Question : Exchange 2003 Server Mail/ Spam issues

In the past couple of days, I have been experiencing huge lags in internal and external email. I found a couple of problems:

1. Spammers were attempting to relay off my Exchange server, which filled up the queue on Exchange. I tightened up the SMTP virtual server. Now I'm facing thousands of NDRs trying to be sent to these non-existent accounts. I disabled NDR deliveries under Global Settings, as well as configured connection, recipient, and sender filtering under Message Delivery. I also enabled it under the SMTP virtual server. I am still receiving errors in the event log. See below:

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            8/26/2005
Time:            12:30:28 PM
User:            N/A
Computer:      CBMAIL
Description:
This is an SMTP protocol log for virtual server ID 1, connection #7591. The client at "59.104.179.206" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "helo ms87.url.com.tw>".  This will probably cause the connection to fail.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            8/26/2005
Time:            12:29:44 PM
User:            N/A
Computer:      CBMAIL
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #7590. The remote host "210.17.38.21", responded to the SMTP command "rcpt" with "550 User ([email protected]) unknown.  ". The full command sent was "RCPT TO:  ".  This will probably cause the connection to fail.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            8/26/2005
Time:            12:30:40 PM
User:            N/A
Computer:      CBMAIL
Description:
This is an SMTP protocol log for virtual server ID 1, connection #7592. The client at "218.34.227.114" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for [email protected].tw  ". The full command sent was "rcpt TO:<[email protected].com.tw>".  This will probably cause the connection to fail.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            8/26/2005
Time:            12:30:49 PM
User:            N/A
Computer:      CBMAIL
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #7593. The remote host "67.15.77.192", responded to the SMTP command "rcpt" with "550-(collinsbarrow.net) [216.123.211.107] is currently not permitted to relay  550-through this server. Perhaps you have not logged into the pop/imap server  550-in the last 30 minutes or do not have SMTP Authentication turned on in your  550 email client.  ". The full command sent was "RCPT TO:  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            8/26/2005
Time:            12:30:50 PM
User:            N/A
Computer:      CBMAIL
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #7593. The remote host "67.15.77.192", responded to the SMTP command "rcpt" with "550-(collinsbarrow.net) [216.123.211.107] is currently not permitted to relay  550-through this server. Perhaps you have not logged into the pop/imap server  550-in the last 30 minutes or do not have SMTP Authentication turned on in your  550 email client.  ". The full command sent was "RCPT TO:  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      smtpsvc
Event Category:      None
Event ID:      2013
Date:            8/26/2005
Time:            12:18:07 PM
User:            N/A
Computer:      CBMAIL
Description:
SMTP could not connect to any DNS server. Either none are configured, or all are down.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7c 26 00 00               |&..    


Event Type:      Warning
Event Source:      smtpsvc
Event Category:      None
Event ID:      2012
Date:            8/26/2005
Time:            12:18:07 PM
User:            N/A
Computer:      CBMAIL
Description:
SMTP could not connect to the DNS server '172.16.2.10'. The protocol used was 'UDP'. It may be down or inaccessible.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: d5 04 00 00               Õ...    


2. Also, when email is being sent (even internally) it sits in the Outbox for about 30 seconds before being sent to the recipient.


I have spent the past three days trying to keep up, very exhausted; any help would be greatly appreciated!!!

Thanks in advance.

Bill


Answer : Exchange 2003 Server Mail/ Spam issues

The queues can take three or four goes before they are totally clear. I have taken 5 or 6 hours to clean them in the past.
It doesn't help that ESM is notorious for not showing "everything" when the queues are particularly large.

The only way to really tell is to disconnect the server from the Internet and see if the queues continue to build.

The other thing it could be is a compromised account. They usually target the administrator account as it doesn't lock out while being attacked. If you haven't already, change the password on the administrator account. If this server is a member server (i.e. not a domain controller) then change both the domain administrator and the local administrator password.

Simon.
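
A triage sketch for the MSExchangeTransport events quoted in the question, added here as an example and not part of either post. It separates commands this server refused from a connecting client (the 7010 wording) from commands a remote host refused from this server (the 7004 wording), so a growing outbound count shows mail is still leaving the local queues. The sample descriptions and addresses are constructed.

```python
import re
from collections import Counter

# Description wording as it appears in the events quoted in the question.
INBOUND = re.compile(   # Event ID 7010: this server refused a client's command
    r'The client at "(?P<peer>[^"]+)" sent an? "(?P<cmd>\w+)" command, '
    r'and the SMTP server responded with "(?P<reply>\d{3})')
OUTBOUND = re.compile(  # Event ID 7004: a remote host refused this server's command
    r'The remote host "(?P<peer>[^"]+)", responded to the SMTP command '
    r'"(?P<cmd>\w+)" with "(?P<reply>\d{3})')


def classify(description):
    """Return (direction, peer, command, reply code), or None for other events."""
    for direction, pattern in (("inbound", INBOUND), ("outbound", OUTBOUND)):
        m = pattern.search(description)
        if m:
            return direction, m["peer"], m["cmd"].lower(), m["reply"]
    return None


def triage(descriptions):
    """Count refused commands per direction and per peer address."""
    totals = Counter()
    peers = {"inbound": Counter(), "outbound": Counter()}
    for text in descriptions:
        hit = classify(text)
        if hit:
            direction, peer, _cmd, _reply = hit
            totals[direction] += 1
            peers[direction][peer] += 1
    return totals, peers


# Constructed sample descriptions (documentation-range addresses, not from the post).
SAMPLE = [
    'This is an SMTP protocol log for virtual server ID 1, connection #1. The client at '
    '"192.0.2.10" sent a "rcpt" command, and the SMTP server responded with '
    '"550 5.7.1 Unable to relay for user@example.net  ".',
    'This is an SMTP protocol error log for virtual server ID 1, connection #2. The remote '
    'host "198.51.100.7", responded to the SMTP command "rcpt" with '
    '"550 User (nobody@example.org) unknown.  ".',
    'This is an SMTP protocol error log for virtual server ID 1, connection #3. The remote '
    'host "198.51.100.7", responded to the SMTP command "rcpt" with '
    '"550-(example.com) is currently not permitted to relay  ".',
    'SMTP could not connect to any DNS server. Either none are configured, or all are down.',
]

if __name__ == "__main__":
    totals, peers = triage(SAMPLE)
    print(dict(totals), peers["outbound"].most_common(5))
```
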