
Tons of emails in Queue

Status
Not open for further replies.

julesNDC

IS-IT--Management
Dec 2, 2005
81
US
Last week the email server started to act bizarre. Had to reboot for emails to come in. Today we still have the same problem and when I took a look at the queue I saw a ton of emails sitting IN messages waiting to be routed, pending submission and SMTP connectors. I deleted the queues but they keep coming back faster than I can delete them. When looking at the senders on these emails, they are either non-deliverable notifications or weird email addresses. I am wondering if someone is using the Exchange server for spoofing.

PLEASE HELP!!!!!
 
I would check the DNS settings first. This search result may help,

Sent mail stays in queue
Situation: When the client sent email to ChicagoTech.net, the mail stays in queue and never reach the ChicagoTech.net mail server. Troubleshooting: ...


Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
Already checked the NDS settings and they look ok. This server has been working fine for 6 months and no changes have been made.
Any other ideas?
 
Also, if it is a DNS problem, how is it that rebooting the server allows the emails to go out?
 
Find out where all the emails are coming from. Either via your firewall, using netstat, or even a sniffer.

If they're all different IP's, this won't help, but if it's some kind of mail flood or spoof, you could block the offending IP at the firewall or the SMTP connection access in your Exchange Admin console.

FYI: I've got our company Exchange server locked down to only allow connections (smtp) from two particular IP addresses, and they both belong to our ISP. Maybe something to consider..
 
The pros are obvious but what are the cons of locking down the Exchange server the way you did?
Also where do you set this up?

Thanks
 
The cons? Really, I can't think of any cons! Other than you'll have to add any machine's IP address to the accept list if it needs to relay off your server.

I've got it set on my firewall, a PIX. And I've also got it set on my SMTP protocol properties in the Exchange Manager. Just drill down to the Protocols folder under your server and hit the properties of your SMTP Virtual Server, then the Access Tab at the top, then the Connection button.

I'd recommend letting your firewall do it if you can.

Anyone who sends you an email that's legit is going to send it to you@yourdomain.com and it's going to go through your ISP and then to you. Locking it down prevents direct IP connection which you probably don't need anyway.
 
Oops, rather than the Connection button, use the Relay button below. Sorry.
 
Here is some more info. Within 1 hour the queue was flooded with over 20,000 postmaster@mydomain.com. There are only 10 users using this email server!!!
 
You've gotta figure out where the original messages are coming from to cause the postmaster@mydomain.com to be seen. More than likely it's just creating an NDR (non delivery report) for the sender. Use the netstat tool on your Exchange server. Start | Run | type CMD, and type netstat -ano and check out the connections to port 25.

Are they all the same address?
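
Added example, not part of the original thread: a small Python script that tallies the port 25 connections in saved `netstat -ano` output by remote address, and separates inbound connections (someone submitting mail to the server) from outbound ones (the server itself delivering mail or NDRs). The sample output and its addresses are constructed for illustration.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output (documentation address ranges).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1840
  TCP    192.0.2.10:25          203.0.113.45:4312      ESTABLISHED     1840
  TCP    192.0.2.10:25          203.0.113.45:4313      ESTABLISHED     1840
  TCP    192.0.2.10:25          198.51.100.7:2200      TIME_WAIT       0
  TCP    192.0.2.10:3051        198.51.100.99:25       SYN_SENT        1840
  TCP    192.0.2.10:3052        198.51.100.99:25       ESTABLISHED     1840
  TCP    192.0.2.10:3389        192.0.2.50:1500        ESTABLISHED     900
  UDP    0.0.0.0:53             *:*                                    1200
"""


def split_endpoint(endpoint):
    """Split 'addr:port' (or '[v6]:port') into (addr, port); port is None if not numeric."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else None


def smtp_peers(netstat_text, port=25):
    """Count remote IPs on TCP connections that involve `port`, split by direction."""
    inbound, outbound = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP connection rows; skip headers, UDP rows and the listener itself.
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        (_, lport), (raddr, rport) = split_endpoint(fields[1]), split_endpoint(fields[2])
        if lport == port:
            inbound[raddr] += 1    # a remote host connected to our SMTP service
        elif rport == port:
            outbound[raddr] += 1   # our server is sending mail (or NDRs) out
    return inbound, outbound


if __name__ == "__main__":
    inbound, outbound = smtp_peers(SAMPLE)
    print("Inbound to port 25: ", inbound.most_common())
    print("Outbound to port 25:", outbound.most_common())
```

To use it on real data, save the output with `netstat -ano > netstat.txt` on the server and pass the file's contents to `smtp_peers`.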
 
Only the server is showing using port 25.
 
When you check your mail server's queue, what do you see? Is it showing 20,000 messages queued up trying to be delivered to a particular domain?
 
No, it seems to be all kinds of domains. Yahoo.com, Hotmail.com, etc
 
K. If I were you, I'd stop the SMTP service via the Exchange Manager and drill down to the place your queue is kept, the default is ?:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue I believe and delete every single message in there (all the "Internet Email Message" types). Except the "~" file. Don't worry about that.

Do that, restart the service, and see if they come back.

Warning though, if there are legit messages mixed in there, they're gonna be gone.. Either that, or start going through the 20,000 messages and find the valid ones. (guess you could just copy the messages out of there to a temp location, too)
 
When I stop and restart the SMTP service they disappear and slowly come back.
 
This morning I have about 15 connectors with a total of around 70,000 emails in queue, they all are .tw (Taiwan) and they almost all are postmaster@mydomain.com

I really need to fix this and I still don't know how.

REALLY NEED HELPPPPP
 
Did you delete those files from the ?:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue directory when the service was stopped?
 
Just a recommendation: if I were you, I'd call my ISP and get the subnet and CIDR of their mail servers so you can add that to your SMTP relay access list and stop relays from any other machine out there.
 
I did delete these files but as soon as I restart SMTP, emails start to pile up right away.
 
Service Pack 2 for Exchange Server 2003

How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003

The Hidden Power of Sender and Recipient Filtering

SMTP tar pit feature for Microsoft Windows Server 2003

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
Want to know how email works? Read for yourself -
 