Re: SMTP Queue - Suspect virus/spam
- From: Keith Lawrence MCP <KeithLawrenceMCP@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 21 Jun 2007 03:51:01 -0700
It's not really Exchange's or Windows' fault that the problem has occurred. It's much more likely the SMTP server was never properly secured to begin with, allowing relay access to internet and internal computers. Additional software wouldn't do much to fix this.
Your primary concern now should be to disconnect the server from the internet, run Aqadmcli to flush all mail, secure the SMTP server and verify it is not an open relay, then look at running a virus scan on the server (and all your client machines).
See http://exchangeorg.net/archive/2004/06/30/9.aspx for instructions on using the tool.
Once everything is back to normal, definitely look at some form of Exchange anti-virus/anti-spam. I would recommend PureMessage from Sophos.
If you can't flush the emails yourself, get onto PSS services and have them talk you through the steps needed.
"Toxic" wrote:
Thanks Keith, looked at all of these and still I get these emails.
What should I be using to stop this (anti-virus, spamming software?)
I was told there is a hotfix for this in SBS 2003.
"Keith Lawrence MCP" wrote:
It sounds like your SMTP server has been hijacked, whether internally or externally.
If it's an external machine that has initiated the spam attack, you can do the following:
1) If the SMTP queue is still filling up, use Aqadmcli.exe to flush all messages. I think you need to contact PSS for this tool but it can be found by googling.
2) Go to your Exchange System Manager and open the SMTP virtual server properties. Click the Access tab, then Relay, then make sure "Only the list below" is selected. Also tick the "Allow all computers which successfully....."
3) Now check your SMTP server is not an open relay by going to http://www.abuse.net/relay.html and inputting the relevant details.
There is also an MS KB on this: http://support.microsoft.com/kb/324958
Good Luck!
"Jane C" wrote:
http://www.wireshark.org/
--
Jane, not plain ;) 64 bit enabled :-)
Batteries not included. Braincell on vacation ;-)
MVP Windows Shell/User
"Toxic" <Toxic@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6AD30402-37F4-4DA5-A0E1-69A564DBDB8C@xxxxxxxxxxxxxxxx
Thanks for the quick response. I found the PC it came from.
Where do I get Wireshark?
How do I check open relay?
Which malware?
"Henry Craven {SBS-MVP}" wrote:
You can open the .eml file in Notepad and check it out. That will give you an idea of what you're dealing with.
Run a network sniffer (Wireshark) and process monitor (procmon) and see what's going on on your network.
Make sure you're not an open relay.
Malware scan your server and all workstations.
Make sure no one unauthorised is getting in via wireless access, or wired for that matter (change all passwords).
If you've been compromised, see if you can find out when and then roll back to a known good state.
Assess the consequences of the intrusion and possible data loss and tampering on the business / clients.
E.g. tampered client records can be lethal (e.g. allergic to antibiotics yes/no).
Regulatory compliance / disclosure?
That should do for a start.
--
Henry Craven {SBS-MVP}
"Toxic" <Toxic@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:89B5BD6C-58D3-4002-8E50-7B7F6B4287EB@xxxxxxxxxxxxxxxx
Help guys please, got an email from the server complaining about the SMTP queue, went to go and look, HUH, 2 gig of email waiting to go out. So I started deleting the emails, but when I had deleted all of them the emails started appearing in the queue again. So I looked in the vsi1 queue and moved the email out of there into another folder and then restarted SMTP and it was fine.
My question is how do I solve this problem or find out how to stop it, or am I not protected enough.
I still have some of the emails in another folder, the extension is .eml. I would post here but they are quite large.
SBS 2003 SP1
Exchange SP2
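Henry's suggestion to open the queued .eml files and "check it out" can be done more systematically than reading them in Notepad. The script below is an added example, not code from any poster in this thread: it parses a queued message with Python's standard library, walks the Received: chain from oldest hop to newest, and reports the host that handed the message to our own SMTP server (the hostname `sbs.example.invalid` and the sample message are constructed for illustration). Because it keys on the hop written by our server, forged Received: lines that a spammer prepends further down the chain do not change the answer.

```python
"""Triage a queued .eml to find which host injected it into our SMTP server.

Added example (not from the thread). Received: headers are listed newest-first;
the hop whose "by" host is our server names the machine that submitted the mail.
"""
import ipaddress
import re
from email import message_from_string

# Exchange writes: "Received: from <helo> ([<ip>]) by <server> with Microsoft SMTPSVC..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample: a LAN workstation submitted the spam; the inner Received:
# line is one the spammer forged to look as if the mail came from elsewhere.
SAMPLE_EML = """\
Received: from workstation7 ([192.168.1.57]) by sbs.example.invalid
 with Microsoft SMTPSVC(6.0.3790.1830); Thu, 21 Jun 2007 03:09:58 -0700
Received: from mail.example.invalid ([192.0.2.10]) by workstation7
 with SMTP; Thu, 21 Jun 2007 03:09:50 -0700
From: "Promo" <promo@example.invalid>
To: someone@elsewhere.invalid
Subject: cheap meds

buy now
"""


def parse_received(msg):
    """Return hops oldest-first as (helo, ip, by); lines that do not match are skipped."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(str(raw).split())  # unfold the header onto one line
        m = RECEIVED_RE.search(line)
        if m:
            hops.append((m["helo"], m["ip"], m["by"]))
    return list(reversed(hops))


def injecting_host(eml_text, our_host):
    """Find the hop that handed the message to our_host.

    Returns (helo_name, ip, is_internal) where is_internal is True for RFC 1918
    and other non-public ranges, or None if our server never recorded accepting it.
    """
    msg = message_from_string(eml_text)
    for helo, ip, by in parse_received(msg):
        if by.lower() == our_host.lower():
            return helo, ip, ipaddress.ip_address(ip).is_private
    return None


if __name__ == "__main__":
    print(injecting_host(SAMPLE_EML, "sbs.example.invalid"))
```

An internal result points at an infected workstation on the LAN (the case Toxic reports); a public address on that hop means the server itself accepted the mail from outside, i.e. the relay check in the thread is the next thing to do.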