Exchange SMTP server Jammed

Wed, 2009-10-21 17:17 by mydatavault · Forum/category:

We have come across an issue on our Exchange Server. (windows 2003 SBS - Exchange 2003)
the SMTP server has Thousands of connections, with tens of thousands of messages all to, and some of the headers just have random chinese writing in them.

Here are the steps we have done already

Reciepient Filtering enabled on server and SMTP filter enabled

Test: send an e-mail to a non exsistant user, and get an immediate bounce from my mail server stating it cannot send... so that is setup and is working.

Not an open relay

Test: unable to telnet into port 25.
verified all settings in SMTP relay are set accordingly.

Cleaned up SMTP queues, verified they were completely empty before restarting the SMTP server... once the SMTP server is started, then the queue starts to fill back up with garbage mail.

Stopped SMTP service again, browsed to

c:\program files\exchsrvr\mailroot\vsi 1\queue

Brute Force deleted all the messages in the queue, both good and bad.

Restarted the SMTP service.

Again the SMTP server beings to flood with invalid emails and smtp connections.
Most SMTP connections are from *.tw domains (appears to be from taiwan) and when I search messages from within those smtp connections the results are garbage, invliad characters, and some from postmaster... still...

I need some assistance with this, and am hoping someone else has come across this issue.

Incoming mails?

Wed, 2009-10-21 19:18 by admin

You didn't state clearly whether the mails are incoming or outgoing, but it sounds a bit as if they are incoming. Also, what is the content of the mails? Are they all bounces?

If so, then some spammer has used your email address as the sender's address for a large number of spam mails, most of which are now returning to your server as bounces. Please check whether that matches the situation.

If so, then you can only wait until the wave recedes. At some time during the next few days your server will have enough power to process all incoming mails. This depends on the performance of your mail server.

As soon as that happens, your server will begin to work normally again.

Other possible explanations are that somebody is running a DoS (Denial of Service) attack against your server from a botnet or, even less likely, that the mails are outgoing and your server is infected with a prolific spam source.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.