
SMTP Connector has over 3 million messages

Status
Not open for further replies.

bennetje

MIS
Oct 6, 2003
38
US
My outgoing mail queue has over 3 million messages.
The ISP server provider has blocked us until it is fixed.
How do I troubleshoot this? Where did these messages come from?
Looking at some of them, the sender and recipient are not from our company.
For now I have disabled outgoing mail.
How do I delete all these messages? I can display 1000 every search, and then delete? Is that the way?
Our system setup is an SBS2003 server behind a Linux firewall with only port 443 open for https connection to be used by OWA.
Please give me some help here.
Thanks so far.
/Ben
 
Ben,

Sounds like your Exchange server is not secured against relaying. Have you tested for open relay?

M~
 
I had the same problem. On this site, do a search for Mail Relay or just plain "Relay". Give me a moment and I'll see if I can find the thread for you.

Malcolm is right though in that it is MOST likely your Exchange server is open for relay. You may also have to contact a "Black List" site and have your domain name removed from its listing.

As for the message queue? Well, I had to go and delete all of these a chunk at a time. 99% of mine was just spam.

Also, I found that the "hacker" was able to exploit my Exchange server because the password on my Local Administrator account (NOT THE NETWORK ADMIN ACCT) was left blank. I had to remove the Exchange server from the network and log on to the box locally. Then create an Administrator password. Then I rejoined the server to the domain.

Hope this Helps.

Dan
 
Hi Dan, thanks for your reply. I followed the MS article and I think it is an NDR attack. Many postmaster mails, but also many other mail. Because port 25 is closed, I think we cannot be used as a relay; is that true?
We forward the mail to a provider's SMTP server.
To flush the queue there is an MS utility that is handy.
Its name is aqadmcli.exe; use the command delmsg flags=all
Delete the queue within 10 min.
I still get spam in the queue, don't know from where, but I will disconnect the server to see if they are from a local PC workstation.
/Ben
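
One way to tell apart the three causes raised in the posts above (open relay, NDR attack, a local workstation) before flushing the queue, as an added example that is not part of any post in this thread: count the queued messages by sender and recipient domain. The CSV export format, the `LOCAL_DOMAINS` value and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Assumption: the organisation's own SMTP domains.
LOCAL_DOMAINS = {"example.com"}
BOUNCE_NAMES = {"postmaster", "mailer-daemon"}

# Constructed sample of queued messages; not real data.
SAMPLE_QUEUE = """sender,recipient
<>,a@elsewhere.test
postmaster@example.com,b@elsewhere.test
postmaster@example.com,c@other.test
offers@bulk.test,d@other.test
ben@example.com,e@partner.test
friend@partner.test,ben@example.com
"""

def domain(addr):
    """Lower-cased domain part of an address, '' for the null sender."""
    addr = addr.strip().strip("<>").lower()
    return addr.rpartition("@")[2] if "@" in addr else ""

def classify(sender, recipient):
    """Heuristic label for one queued message."""
    s = sender.strip().strip("<>").lower()
    if domain(recipient) in LOCAL_DOMAINS:
        return "inbound"            # normal delivery to our own users
    if s == "" or (domain(s) in LOCAL_DOMAINS
                   and s.partition("@")[0] in BOUNCE_NAMES):
        return "ndr-backscatter"    # bounces we generated for forged senders
    if domain(s) in LOCAL_DOMAINS:
        return "local-sender"       # internal account or workstation
    return "relayed"                # external to external: relay abuse

def triage(csv_text):
    """Count queued messages per label."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return Counter(classify(r["sender"], r["recipient"]) for r in rows)

def dominant(counts):
    """Most common outbound label, or None if only inbound mail is queued."""
    out = {k: v for k, v in counts.items() if k != "inbound"}
    return max(out, key=out.get) if out else None

if __name__ == "__main__":
    counts = triage(SAMPLE_QUEUE)
    print(dict(counts), "->", dominant(counts))
```

A queue dominated by `ndr-backscatter` points at bounces for mail sent to non-existent recipients, `relayed` points at relay restrictions or an abused account, and `local-sender` points at an internal machine. A sender address can be forged, so the labels are a starting point for the investigation rather than proof.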
 
Yeah, I still get those Postmaster email queues and I, too, do not know where they are coming from. I've asked several folks and no one has a clear-cut answer. Fortunately, after a while these small number of queues are removed from the server.
 
What you might want to implement is "Inbound Recipient Filtering".

I don’t know half of you half as well as I should like, and I like less than half of you half as well as you deserve. ~ Baggins
 
Saw a server once that kept being used as a relay, even though it was tied down in the system manager.

Seemed to be going through Inetpub queues folder, must have been an exploit or hack of SMTP service?

Never found cause or culprit (no time, was all going off, poor I know), but shut all down, cleared queues, and stuck an SMTP filter on spare box between Exch and FW.

Hasn't happened since.

Gurner

 