Queue in exchange [yahoo.com.tw , ms14.hinet.net ecc]

[chriszd]

Hi Guys,

I have an exchange server at work and everything was working fine until one day i noticed that e-mails had been taking hours and some times days to arrive to their destination.

i opened the queue in the exchange and found out 30,000 e-mails.... i manged to clear the queue, but just to find out the day after that the e-mails increased to 157,000 in the queue.

i installed a trial version if symentec mail security and it blocked only a few spam domains like, but they are still coming in.

the funny thing is that i am monitoring the queue every second and i spend hours without any trace of these e-mails, then after few hours they just popup...

Now i noticed that as soon as i shutdown the other server, the problem is not coming up ( hope so ) ...

what can be the problem that is causing all this queue? how can i treat it? i tried to find around on google but with no success...

please save my A** thanks

 

[noveyron]

Try turning off NDR's to the internet

From Exchange System Manager, Global Settings, Internet Message Format. Right click properties in right hand pane, Advanced tab. Uncheck Allow non-delivery reports.

See if that helps. If it doesnt, you may need to look at your network for malware activity

 

[chriszd]

thanks for the answeer but the queue is still coming up....



any other ideas please? much appriciated

 

[noveyron]

Now i noticed that as soon as i shutdown the other server, the problem is not coming up " - What does this other server do on your network, can you tell us a bit more about it? While this other server is down, does your mail server send/receive mail ok?

On the queue on your mailserver, is postmaster@yourdomain the sender of the emails?

 

[chriszd]

after further testing i found out tath the other server is needed for e-mails to go out too... (sorry about the previous information but this servers where not set by me )


on the queue i have the following

about 80 queues
with different connectors like
ms14.hinet.net
yahoo.com.tw

ecc

when i right click one of them and press FIND MESSAGES i get alot of garbadge e-mails queued.

I double click on any of these e-mails and i get the infomration of Sender and recepient ecc.

as a sender i got like a garbadge e-mail address (syt.100@onvol.net) *where onvol is my current ISP

as a reciever i get e-mails like the one above and also addressed to yahoo.com .tw ecc...

i will get you screen shoots tomorrow and post them too

thanks alot, i really appriciate your help

 

[noveyron]

No problem, its not fixed yet though Do make a note to make a decision about whether or not you want to switch the NDR's back on once the issues are resolved, suppressing NDRs is not generally recommended by Microsoft as is not an RFC-compliant practice.

Can you test if you are an open relay - use the relay test 1 on this link

http://support.microsoft.com/kb/304897

 

[chriszd]

Hi, After changing the NDR settings again i got about a day off from spam, but this morning again, they started to come up again...

most of then end with ****.hinet.net , which seems to be an ISP.

ms3.hinet.net
ms14.hinet.net
yahoo.com.tw

i tried to block even some IPS which where not familiar with me but all for nothing...

can't seem to fix this problem which has been going on for 2 weeks now

 

[noveyron]

Can you test if you are an open relay - use the relay test 1 on this link

http://support.microsoft.com/kb/304897

 

[chriszd]

1)

can't figure out where i need to insert the RSET in telnet.

i went on:

start
run
'telnet'
in the telnet box i typed 'RSET' and got [ invalid command ]

can you instruct me how to get at least to the first step please?

---------------------------------------------------------

also some updates...

2)

i blocked the domains from the connector of the exchange

hinet.net
yahoo.com.tw

This did decrease the queue amount by alot of e-mails , but they are still going up very slowly with the senders e-mail starting with garbadge and ending with another domain

[ 122yt55@onvol.net ] - i would easily do the same like the other domains and block it but it happens that the onvol.net is my current ISP so its not a good idea to block it too e?

3)

does it help if i also Freeze the connectors which are still coming up?

 

[noveyron]

1)This version is probably clearer, and does not include the RSET command

http://support.microsoft.com/kb/q153119/

(the to and from addresses that you type in should not be hosted on your server)

If you get 550 5.7.1 Unable to relay for address@anotherdomain.com, then we need to look elsewhere for the source of your problems. If on the other hand we get 250 2.1.5 name@theaddressyoutyped.com, then you have an open relay.

Once we have determined if you are an open relay or not, we can move on to either troubleshooting further or sorting out the relaying.

2) is only masking the problem. I would unblock the domains once the problems are resolved

3)It may help superficially, but again, it is not addressing the cause of the problem.

 

[chriszd]

i got this repsone when i did the [ telnet servername portnumber ]

220 mail."domain".com



when i type in the MAIL FROM:email address

i get [ client does not have permission to submit mail to this server .... connection to host lost ]

 

[noveyron]

did the EHLO get a response?

Are you receiving incoming emails?

Undo #2 from your post above and redo the test

 

[chriszd]

ehlo responded fine ...

sorry my ignorance but incoming mails noramlly are coming in at the moment

from the MAIL FROM: command its not working


thanks

 

[noveyron]

ah. Is it possible for you to test from outside your network ?

 

[chriszd]

i will try it from home later on today..

This is strange but beacuse as soon as i delete the queue from the queue folders (sometimes they start coming back in as soon as i start the SMTP service, and sometimes they stop poping up)

at the moment it seems that all is working fine, but this happened to me every day. i think i fixed the problem, and then they start popping up again.

will let you know when i do the test from home.

thanks for the follow up

 

[noveyron]

Apologies for not telling you earlier about testing externally, it completely slipped my mind.

I have just found this, which will give you a good idea what to expect

http://support.microsoft.com/servicedesks/ShowMeHow/101904_1.asx

 

[chriszd]

SO, im back

i tried the steps but I'm getting stuck when telneting the server..

it says connecting to .....
and after few seconds the window changes to a black blank screen and nothing happens for about 30 sec

after that i am sent back to the beginning of the command prompt.

any ideas what im doing wrong .. damm I'm feeling like an idiot can;t get anything to work

 

[noveyron]

Er, its probably not you, its more like bad info from me.

I have had a bit of a google around, this link pretty much sums up the whole lot WRT open relaying and how to fix it.

http://www.amset.info/exchange/spam-cleanup.asp

Of course, we havent yet confirmed whether you are an open relay or not yet, if you are, the above should sort it.

Apologies for any prior bad info.

 

[chriszd]

i tried the test but connection to host lost. i will try it from another location and keep you updated..

in the meantime its been about 3 days with spam free when i changed some settings...

the problem now is that i am able to send to outside emails (gmail ecc) but i am unable to recieve from gmail ecc.


what i can remember of changing is the authentication level from the diagnostic logging.

even though i changed that back to NONE no e-mails are coming in now ( at least no spam too )

 

[noveyron]

Obviously I cannot tell what you have changed to make Exchange stop working, did you document the changes you made as you were doing them? Did you perhaps change the smtp authentication?

The ExBPA may (or may not) help you find where you went wrong

http://www.microsoft.com/downloads/...1F-4BEE-4943-AC22-E2DDBD258DF3&displaylang=en