date: Mon, 12 May 2008 09:09:00 -0700,
group: microsoft.public.exchange.admin
Runaway SMTP server
I have E2003 on SBS2003 server. The SMTP server is causing severe network
traffic issues. For some reason, when SMTP is running, Internet access slows
to a crawl - the server and any PCs on the network ping the 'net at anywhere
from 600 - 1100 ms. However, when I stop the SMTP service or the SMTP server
in Exchange System Manager, the ping goes to about 75 ms and Internet access
is fast again.
The problem occurs even when the SMTP virtual server is Paused; the problem
disappears only when the SMTP virtual server is Stopped.
I first became aware of this last week. I then created a new SMTP virtual
server, shut down the first one, and started using the second one. Every time
I stopped the second one & started the first one, the problem began again.
The SMTP service is not running high - the only indication I have is the
network impact. The only connection allowed is from our AV/anti-spam
filtering service. No relays are allowed, even from inside the network.
Now this morning, the problem is occurring even with the new one.
How can I trace the problem to its root?
date: Mon, 12 May 2008 09:09:00 -0700
author: Brian
Re: Runaway SMTP server
Brian,
In your queues - is there only normal outbound and inbound traffic?
From the symptoms that you are giving, open relaying or relaying through a
compromised user account sounds dead on. Have you reviewed the security log
to look for authentications via legitimate user accounts that are odd (based
on time logging in)?
--
Chris S
MCSE, MCITP:Messaging, CISSP
"Brian" wrote:
> I already verified that there are no relays enabled on the virtual server. Are
> "Current Sessions" the same as "active connections"? I see no "Current
> Sessions" here:
>
> First Org -> Server -> <ServerName> -> Protocols -> SMTP -> Default SMTP
> Virtual Server -> Current Sessions
>
> I enabled message tracking & SMTP logging. The only activity I see in both
> places; that is, SMTP logging shows a group of entries every time a message
> goes out, and I can identify it in the message tracking. Neither one is
> continuous, nor are the subjects nor volume abnormal.
>
> "Oliver Moazzezi [MVP]" wrote:
>
> > When you check the active connections listed on the SMTP virtual server,
> > what does it say?
> >
> > You mention pausing it, this will stop new connections but will continue
> > existing ones - making me think you are open relay or some account is
> > compromised and is constantly sending mail.
> >
> > Oliver
date: Mon, 12 May 2008 11:01:05 -0700
author: Christopher Smith
Re: Runaway SMTP server
This is really, really weird.
I went in to check the queues after your post. There are about 15
domain-based queues (i.e. not including the default Local Delivery, etc.
queues). All the names are logical for the business, and there were about
seven or eight that appeared to have the same two messages stuck in the
queue. These are ones for which I saw system admin failure messages come
through earlier today. I think this is because a user sent an e-mail while I
had the SMTP connector stopped as I began testing this problem earlier this
morning. It is the same message that he sent to several recipients at once.
So, I froze all queues - no effect on network speed.
I unfroze all queues - also no effect.
I did a Force Connection on one of them - still no effect
However, I hit F5 to refresh about one minute later, all the queues went to
0 and my network ping went from 1000 ms to 75. The problem appears to have
resolved itself suddenly.
Go figure!
I suspect this will happen again, though, so any additional diagnostic steps
would be helpful. I will certainly check the queues first next time.
"Christopher Smith" wrote:
> Brian,
>
> In your queues - is there only normal outbound and inbound traffic?
>
> From the symptoms that you are giving, open relaying or relaying through a
> compromised user account sounds dead on. Have you reviewed the security log
> to look for authentications via legitimate user accounts that are odd (based
> on time logging in)?
>
> --
> Chris S
> MCSE, MCITP:Messaging, CISSP
>
>
> "Brian" wrote:
>
> > I already verified that there are no relays enabled on the virtual server. Are
> > "Current Sessions" the same as "active connections"? I see no "Current
> > Sessions" here:
> >
> > First Org -> Server -> <ServerName> -> Protocols -> SMTP -> Default SMTP
> > Virtual Server -> Current Sessions
> >
> > I enabled message tracking & SMTP logging. The only activity I see in both
> > places; that is, SMTP logging shows a group of entries every time a message
> > goes out, and I can identify it in the message tracking. Neither one is
> > continuous, nor are the subjects nor volume abnormal.
> >
> > "Oliver Moazzezi [MVP]" wrote:
> >
> > > When you check the active connections listed on the SMTP virtual server,
> > > what does it say?
> > >
> > > You mention pausing it, this will stop new connections but will continue
> > > existing ones - making me think you are open relay or some account is
> > > compromised and is constantly sending mail.
> > >
> > > Oliver
date: Mon, 12 May 2008 11:43:02 -0700
author: Brian
Re: Runaway SMTP server
See my other post.
FYI also. I suspected an open relay; however, I verified that no relay was
open, and nothing unusual showed up in the SMTP log.
My best guess is that two messages CC'd to several (perhaps five to seven)
recipients got stuck in the queue; however, I do not know now whether that
was the source of the problem or a result of my initial stop of the SMTP
server right when the user attempted to send them.
Since the underlying problem happened three days ago & then again today,
though, I suspect I will see it again, and I will check the queues first next
time.
"Betelgeuse" wrote:
> What do the queues look like?
>
> "Brian" wrote in message
> news:9F0B97F3-D2C6-488F-86C2-231B6F23B162@microsoft.com...
> >I already verified that there are no relays enabled on the virtual server.
> >Are
> > "Current Sessions" the same as "active connections"? I see no "Current
> > Sessions" here:
> >
> > First Org -> Server -> <ServerName> -> Protocols -> SMTP -> Default SMTP
> > Virtual Server -> Current Sessions
> >
> > I enabled message tracking & SMTP logging. The only activity I see in both
> > places; that is, SMTP logging shows a group of entries every time a
> > message
> > goes out, and I can identify it in the message tracking. Neither one is
> > continuous, nor are the subjects nor volume abnormal.
> >
> > "Oliver Moazzezi [MVP]" wrote:
> >
> >> When you check the active connections listed on the SMTP virtual server,
> >> what does it say?
> >>
> >> You mention pausing it, this will stop new connections but will continue
> >> existing ones - making me think you are open relay or some account is
> >> compromised and is constantly sending mail.
> >>
> >> Oliver
date: Mon, 12 May 2008 11:59:06 -0700
author: Brian
Re: Runaway SMTP server
Brian,
Glad to hear it. If this helped to solve your problem, please indicate that
this was the answer to your issue. This is helpful to all in the posting
community!
Thanks Brian,
--
Chris S
MCSE, MCITP:Messaging, CISSP
"Brian" wrote:
> This is really, really weird.
>
> I went in to check the queues after your post. There are about 15
> domain-based queues (i.e. not including the default Local Delivery, etc.
> queues). All the names are logical for the business, and there were about
> seven or eight that appeared to have the same two messages stuck in the
> queue. These are ones for which I saw system admin failure messages come
> through earlier today. I think this is because a user sent an e-mail while I
> had the SMTP connector stopped as I began testing this problem earlier this
> morning. It is the same message that he sent to several recipients at once.
>
> So, I froze all queues - no effect on network speed.
> I unfroze all queues - also no effect.
> I did a Force Connection on one of them - still no effect
>
> However, I hit F5 to refresh about one minute later, all the queues went to
> 0 and my network ping went from 1000 ms to 75. The problem appears to have
> resolved itself suddenly.
>
> Go figure!
>
> I suspect this will happen again, though, so any additional diagnostic steps
> would be helpful. I will certainly check the queues first next time.
>
> "Christopher Smith" wrote:
>
> > Brian,
> >
> > In your queues - is there only normal outbound and inbound traffic?
> >
> > From the symptoms that you are giving, open relaying or relaying through a
> > compromised user account sounds dead on. Have you reviewed the security log
> > to look for authentications via legitimate user accounts that are odd (based
> > on time logging in)?
> >
> > --
> > Chris S
> > MCSE, MCITP:Messaging, CISSP
> >
> >
> > "Brian" wrote:
> >
> > > I already verified that there are no relays enabled on the virtual server. Are
> > > "Current Sessions" the same as "active connections"? I see no "Current
> > > Sessions" here:
> > >
> > > First Org -> Server -> <ServerName> -> Protocols -> SMTP -> Default SMTP
> > > Virtual Server -> Current Sessions
> > >
> > > I enabled message tracking & SMTP logging. The only activity I see in both
> > > places; that is, SMTP logging shows a group of entries every time a message
> > > goes out, and I can identify it in the message tracking. Neither one is
> > > continuous, nor are the subjects nor volume abnormal.
> > >
> > > "Oliver Moazzezi [MVP]" wrote:
> > >
> > > > When you check the active connections listed on the SMTP virtual server,
> > > > what does it say?
> > > >
> > > > You mention pausing it, this will stop new connections but will continue
> > > > existing ones - making me think you are open relay or some account is
> > > > compromised and is constantly sending mail.
> > > >
> > > > Oliver
date: Mon, 12 May 2008 13:23:03 -0700
author: Christopher Smith
Re: Runaway SMTP server
Sorry about the delayed reply. I was just stuck on other projects, and this
happens only at certain times, so it has not stopped operations.
I thought it could be a Comcast (Internet) problem, but it is SMTP-only
related. The problem stops immediately when I click stop on the SMTP service
- even before the Stop progress indicator begins moving across the screen.
The ping speed goes from 90 ms to 750 ms when SMTP is running and back to 90
ms when it is not - but only during the early morning time period.
This is very odd. Facts:
1. It happens only between approximately 7:00 & 9:00 am.
2. Now, at this same time of day (almost every day) a particular user sends
out a batch of e-mails. There are perhaps three messages, each going to about
15 recipients.
3. When I freeze all queues (including those for the messages above), the
problem still exists. When I then look at active connections, I see nothing.
When I refresh the queue list, there are no unfrozen queues. The problem
persists until
Is there any additional level of debugging/logging that I can use that will
help identify the SMTP-related traffic that continues even with all queues
frozen & no new queues appearing?
"Oliver Moazzezi [MVP]" wrote:
> When you check the active connections listed on the SMTP virtual server,
> what does it say?
>
> You mention pausing it, this will stop new connections but will continue
> existing ones - making me think you are open relay or some account is
> compromised and is constantly sending mail.
>
> Oliver
date: Sun, 29 Jun 2008 10:01:01 -0700
author: Brian
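Added example, not part of any poster's message: one way to follow up on the time-of-day pattern discussed in the thread is to total the bytes in the SMTP virtual server's W3C extended log per hour and per peer address, then list the hours that stand far above the median hour. The log sample is constructed, the function names are hypothetical, and it assumes the c-ip, cs-method, sc-bytes and cs-bytes fields are enabled in the logging properties.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample (not from the thread) in W3C extended log format.
# W3C extended logs record time in UTC, so 07:00-09:00 at -0700 is 14:00-16:00.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method sc-bytes cs-bytes
2008-05-12 03:10:01 192.0.2.10 DATA 120 40
2008-05-12 09:15:22 192.0.2.10 DATA 120 40
2008-05-12 14:02:10 198.51.100.7 DATA 200 90000
2008-05-12 14:02:40 198.51.100.7 DATA 200 90000
2008-05-12 14:03:05 198.51.100.7 DATA 200 90000
2008-05-12 14:20:00 192.0.2.10 DATA 120 40
truncated line
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):  # skip damaged lines
                yield dict(zip(fields, parts))

def as_int(value):
    """Byte counters are logged as '-' when the value is not available."""
    return int(value) if value.isdigit() else 0

def hourly_bytes(entries):
    """Map 'date hour' -> Counter of bytes moved per peer address."""
    hours = defaultdict(Counter)
    for e in entries:
        key = f"{e['date']} {e['time'][:2]}"
        hours[key][e["c-ip"]] += as_int(e["sc-bytes"]) + as_int(e["cs-bytes"])
    return hours

def busy_hours(hours, factor=3):
    """Return (hour, total_bytes, top_peer) for hours above factor x median."""
    totals = {h: sum(c.values()) for h, c in hours.items()}
    baseline = median(totals.values()) if totals else 0
    return [(h, t, hours[h].most_common(1)[0][0])
            for h, t in sorted(totals.items()) if t > factor * baseline]

if __name__ == "__main__":
    for hour, total, peer in busy_hours(hourly_bytes(parse_w3c(SAMPLE_LOG))):
        print(f"{hour}:00 UTC  {total} bytes  top peer {peer}")
```

If the slow hours show no matching rise in logged SMTP bytes, the traffic is not passing through logged SMTP sessions and a packet capture on the server is the next place to look.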