When was the last time you deleted all of the emails in the queue
directory, to see how many you are actually getting a day? Do you actually
get 1500 new emails in the queue a day? Are the addresses that the spammer is
sending to internal addresses of your users, or external ones, or both?

If the messages are in the queue directory, doesn't that mean that they
are being caught there and not being relayed? In which case you can edit the
registry to limit the number of messages that the queue can hold (Q258748).
This may also help your processor utilization, because it will quit trying
to send these caught emails.

Just ideas to look into.

Doug

-----Original Message-----
From: Jesse Rink [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 9:09 AM
To: MS-Exchange Admin Issues
Subject: RE: My IIS SMTP is being used as a relay - need help stopping
this


Heh, yeah... I guess so.  Anyway, if you can lend a hand, please let me
know.  This is very frustrating.  My queue is getting TONS of messages per
minute from these spammers and I need to get it fixed as it's using up to
about 30% of our incoming T1 bandwidth.

> Well, then I must modify my band camp scenario... : > 
> 
> Kevinm M WLKMMAS, UCC+WCA, CKWSE
> 
> 
> -----Original Message-----
> From: Jesse Rink [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, November 21, 2001 7:01 AM
> To: MS-Exchange Admin Issues
> Subject: RE: My IIS SMTP is being used as a relay - need help stopping
> this
> 
> 
> 3 reasons why I know (in order of finding them out)
> 
> 1. The amount of incoming traffic on our T1 increased about 40x as of
>    yesterday.
> 2. The # of messages in the IIS SMTP relay /queue directory is
>    constantly around 1500 messages and are FROM: a domain that is not my
>    domain (some dude sending hotmail.com messages about a porn site).
> 3. I went to www.abuse.net and used their smtp relay abuse test and the
>    results showed that my server could be used as a relay.
> 
> :) or should I say, :(  heh.. Need help figuring out what to change in
> IIS SMTP now.. Thanks!
> 
> 
> > How do you know you are being used as a relay?
> > 
> > Kevinm M WLKMMAS, UCC+WCA, CKWSE
> > 
> > 
> > -----Original Message-----
> > From: Jesse Rink [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, November 21, 2001 6:35 AM
> > To: MS-Exchange Admin Issues
> > Subject: My IIS SMTP is being used as a relay - need help stopping
> > this
> > 
> > 
> > Well, after making sure my IIS 4.0 SMTP relay server was not infected
> > by the NIMDA virus and applying all the MS01-044 IIS cumulative 
> > security bulletin, I am still being used as a relay point.
> > 
> > The most confusing thing is: I can't understand how they are doing it
> > because when I telnet into the IIS SMTP relay from HOME, it DOESN'T 
> > allow me to relay.  The following shows up:
> > 
> > 220-w-smtp01.whitnall.com Microsoft SMTP MAIL ready at Wed, 21 Nov 
> > 2001 08:16:19  -0600 Version: 5.5.1877.197.19
> > 220 ESMTP spoken here     
> > 
> > At this point I try and type "Helo me", "Mail From:", or other 
> > commands, and they ALL fail with either a) a 550 error, b) no 
> > response.
> > 
> > If on the other hand, I telnet into the SMTP relay from a PC here on 
> > the LAN I can issue "Helo me", "Mail From:" or other commands and use
> > it as a relay without problem.
> > 
> > What I'm looking for is someone running IIS SMTP services to help me 
> > out here.  My IIS SMTP relay is in my DMZ Interface and my (1) 
> > Exchange server is on the Inside Interface of the firewall.  I'm 
> > worried that our domain will start getting banned or black listed (I 
> > heard this happens) because we are being used as a relay point.  This
> > is the 2nd day it's been occurring and I need to get this fixed soon.
> > 
> > If you can help, please let me know.  Thanks.
> > 
> > Jesse Rink
> > [EMAIL PROTECTED]
> > 
> > List Charter and FAQ at: 
> > http://www.sunbelt-software.com/exchange_list_charter.htm
> 
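The questions raised in the thread (how many queued messages are really relay traffic, and whether their recipients are internal or external) can be answered by triaging the queue contents. The following is an added example, not part of the original thread: it assumes queued messages can be read as RFC 822 text and that `whitnall.com` is the only domain the server accepts mail for, and the sample messages are constructed.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the domains this relay legitimately accepts mail for.
LOCAL_DOMAINS = {"whitnall.com"}

def domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def classify(raw):
    """Label one queued message by its header sender and recipients.
    Headers can be forged, so treat the result as triage and confirm it
    against the SMTP service logs."""
    msg = message_from_string(raw)
    sender = domain(parseaddr(msg.get("From", ""))[1])
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    rcpt_domains = {domain(a) for _, a in rcpts} - {""}
    if not sender or not rcpt_domains:
        return "unknown"
    external_rcpt = bool(rcpt_domains - LOCAL_DOMAINS)
    if sender in LOCAL_DOMAINS:
        return "outbound" if external_rcpt else "internal"
    # External sender to external recipient is third-party relay traffic.
    return "relayed" if external_rcpt else "inbound"

def summarize(messages):
    """Count messages per label, and sender domains among relayed ones."""
    labels, relay_senders = Counter(), Counter()
    for raw in messages:
        label = classify(raw)
        labels[label] += 1
        if label == "relayed":
            sender = parseaddr(message_from_string(raw).get("From", ""))[1]
            relay_senders[domain(sender)] += 1
    return labels, relay_senders

# Constructed sample queue contents (not taken from the thread).
SAMPLE_QUEUE = [
    "From: promo@example.net\nTo: a@example.org, b@example.com\nSubject: x\n\nbody\n",
    "From: promo@example.net\nTo: c@example.org\nSubject: x\n\nbody\n",
    "From: friend@example.org\nTo: user@whitnall.com\nSubject: hi\n\nbody\n",
    "From: user@whitnall.com\nTo: friend@example.org\nSubject: re: hi\n\nbody\n",
]

if __name__ == "__main__":
    labels, senders = summarize(SAMPLE_QUEUE)
    print(dict(labels), senders.most_common(5))
```

A queue dominated by the "relayed" label points to third-party relaying, while mostly "inbound" messages would be spam addressed to local users, which relay restrictions alone do not stop.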