Error - View Single Post - Exchange 2003 SMTP Queue filling with thousands of spam emails even when not on netwo

**Iphone** · 28-Mar-2007, 01:45 AM

The messages could appear to be still being generated, but I doubt whether they are.
ESM is notorious for not showing the true extent of the queues. A spammer will usually drop and run, and they will drop many thousands of messages in a single hit. Exchange ESM cannot show you all of those messages in one go, so it looks like they continue to appear even with the machine disconnected.

Spam doesn't generate on its own. The spammer is usually created elsewhere and is simply sent through the compromised machine. To get something on to the machine, the server would have to be totally compromised - and the level of compromise depends on how the server was exposed to the internet.

As for the eml messages that you may see with old dates, if the server has been abused before what can often happen is that something else gets hold of the messages and stops Exchange from flushing them out. AV is the common culprit. I have also seen Exchange do odd things when it is under a very heavy load and you may have seen some signs of that.

As I wrote in my article, you usually have to repeat the process for cleaning the queues a number of times; my record is 15 over a six hour period. Only once you can leave the server for a couple of hours disconnected from the internet with clean queues do you know that the server is clean.

I doubt if the source of the messages is a machine on your network. A spammer isn't interested in finding a server to bounce the messages through. If a machine on your network has been compromised your Exchange server wouldn't know about it, as the messages would be going straight out.
Think about it for a moment - the spammer has to a, compromise the machine, b, find the Exchange server, c, create the messages in MAPI not SMTP to get Exchange to process the messages. Alternatively, the spammer just installs an SMTP engine on the machine and sends the spam out. I think I know which one is most likely.

Have you worked out how the email messages got on to your server? If they are postmaster@ messages then it is NDR spam, if not, then it was most likely either an open relay or an authenticated relay. If it was authenticated relay you need to change your administrator password. Don't bother with any other accounts, as the administrator account is the only target for this type of attack (unless a user has been very stupid with their username and password). However you may want to force all users to change their passwords or call in for a new password as a lesson for anyone who might be tempted to hand out their password to anyone else.

28-Mar-2007, 01:45 AM	#2 (permalink)
Iphone Fixed Error! Posts: 4,202 Join Date: Mar 2007 Rep Power: 6 IM:	Re: Exchange 2003 SMTP Queue filling with thousands of spam emails even when not on n The messages could appear to be still being generated, but I doubt whether they are. ESM is notorious for not showing the true extent of the queues. A spammer will usually drop and run, and they will drop many thousands of messages in a single hit. Exchange ESM cannot show you all of those messages in one go, so it looks like they continue to appear even with the machine disconnected. Spam doesn't generate on its own. The spammer is usually created elsewhere and is simply sent through the compromised machine. To get something on to the machine, the server would have to be totally compromised - and the level of compromise depends on how the server was exposed to the internet. As for the eml messages that you may see with old dates, if the server has been abused before what can often happen is that something else gets hold of the messages and stops Exchange from flushing them out. AV is the common culprit. I have also seen Exchange do odd things when it is under a very heavy load and you may have seen some signs of that. As I wrote in my article, you usually have to repeat the process for cleaning the queues a number of times; my record is 15 over a six hour period. Only once you can leave the server for a couple of hours disconnected from the internet with clean queues do you know that the server is clean. I doubt if the source of the messages is a machine on your network. A spammer isn't interested in finding a server to bounce the messages through. If a machine on your network has been compromised your Exchange server wouldn't know about it, as the messages would be going straight out. Think about it for a moment - the spammer has to a, compromise the machine, b, find the Exchange server, c, create the messages in MAPI not SMTP to get Exchange to process the messages. Alternatively, the spammer just installs an SMTP engine on the machine and sends the spam out. I think I know which one is most likely. Have you worked out how the email messages got on to your server? If they are postmaster@ messages then it is NDR spam, if not, then it was most likely either an open relay or an authenticated relay. If it was authenticated relay you need to change your administrator password. Don't bother with any other accounts, as the administrator account is the only target for this type of attack (unless a user has been very stupid with their username and password). However you may want to force all users to change their passwords or call in for a new password as a lesson for anyone who might be tempted to hand out their password to anyone else.