SMTP flooding network - Microsoft Exchange
-
SMTP flooding network
Running Exchange Server 2000 SP3 (Version 6.0 Build 6249.4: Service Pack 3).
Recently internet pages were extremely slow to load on all network computers.
After troubleshooting, and glancing at the switch, network traffic was being
flooded from the Exchange Server to the router. After changing network cards,
and further investigation, I isolated the problem to be with the SMTP
service. I found that when it is running, the flooding begins. When stopped,
everything is back to normal. As this is the Exchange server, we need the
SMTP service enabled. I am at a loss for what to do next and any help is
greatly appreciated. I fear a worm or trojan may be at work here. I have
tried looking into the mail queue to see what is stored there but just end up
more confused, as I am not as knowledgeable about Exchange Server as
apparently I need to be!
-
Re: SMTP flooding network
Hi,
Sounds as if your server is being used as a SPAM relay.
These might help:
http://www.msexchange.org/tutorials/MF005.html
http://www.vamsoft.com/orf/authattack.asp
Leif
"hobbzilla" <hobbzilla@discussions.microsoft.com> wrote in message
news:0D3EEBC3-ADAA-4C34-BA04-A841AFE23DE6@microsoft.com...
> Running Exchange Server 2000 SP3 (Version 6.0 Build 6249.4: Service Pack 3).
> Recently internet pages were extremely slow to load on all network computers.
> After troubleshooting, and glancing at the switch, network traffic was being
> flooded from the Exchange Server to the router. After changing network cards,
> and further investigation, I isolated the problem to be with the SMTP
> service. I found that when it is running, the flooding begins. When stopped,
> everything is back to normal. As this is the Exchange server, we need the
> SMTP service enabled. I am at a loss for what to do next and any help is
> greatly appreciated. I fear a worm or trojan may be at work here. I have
> tried looking into the mail queue to see what is stored there but just end up
> more confused, as I am not as knowledgeable about Exchange Server as
> apparently I need to be!
-
Re: SMTP flooding network
We use Exchange for pretty much local use only. Clients use Outlook 2k & 2k3.
Exchange is not set up to be a SPAM relay, nor does the router allow
incoming port forwarding to the Exchange box. (Clients get e-mail via a POP3
Linux server due to the free spam software installed, which then gets
imported into their Exchange store once Outlook downloads them.)
Anyway, a local user tried sending out an e-mail to 150 or so people with
attachments of about 3.5MB. Shortly after this all users were complaining of
network slowness and some sites would time out. After investigating I found
the problem to be the Exchange server flooding the switch & router. After
going through the lists of services, stopping SMTP made the problem
disappear. I cleared the SMTP queue and restarted the service. The messages
simply came back again. The user that sent the mail is getting undeliverable
reports and continues to receive them even after receiving over the 150 she
has sent. Now they are coming back "Delayed". Is there a way to remove the
Exchange outgoing messages while the SMTP service is down? If I shut down
SMTP and clear the queue, they simply come back again to try again!?!
Any help would be greatly appreciated! I don't know why they are bouncing
back in the first place, so perhaps that would be a better solution.
"Leif Pedersen [MVP]" wrote:
> Hi,
>
> Sounds as if your server is being used as a SPAM relay.
>
> These might help:
> http://www.msexchange.org/tutorials/MF005.html
> http://www.vamsoft.com/orf/authattack.asp
>
> Leif
-
Re: SMTP flooding network
Hi,
Check the exchange installation path\mailroot\vs 1\queue folder to see if
the mails can be deleted from there.
Leif
"hobbzilla" <hobbzilla@discussions.microsoft.com> wrote in message
news:7C0A649E-0557-4DDF-A280-AAD1E179AE42@microsoft.com...
> We use Exchange for pretty much local use only. Clients use Outlook 2k & 2k3.
> Exchange is not set up to be a SPAM relay, nor does the router allow
> incoming port forwarding to the Exchange box. (Clients get e-mail via a POP3
> Linux server due to the free spam software installed, which then gets
> imported into their Exchange store once Outlook downloads them.)
>
> Anyway, a local user tried sending out an e-mail to 150 or so people with
> attachments of about 3.5MB. Shortly after this all users were complaining of
> network slowness and some sites would time out. After investigating I found
> the problem to be the Exchange server flooding the switch & router. After
> going through the lists of services, stopping SMTP made the problem
> disappear. I cleared the SMTP queue and restarted the service. The messages
> simply came back again. The user that sent the mail is getting undeliverable
> reports and continues to receive them even after receiving over the 150 she
> has sent. Now they are coming back "Delayed". Is there a way to remove the
> Exchange outgoing messages while the SMTP service is down? If I shut down
> SMTP and clear the queue, they simply come back again to try again!?!
>
> Any help would be greatly appreciated! I don't know why they are bouncing
> back in the first place, so perhaps that would be a better solution.
>
> "Leif Pedersen [MVP]" wrote:
>
> > Hi,
> >
> > Sounds as if your server is being used as a SPAM relay.
> >
> > These might help:
> > http://www.msexchange.org/tutorials/MF005.html
> > http://www.vamsoft.com/orf/authattack.asp
> >
> > Leif
-
Re: SMTP flooding network
"hobbzilla" <hobbzilla@discussions.microsoft.com> wrote in message
news:7C0A649E-0557-4DDF-A280-AAD1E179AE42@microsoft.com...
> We use Exchange for pretty much local use only. Clients use Outlook 2k & 2k3.
> Exchange is not set up to be a SPAM relay, nor does the router allow
> incoming port forwarding to the Exchange box. (Clients get e-mail via a POP3
> Linux server due to the free spam software installed, which then gets
> imported into their Exchange store once Outlook downloads them.)
>
> Anyway, a local user tried sending out an e-mail to 150 or so people with
> attachments of about 3.5MB. Shortly after this all users were complaining of
> network slowness and some sites would time out. After investigating I found
> the problem to be the Exchange server flooding the switch & router. After
> going through the lists of services, stopping SMTP made the problem
> disappear. I cleared the SMTP queue and restarted the service. The messages
> simply came back again. The user that sent the mail is getting undeliverable
> reports and continues to receive them even after receiving over the 150 she
> has sent. Now they are coming back "Delayed". Is there a way to remove the
> Exchange outgoing messages while the SMTP service is down? If I shut down
> SMTP and clear the queue, they simply come back again to try again!?!
>
> Any help would be greatly appreciated! I don't know why they are bouncing
> back in the first place, so perhaps that would be a better solution.
>
We found that even though we had relaying turned off, people were using it
as such by supplying valid credentials - basically, users had got rubbish
passwords and a brute force attack found them.
Ensure all your users have "strong" passwords in force (so no more
Doris/Petals logins!) and see what happens...
James.
-
Re: SMTP flooding network
I have stopped SMTP and cleared that folder out (which contained about 70+MB
of information in 25+ files or more). After moving the files to an alternate
location and restarting SMTP, they simply came back. I never found a
resolution to my problem but this morning the server is acting as normal. I
did change some SMTP settings to shorten the delay & retry life of all SMTP
mail. I simply turned it back on during the weekend when no one was in the
office and the queue was emptied on its own due to its undeliverable state.
If I look at the queue now, there are FAR fewer domains listed and they mostly
have green checks next to them. However, all but the top listing say
(Remote delivery) after them. I am assuming that is because Exchange
doesn't handle mail for those domains, as the huge list said the same, but
I'm still curious why Exchange was trying to send out all those e-mails and
Exchange was reporting them undeliverable. Is there somewhere I can set an
external SMTP server to forward out all the outgoing (Remote Delivery) mail
so that it is sent properly? Or something I can configure Exchange to send it
out itself?
Again, my Exchange is connected to the internet via a firewall/router combo
box. And it _shouldn't_ be accessible from the internet.
"Leif Pedersen [MVP]" wrote:
> Hi,
>
> Check the exchange installation path\mailroot\vs 1\queue folder to see if
> the mails can be deleted from there.
>
> Leif
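
The thread never settles whether the queue held relay abuse or one user's bulk mailing stuck in retry. The following is an added example, not part of any poster's message: it summarises copies of queued messages moved out of the queue folder, assuming they are readable as RFC 822 text. The function names, the `corp.example` domain, the sample messages and the verdict thresholds are all constructed for illustration.

```python
from collections import Counter
from email import message_from_bytes
from email.utils import getaddresses, parseaddr

def triage_queue(raw_messages, local_domain):
    """Summarise copied queue items and suggest why the queue filled up."""
    senders, subjects, rcpt_domains = Counter(), Counter(), Counter()
    reports = size = 0
    for raw in raw_messages:
        msg = message_from_bytes(raw)
        size += len(raw)
        if msg.get_content_type() == "multipart/report":
            reports += 1  # NDR or delay notice, not an original message
            continue
        # Header From can be forged; it is still a useful first signal.
        senders[parseaddr(msg.get("From", ""))[1].lower()] += 1
        subjects[msg.get("Subject", "").strip()] += 1
        rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _, addr in getaddresses(rcpts):
            if "@" in addr:
                rcpt_domains[addr.rsplit("@", 1)[1].lower()] += 1
    originals = sum(senders.values())
    local = sum(n for s, n in senders.items() if s.endswith("@" + local_domain))
    # Thresholds below are illustrative assumptions, not Exchange behaviour.
    if originals == 0:
        verdict = "no original messages queued"
    elif local / originals < 0.5:
        verdict = "mostly non-local senders: check for relay abuse"
    elif len(senders) == 1 and len(subjects) == 1:
        verdict = "one local sender, one subject: bulk send retrying"
    else:
        verdict = "mixed local traffic"
    return {"messages": originals, "reports": reports, "bytes": size, "verdict": verdict,
            "senders": dict(senders), "rcpt_domains": dict(rcpt_domains)}

def make_msg(sender, to, subject, ctype="text/plain"):
    """Build a constructed sample message (not taken from the thread)."""
    return (f"From: {sender}\r\nTo: {to}\r\nSubject: {subject}\r\n"
            f"Content-Type: {ctype}\r\n\r\nbody\r\n").encode()

BULK_SAMPLE = [  # constructed: one user's mailing plus a delay report
    make_msg("user1@corp.example", "a@one.example, b@two.example", "Newsletter"),
    make_msg("user1@corp.example", "c@one.example", "Newsletter"),
    make_msg("postmaster@corp.example", "user1@corp.example", "Delayed", "multipart/report"),
]
RELAY_SAMPLE = [  # constructed: senders the server has no reason to carry
    make_msg("x@elsewhere.example", "v1@three.example", "Offer 1"),
    make_msg("y@another.example", "v2@four.example", "Offer 2"),
]
```

A queue dominated by non-local senders points toward the relay and weak-password explanations raised in the replies, while a single local sender with one subject matches the 150-recipient mailing described by the original poster.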