I'm young and new to the scene, I have been working on a family member's business server. It is an old server and has a few problems but has a big main one I'm trying to fix now.
I'll try to be as clean and concise as I can be in explaining what I need.
The Server Details:
The server is an old box with limited hardware: 50 GB C: drive with only 1.3 GB free
Total combined hard drive space: 270 GB with 31 GB free
Only has 4 GB of RAM
Has an Intel Xeon processor @ 2.00 GHz
The server also has old software / operating system: running Small Business Server 2003 Service Pack 2
Running Exchange Server 2003
The Problem:
The server was recently blacklisted by our ISP. Upon calling them they provided no support and said that it should be running fine. All configuration pointed to their connection being the problem, so we told the SMTP Virtual Server to create its own connectors using DNS. This fixed our outgoing email problems. However, now I see that we have an infected computer that may be sending out mass email.
This is where I start losing track of things about the situation. What happens is in the Exchange server queue we have many connectors to domains that don't exist, and the message tracking shows mass emails being sent out from our Exchange. Presumably a virus or computer is trying to send spam or send out viruses to other people through our Exchange server.
At first it was using a Gmail account. I blocked the email account's privilege to send out through the server, but then it came back using a different email. Now our queue is clogged more, not just with failed email attempts, but all the NDRs can't be sent through to a real domain so they sit in the queue too. This has led / will lead to blacklisting of our IP as well as our server being clogged up.
I did a test on MxToolbox for our mail server and it said that there wasn't an open relay as I thought initially.
Older posts haven't provided instruction that I can't follow, understand or adapt to this server / my problem.
Solution?:
- A solution to stop our Exchange sending out these mass emails / stop the virus without manually blocking all accounts from sending out email other than ones I specify, otherwise there will be problems opening new accounts later.
- A small explanation as to what's happened so I understand it and can stop it / have knowledge for the future.
- And a quick way to remove the whole queue when I know no legitimate mail is being sent, as there are too many to delete when using "find messages" and "delete with no NDR" inside the queues.
- Hopefully these things will help me and others in the future to understand and fix what has happened.
Final Notes:
Any help at all will be greatly appreciated and any suggestions on where to look / things to try or do.
I understand I'm not the best admin for mail servers; however, I'm doing it for free as we don't have money to spend on IT support but really need the services for the business, and I'm doing the best I can.
If any more detail or information is needed, please don't hesitate to ask.
Thanks,
Jesse Hayward.
Answer
After further research and some common sense I managed to find a solution.
If this is happening to you, go to the system's Event Viewer. Then filter your events by MSExchangeTransport, then by authentication. (This needs to have been previously turned on through the MSExchange settings.) Once done, look to see what user account is being used to authenticate the emails being sent when the spam is going through.
Chances are that this account has an easily guessed password or has let through a virus that has stolen its password. Therefore disabling the account if necessary or changing the password should hopefully stop the problem from continuing.
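The check described in the answer above, done over an exported log instead of by eye: tally authenticated submissions per account and flag the one whose volume is out of line. This is an added example, not code from the post; the tab-separated record layout, the account names and the thresholds are all assumptions constructed for the example, not Exchange 2003's real event text.

```python
import re
from collections import defaultdict

# Constructed sample export: one record per authenticated SMTP submission, in a
# simplified tab-separated layout chosen for this example (not Exchange 2003's
# real event text). The "reception" account is the planted anomaly.
NORMAL = [
    ("2013-04-02 09:01:12", "CORP\\jhayward", 1),
    ("2013-04-02 09:15:40", "CORP\\accounts", 3),
    ("2013-04-02 10:02:05", "CORP\\jhayward", 2),
]
BURST = [("2013-04-02 10:30:%02d" % (i % 60), "CORP\\reception", 25) for i in range(120)]
SAMPLE_LOG = "\n".join(
    "%s\tMSExchangeTransport\tAuthenticated user: %s\tRecipients: %d" % rec
    for rec in NORMAL + BURST
)

RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\tMSExchangeTransport\t"
    r"Authenticated user: (?P<user>[^\t]+)\tRecipients: (?P<rcpts>\d+)$"
)

def parse_records(text):
    """Yield (timestamp, account, recipient_count) for each well-formed line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), int(m.group("rcpts"))

def submissions_by_account(text):
    """Aggregate (messages, recipients) totals per authenticating account."""
    totals = defaultdict(lambda: [0, 0])
    for _ts, user, rcpts in parse_records(text):
        totals[user][0] += 1
        totals[user][1] += rcpts
    return {user: tuple(v) for user, v in totals.items()}

def flag_suspect_accounts(text, max_messages=50, max_recipients=200):
    """Accounts whose volume exceeds either threshold, busiest first.
    The thresholds are assumptions; tune them to the site's normal traffic."""
    totals = submissions_by_account(text)
    suspects = [u for u, (msgs, rcpts) in totals.items()
                if msgs > max_messages or rcpts > max_recipients]
    return sorted(suspects, key=lambda u: totals[u], reverse=True)

if __name__ == "__main__":
    for user, (msgs, rcpts) in sorted(submissions_by_account(SAMPLE_LOG).items()):
        print("%-20s %5d messages %6d recipients" % (user, msgs, rcpts))
    print("suspect accounts:", flag_suspect_accounts(SAMPLE_LOG))
```

A flagged account is the one to disable or reset, as the answer says; the same tally run again afterwards confirms the burst has stopped.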