr\mailroot\VSI
1 folder. You can perform a Shift-Delete on the Badmail folder. This is
likely very large with junk mail. When you start SMTP, another Badmail will
be created.
Now, open the Queue folder. When it is Open, host the Windows Key and hit
F3. You should now see the Search Windows. We are going to search for
containing text of "Postmaster". When it is done searching, you can select
all it found and perform a Shift-Delete on them. This will all be junk
Non-Delivery reports. When you have removed them, go back into the Queue
folder. how many items do you have?
Go ahead and start the SMTP service up. Check the number of Queues. has it
gone down? After a few minutes go into the Event Viewer and look at the
application log. We are searching for Informational with an Event ID of
1708. These will contain information on who is authenticating to drop off
mail. Make sure that all the ones that are listed in these informational
should be relaying. Any account such as Administrator, make sure their
accounts have strong passwords.
If you have any questions on the above information, just let me know.
Best Regards,
Beth
-- Please do not send email directly to this alias. This alias is for newsgroup purposes only. This posting is provided "AS IS" with no warranties, and confers no rights. "damian f" <dfasciani@primavera-aus.com> wrote in message news:1723f01c4211e$be3f2000$a001280a@phx.gbl... > Hi, > This morning i realised that my external emails where not > going out. I looke in exchange and noticed that there > where 1200 mail queues. We normally have 30 at the most. > Some queues have up to 300 mail messages, and when i go > to open the queue to see the emails, there are none. It > taking all my CPU utilization and i noticed that under > the sessions tab, there are five users i have never heard > of. Could these be hackers? I rebooted the server and > number of queues dropped to about 700 and mail was fine. > BUt now its gone up agin to about 3000 queues. Are we > being attacked? How can i stop this? > > -Damian
- Next message: Paul Nixon: "server reboots with event ID 6008"
- Previous message: Lanwench [MVP - Exchange]: "Re: Massive queues in Exchange"
- In reply to: damian f: "Massive queues in Exchange"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
