jerrylMemberJul 29, 2011 at 2:21 pm #155682
We are running SBS2003 (Exchange 2003) all up to date. We got hit with a SPAM attack starting last Friday (7-22) at 7:21 AM. It continued through the weekend and I finally got it stopped (I believe) on Tuesday afternoon. Part of it was due to NDRs being allowed. The check box was set even though they had been disallowed since a large NDR attack several years ago. That was easy to fix, clear the check box, thus dis-allowing NDRs. I suspect the large # of NDRs was due to the following, bigger problem.
First noticed that our outgoing mail was not being processed because the outbound SMTP queues were filling up with SPAM. We are NOT setup as an open relay but allow authentication, as is typical and required for ActiveSync. On Tuesday 7-26, I required everyone to change their passwords and several people had “password” as their password. I received a number of Unsuccessful Security Audits in the Event log for a particular user who had just changed his password from “password” after he had left for the day. Since then, all the SPAM msgs that are being processed have “submitted date/times” between 7/21/11 7:21 AM and 7/26/11 12:34 PM. This tells me that the attack has been stopped from outside the building.
Since then, I have been trying to clear the outbound SMTP queues but they continue to fill. I now have upwards of 38,000 queues with a multitude of SPAM messages in each one. I am using Server Management to monitor and clear them. However, this was taking an awful long time, so I obtained “aqadmcli.exe”, which is a good tool to clear the queues from a command line. I then automated this with a script file that runs every 10 minutes. I am still in the process of editing the script file to add more domain names to the “delmsg” commands. It appears that wildcards will work so I can do a “delmsg z*.com,flags=all” to cut down on the typing, but I’m not sure. My question is this:
When I stop SMTP service for any reason and restart, it seems like the queues fill up again with the same SPAM msgs, but I can’t tell for sure since most of the spam msgs are from 2 or 3 senders (spoofed I’m sure) with the same text. An example is this:
I had tens of thousands of msgs originally destined for “yahoo.com”. With the script running every 10 minutes, “yahoo.com” queue was pretty much cleared in a few hours. Then when I stopped/restarted SMTP, yahoo.com queue starts to rapidly fill again. I have verified that the SPAM traffic filling up the queues is NOT coming from outside the building anymore by disconnecting all network cables.
My thinking is that the SPAM is being processed into the outbound queues from a file somewhere (pre-routing queue?) and that by stopping/restarting SMTP service it is starting over again to populate the outbound queues from this “file somewhere” that holds all the inbound SMTP traffic prior to routing.
I have a virus that is generating the traffic internally. This seems unlikely as I’ve done multiple scans with ANti-malware and TrendMicro (clean) and a “search” of the hard drives for phrases in the SPAM or the Senders shows up only in the queues.
I am going to try and let the automated script run over the weekend without interruption to see if the queues just need to be flushed
Anybody have any more insight into this or can comment on my approach or tell me where to look for a file that is used to hold the msgs prior to routing? Is it plausible that by stopping/restarting SMTP, I’m interrupting the flush and need to let it finish? Any help or comments appreciated.
Oh and top of that our Email Server RAID drives crashed Wed nite and wouldn’t rebuild. That took a day away (all Thursday) away from trying to clean up the queues. I’m heading home, it’s been a long week.
On the plus side, I’ve learned more about Exchange 2003 this week than I have in the 4-5 yrs we’ve had it up and running. When things are running smooth, there’s no need to jump in and monkey with stuff.
You must be logged in to reply to this topic.