RE: RBLs

2008-01-21 Thread William Lefkovics
That is a good example John.

RBLs have grown up though. Some are pretty specific about what they block
from geographic source to connection method (i.e. dialup) and some are
responsive to queries.

I have used Spamhaus for years, and I have not had to deal with them either.



-----Original Message-----
From: Matteson, John H Jr USA Mr USA 25th SigBN (ITT)
[mailto:[EMAIL PROTECTED] 
Sent: Sunday, January 20, 2008 8:46 PM
To: MS-Exchange Admin Issues
Subject: RE: RBLs

Hi Micheal:

It's been a while since I've had to deal with them directly.
Spamhaus is not one of the ones that I have had to deal with in the past.
The biggest PITA real time black hole list shut down active operations about
4 years ago, but left their last list in place, making it impossible for
incorrectly listed mail servers to get off the list.

When I was contracted to Owens-Corning, they started a push to use
real time black hole lists, until they suddenly could not receive mail from
their operations in China. The service they were using had blocked the
ENTIRE Asian region, Japan, China, et al. To say the least, OC didn't use
RTBLs for very long.


John H. Matteson, Jr.
Systems Administrator/ITT Systems
FOB Orgun-E
Afghanistan
DSN - 318 431 8000
VoSIP - (308) 431 - 
Iridium - 717.633.3823

A man who thinks of himself as belonging to a particular national group in
America has not yet become an American. And the man who goes among you to
trade upon your nationality is no worthy son to live under the Stars and
Stripes.  Woodrow Wilson


-----Original Message-----
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 9:04 PM
To: MS-Exchange Admin Issues
Subject: Re: RBLs

There are certainly bad DNSBLs out there.  I actually dedicated a section
of that article to listing which popular ones to be careful of, and why.

But, who specifically do you mean by "they"?


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja ~


RE: ActiveSync for Phones

2008-01-21 Thread Greg Olson
FYI, just a heads up to anyone else using these guys
(http://www.certificatesforexchange.com/). The certs that they issue are
NOT compatible with Windows Mobile 6 (at least Cingular 8125, 8550,
tilt, and the 3125). They're using an intermediate signing server (they
sent the intermediate cert with the signed web site cert) and their
"http://www.valicert.com" is not listed in the device (WM6 ATT Tilt) as
a trusted root signer. In OWA it works fine, but on Mobile 6 I get the
dreaded Support code 0x80072F0D and viewing the OWA page through the
mobile device confirms that it is not trusted as it comes up with a
warning upon login. If I install their intermediate and root cert on the
WM device then it works, but there is no way I'm doing that for all
these phones.

So YMMV with these guys.

Guess I'm going to have to pony up and spend quite a bit more for a
Thawte cert.. :(




This is what they say to do:

Importing and Installing Root Certificate on Windows Mobile 5 Devices

Starfield's Valicert root certificate is installed on all mobile devices
that run Windows Mobile 5.0 AKU 2 or a later incarnation of the
operating system. However, devices that run older versions of Windows
Mobile 5.0 do not have the Starfield root installed.

To check if the Starfield root is installed on your device, please visit
the root store on your device:

1. Open the Settings menu.
2. Select System.
3. Select Certificates.
4. Verify that "http://www.valicert.com" is listed in the root store.
   - If the root is included, your device is running Windows Mobile 5 AKU 2
     or later. No further action is required.
   - If the root is not included, follow the instructions below to import and
     install it.

To install the root certificate on your Windows Mobile 5 device (might
as well install my own free self-signed cert if I have to do this):

1. Download the root certificate to your PC in DER format with a .cer file
   extension (i.e., valicert_class2_root.cer). The root can be downloaded
   from the Starfield repository.
2. Copy the downloaded root certificate to your device using ActiveSync.
3. On your mobile device, locate the imported file using File Explorer and
   click on it.
4. The device will display the following prompt: "You are about to install
   valicert_class2_root.cer certificate issued by http://www.valicert.com/.
   Do you want to continue?" (If you saved the root under a different name,
   that file name will show up in the prompt.)
5. Accept the prompt to install the root certificate on your device.




-----Original Message-----
From: Don Andrews [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 09, 2008 3:08 PM
To: MS-Exchange Admin Issues
Subject: RE: ActiveSync for Phones

..chunks.

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 09, 2008 2:37 PM
To: MS-Exchange Admin Issues
Subject: RE: ActiveSync for Phones

Good move. Roll your own certs blow.

-----Original Message-----
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 09, 2008 2:03 PM
To: MS-Exchange Admin Issues
Subject: RE: ActiveSync for Phones

Thanks.  I've purchased and installed a new cert from Starfield and will
be testing the phones later.


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


I worship the quicksand he walks in.

-Art Buchwald 


-----Original Message-----
From: Simon Butler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 08, 2008 8:25 PM
To: MS-Exchange Admin Issues
Subject: RE: ActiveSync for Phones

If it is a self signed certificate then unless you have imported some
kind of root certificate on to the device, it isn't going to work. The
certificate will need to be imported in to each device.

However the question has to be why you are using a self generated
certificate anyway? When you can get SSL certificates that are trusted
by Windows Mobile for US$20/year (see my sig) it doesn't make any sense
to use self generated certificates. The only reason I can think of is
that it provides a barrier for the user to get over to use their own
device, but if you are using the same certificate for OWA then it is a
very low hurdle that a tech savvy user will easily get around.

Simple test: browse to https://host.domain.com/oma (where
host.domain.com is the name on the SSL certificate) using Pocket IE from
the device. If you get an SSL prompt then you have a problem with the
certificate - trust, name etc.

Simon.



--
Simon Butler
MVP: Exchange, MCSE
Amset IT Solutions Ltd.

e: [EMAIL PROTECTED]
w: www.amset.co.uk
w: www.amset.info

Need cheap certificates for Exchange, compatible with Windows Mobile
5.0?
Go to http://www.certificatesforexchange.com/ for certificates for just
$20 a year.
Now includes SAN certificates for Exchange 2007 for just $59 a year.


-----Original Message-----
From: Greg Olson [mailto:[EMAIL PROTECTED]
Sent: 09 January 2008 00:04
To: MS-Exchange Admin Issues
Subject: RE: ActiveSync for Phones

Missed the part about it being self-signed.
Ok, is this cert 

RE: Snow Resort in Fort Worth, TX?

2008-01-21 Thread David Mazzaccaro
It's called Snowflex:

http://en.wikipedia.org/wiki/Snowflex

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 7:03 PM
To: MS-Exchange Admin Issues
Subject: RE: Snow Resort in Fort Worth, TX?

 

 

Where's the details on the composition of the snow that doesn't melt?

 

 



From: Sherry Abercrombie [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 7:12 AM
To: MS-Exchange Admin Issues
Subject: OT: Snow Resort in Fort Worth, TX?

A man in the UK invented a snow/ice type substance that doesn't melt!
There are plans to have a huge snow resort in the Alliance area. The
website below has all of the details! 

http://www.bearfireresorts.com/

Hey Kim, can you see snow skiing here in August???  

-- 
Sherry Abercrombie

Reality is merely an illusion, albeit a persistent one.
-Albert Einstein 

 


Re: Snow Resort in Fort Worth, TX?

2008-01-21 Thread Sherry Abercrombie
Snowflex it is.  If you want to see it in action, watch this:

http://www.youtube.com/watch?v=OKU_CBeWQyY




Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Clayton Doige
Dear all, I have a server apparently spewing out a horde of SMTP messages,
at least according to the Message Tracking system, which indicates the
emails originate from a specific email address.

This is Exchange 2003 by the way:

I have checked and the system is not a relay, and only authenticated users
are allowed to send. I blocked access for this particular user account to
the smtp connector, and changed the password on the user account.

When looking in Message Tracking subsequent to making the changes above, the
messages are noted, and the last action for each message is Submitted to
Categorizer.

According to the ISP mails are still coming out, and there is no record of
an SMTP server on the packets.

netstat outputs also seem like everything is normal, although the output is
extensive.

The box has been swept by its local Trend SMEX, and Office Scan, plus two
other online scanners. WireShark is not telling me anything exciting, and
none of the processes running in task manager seem out of the norm.

If this was another authenticated machine on the LAN  I would have expected
the password change to have put an end to that.

Has anyone seen similar, and if so could you kindly point this already bald
person in the right direction?

Many thanks in advance

-- 
Regards,

Clayton
[EMAIL PROTECTED]
http://alsipius.com


Re: Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Clayton Doige
None of the processes, services, or registry entries that Hijack
This outputs looks untoward on the server. Can the tool be used centrally
to analyse numerous hosts, or does this need to be done on a host by host
basis?

Really what I want to do is see where these messages are originating as they
are not in sent items for this user's mailbox. Message Tracking has limited
output, and I am having a devil of a time trying to track down the source
for these messages.

BTW, OOF etc are disabled on this server.

Thanks


On 21/01/2008, Clayton Doige [EMAIL PROTECTED] wrote:

 We have swept everything on the LAN, nothing revealed from that. I have
 downloaded Hijack This and am just running the thing now, and looking at the
 results.

 thanks :-)


 On 21/01/2008, Candee Vaglica [EMAIL PROTECTED] wrote:
 
  Hi, Clayton.
  I second the Hijack this recommendation.
  Are you saying you swept the server or the user's workstation?
  I would pull the workstation off the LAN first thing.
 
 

Re: Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Candee Vaglica
My thinking is that the from is probably spoofed, so changing that
user's password isn't going to accomplish anything.




RE: Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Simon Butler
The first thing I would do is disable authenticated relaying.
It may cause some problems for some users, but it needs to be done.

Very unusual for a specific user account to be targeted, the usual target is 
the administrator account. Therefore what might be happening is that a user 
account is being abused but the authentication prompt is the administrator 
account.

I would not expect the messages to show in the Sent Items, almost certainly the 
messages are coming from outside and are being pushed through SMTP.

Take a look at my spam cleanup article: 
http://www.amset.info/exchange/spam-cleanup.asp

Also remember that ESM is notorious for not showing the true extent of the 
queues, so while you may think you have cleaned the server up, the messages can 
continue to flow.

Simon.
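
One way to answer the question raised in this thread (which client is actually submitting the messages over SMTP), as an added example that is not part of any poster's message. It assumes SMTP protocol logging in W3C extended format is available for the SMTP virtual server; the log lines, addresses, LAN range and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the internal network range (hypothetical value).
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample log, not taken from the thread. Which fields appear
# depends on the logging configuration, so the parser reads the #Fields line.
SAMPLE_LOG = """\
#Fields: date time c-ip s-ip s-port cs-method cs-uri-query sc-status
2008-01-21 15:01:02 192.168.1.23 192.168.1.10 25 EHLO +ws23 250
2008-01-21 15:01:02 192.168.1.23 192.168.1.10 25 MAIL +FROM:<jdoe@example.com> 250
2008-01-21 15:01:03 192.168.1.23 192.168.1.10 25 RCPT +TO:<pat@example.net> 250
2008-01-21 15:01:03 192.168.1.23 192.168.1.10 25 QUIT - 221
2008-01-21 15:02:10 203.0.113.45 192.168.1.10 25 EHLO +host45 250
2008-01-21 15:02:11 203.0.113.45 192.168.1.10 25 MAIL +FROM:<jdoe@example.com> 250
2008-01-21 15:02:11 203.0.113.45 192.168.1.10 25 RCPT +TO:<r1@example.org> 250
2008-01-21 15:02:11 203.0.113.45 192.168.1.10 25 RCPT +TO:<r2@example.org> 250
2008-01-21 15:02:12 203.0.113.45 192.168.1.10 25 RCPT +TO:<r3@example.org> 550
2008-01-21 15:02:13 203.0.113.45 192.168.1.10 25 MAIL +FROM:<jdoe@example.com> 250
2008-01-21 15:02:13 203.0.113.45 192.168.1.10 25 RCPT +TO:<r4@example.org> 250
2008-01-21 15:02:14 198.51.100.7 192.168.1.10 25 MAIL +FROM:<news@example.org> 250
2008-01-21 15:02:14 198.51.100.7 192.168.1.10 25 RCPT +TO:<jdoe@example.com> 250
"""


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or odd lines
                yield dict(zip(fields, values))


def address_from_query(query):
    """Extract the mailbox from '+FROM:<a@b>' or '+TO:<a@b>' ('' if absent)."""
    start, end = query.find("<"), query.find(">")
    return query[start + 1:end].lower() if 0 <= start < end else ""


def submitters(records, sender):
    """Summarise, per client IP, the SMTP transactions that used `sender`.

    Transactions are tracked per client IP, so interleaved concurrent
    sessions from one address are merged (an approximation).
    """
    sender = sender.lower()
    stats = defaultdict(lambda: {"messages": 0, "accepted_rcpt": 0,
                                 "rejected_rcpt": 0, "helo": set()})
    in_txn = set()  # client IPs whose current MAIL FROM matched `sender`
    helo = {}       # last HELO/EHLO name seen per client IP
    for r in records:
        ip, verb, query = r["c-ip"], r["cs-method"].upper(), r["cs-uri-query"]
        if verb in ("HELO", "EHLO"):
            helo[ip] = query.lstrip("+")
        elif verb == "MAIL":
            if address_from_query(query) == sender and r["sc-status"] == "250":
                in_txn.add(ip)
                stats[ip]["messages"] += 1
                stats[ip]["helo"].add(helo.get(ip, "?"))
            else:
                in_txn.discard(ip)
        elif verb == "RCPT" and ip in in_txn:
            key = "accepted_rcpt" if r["sc-status"] == "250" else "rejected_rcpt"
            stats[ip][key] += 1
        elif verb in ("RSET", "QUIT"):
            in_txn.discard(ip)
    for ip, s in stats.items():
        s["internal"] = ipaddress.ip_address(ip) in LAN
    return dict(stats)


def external_sources(stats):
    """Client IPs outside the LAN, busiest (by accepted recipients) first."""
    outside = [ip for ip, s in stats.items() if not s["internal"]]
    return sorted(outside, key=lambda ip: -stats[ip]["accepted_rcpt"])


if __name__ == "__main__":
    summary = submitters(parse_w3c(SAMPLE_LOG), "jdoe@example.com")
    for ip, s in summary.items():
        where = "LAN" if s["internal"] else "external"
        print(f"{ip:15} {where:8} msgs={s['messages']} "
              f"rcpt_ok={s['accepted_rcpt']} rcpt_rejected={s['rejected_rcpt']} "
              f"helo={sorted(s['helo'])}")
    print("external sources:", external_sources(summary))
```

An external address submitting with the internal sender points at relay abuse from outside, while a LAN address that is not the user's mail client points at a workstation to isolate.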



Re: Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Candee Vaglica
Nice work.
Thanks!



RE: Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Campbell, Rob
They'll only be in sent items if Outlook was leveraged to send them.  Most 
viruses come with their own smtp client.

Sent from my GoodLink synchronized handheld (www.good.com)



RE: Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Ellis, John P.
I'd start by unplugging the Exchange server and see if the traffic
stops. If it does you've isolated the problem. If it does, then I'd start
unplugging sections of the network and see when it stops. A bit severe,
but you will get an idea of where the problem lies.
 
John



From: Campbell, Rob [mailto:[EMAIL PROTECTED] 
Sent: 21 January 2008 16:01
To: MS-Exchange Admin Issues
Subject: RE: Virus Hunt (PLEASE HELP)





They'll only be in sent items if Outlook was leveraged to send them.
Most viruses come with their own smtp client.

Sent from my GoodLink synchronized handheld (www.good.com)


 -Original Message-
From:   Simon Butler [mailto:[EMAIL PROTECTED]
Sent:   Monday, January 21, 2008 09:54 AM Central Standard Time
To: MS-Exchange Admin Issues
Subject:RE: Virus Hunt (PLEASE HELP)

The first thing I would do is disable authenticated relaying.
It may cause some problems for some users, but it needs to be done.

Very unusual for a specific user account to be targeted, the usual
target is the administrator account. Therefore what might be happening
is that a user account is being abused but the authentication prompt is
the administrator account.

I would not expect the messages to show in the Sent Items, almost
certainly the messages are coming from outside and are being pushed
through SMTP.

Take a look at my spam cleanup article:
http://www.amset.info/exchange/spam-cleanup.asp

Also remember that ESM is notorious for not showing the true extent of
the queues, so while you may think you have cleaned the server up, the
messages can continue to flow.

Simon.


From: Clayton Doige [mailto:[EMAIL PROTECTED]
Sent: 21 January 2008 15:36
To: MS-Exchange Admin Issues
Subject: Re: Virus Hunt (PLEASE HELP)

None of the processes, services, or registry entries that Hijack This
outputs looks untoward on the server. Can the tool be used centrally to
analyse numerous hosts, or does this need to be done on a host by host
basis?

Really what I want to do is see where these messages are originating as
they are not in sent items for this user's mailbox. Message Tracking has
limited output, and I am having a devil of a time trying to track down
the source for these messages.

BTW, OOF etc are disabled on this server.

Thanks


On 21/01/2008, Clayton Doige [EMAIL PROTECTED] wrote:
We have swept everything on the LAN, nothing revealed from that. I have
downloaded Hijack This and am just running the thing now, and looking at
the results.

thanks :-)


On 21/01/2008, Candee Vaglica [EMAIL PROTECTED] wrote:
Hi, Clayton.
I second the Hijack this recommendation.
Are you saying you swept the server or the user's workstation?
I would pull the workstation off the LAN first thing.


On Jan 21, 2008 10:03 AM, Clayton Doige [EMAIL PROTECTED] wrote:
 Dear all, I have a server apparently spewing out a horde of SMTP messages,
 at least according to the Message Tracking system, which indicates the
 emails originate from a specific email address.

 This is Exchange 2003 by the way:

 I have checked and the system is not a relay, and only authenticated users
 are allowed to send. I blocked access for this particular user account to
 the smtp connector, and changed the password on the user account.

 When looking in Message Tracking subsequent to making the changes above, the
 messages are noted, and the last action for each message is Submitted to
 Categorizer.

 According to the ISP mails are still coming out, and there is no record of
 an SMTP server on the packets.

 netstat outputs also seem like everything is normal, although the output is
 extensive.

 The box has been swept by its local Trend SMEX, and Office Scan, plus two
 other online scanners. WireShark is not telling me anything exciting, and
 none of the processes running in task manager seem out of the norm.

 If this was another authenticated machine on the LAN I would have expected
 the password change to have put an end to that.

 Has anyone seen similar, and if so could you kindly point this already bald
 person in the right direction?

 Many thanks in advance

 --
 Regards,

 Clayton
 [EMAIL PROTECTED]
 http://alsipius.com




Re: Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Candee Vaglica
I guess I might start by cranking up logging first.


On Jan 21, 2008 11:11 AM, Ellis, John P. [EMAIL PROTECTED] wrote:


 I'd start by unplugging the Exchange server and see if the traffic stops. If
 it does you've isolated the problem. If it does, then I'd start unplugging
 sections of the network and see when it stops. A bit severe, but you will
 get an idea of where the problem lies.

 John
 
 From: Campbell, Rob [mailto:[EMAIL PROTECTED]
 Sent: 21 January 2008 16:01


 To: MS-Exchange Admin Issues
 Subject: RE: Virus Hunt (PLEASE HELP)







 They'll only be in sent items if Outlook was leveraged to send them.  Most
 viruses come with their own smtp client.

 Sent from my GoodLink synchronized handheld (www.good.com)


  -Original Message-
 From:   Simon Butler [mailto:[EMAIL PROTECTED]
 Sent:   Monday, January 21, 2008 09:54 AM Central Standard Time
 To: MS-Exchange Admin Issues
 Subject:RE: Virus Hunt (PLEASE HELP)

 The first thing I would do is disable authenticated relaying.
 It may cause some problems for some users, but it needs to be done.

 Very unusual for a specific user account to be targeted, the usual target is
 the administrator account. Therefore what might be happening is that a user
 account is being abused but the authentication prompt is the administrator
 account.

 I would not expect the messages to show in the Sent Items, almost certainly
 the messages are coming from outside and are being pushed through SMTP.

 Take a look at my spam cleanup article:
 http://www.amset.info/exchange/spam-cleanup.asp

 Also remember that ESM is notorious for not showing the true extent of the
 queues, so while you may think you have cleaned the server up, the messages
 can continue to flow.

 Simon.

 
 From: Clayton Doige [mailto:[EMAIL PROTECTED]
 Sent: 21 January 2008 15:36
 To: MS-Exchange Admin Issues
 Subject: Re: Virus Hunt (PLEASE HELP)

 None of the processes, services, or registry entries that Hijack This
 outputs looks untoward on the server. Can the tool be used centrally to
 analyse numerous hosts, or does this need to be done on a host by host
 basis?

 Really what I want to do is see where these messages are originating as they
 are not in sent items for this user's mailbox. Message Tracking has limited
 output, and I am having a devil of a time trying to track down the source
 for these messages.

 BTW, OOF etc are disabled on this server.

 Thanks


 On 21/01/2008, Clayton Doige [EMAIL PROTECTED] wrote:
 We have swept everything on the LAN, nothing revealed from that. I have
 downloaded Hijack This and am just running the thing now, and looking at the
 results.

 thanks :-)


 On 21/01/2008, Candee Vaglica [EMAIL PROTECTED] wrote:
 Hi, Clayton.
 I second the Hijack this recommendation.
 Are you saying you swept the server or the user's workstation?
 I would pull the workstation off the LAN first thing.


 On Jan 21, 2008 10:03 AM, Clayton Doige [EMAIL PROTECTED] wrote:
  Dear all, I have a server apparently spewing out a horde of SMTP messages,
  at least according to the Message Tracking system, which indicates the
  emails originate from a specific email address.

  This is Exchange 2003 by the way:

  I have checked and the system is not a relay, and only authenticated users
  are allowed to send. I blocked access for this particular user account to
  the smtp connector, and changed the password on the user account.

  When looking in Message Tracking subsequent to making the changes above, the
  messages are noted, and the last action for each message is Submitted to
  Categorizer.

  According to the ISP mails are still coming out, and there is no record of
  an SMTP server on the packets.

  netstat outputs also seem like everything is normal, although the output is
  extensive.

  The box has been swept by its local Trend SMEX, and Office Scan, plus two
  other online scanners. WireShark is not telling me anything exciting, and
  none of the processes running in task manager seem out of the norm.

  If this was another authenticated machine on the LAN I would have expected
  the password change to have put an end to that.

  Has anyone seen similar, and if so could you kindly point this already bald
  person in the right direction?

  Many thanks in advance

  --
  Regards,

  Clayton
  [EMAIL PROTECTED]
  http://alsipius.com
 
 


Re: Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Clayton Doige
It is the admin account, there goes my attempt at being discreet lol. Found
out that Exchange 2003 SP2 is not on here, so trying that, and have disabled
authenticated relaying as per your suggestions.

Thanks


On 21/01/2008, Simon Butler [EMAIL PROTECTED] wrote:



 The first thing I would do is disable authenticated relaying.
 It may cause some problems for some users, but it needs to be done.

 Very unusual for a specific user account to be targeted, the usual target
 is the administrator account. Therefore what might be happening is that a
 user account is being abused but the authentication prompt is the
 administrator account.

 I would not expect the messages to show in the Sent Items, almost
 certainly the messages are coming from outside and are being pushed through
 SMTP.

 Take a look at my spam cleanup article:
 http://www.amset.info/exchange/spam-cleanup.asp

 Also remember that ESM is notorious for not showing the true extent of the
 queues, so while you may think you have cleaned the server up, the messages
 can continue to flow.

 Simon.

  --
 *From:* Clayton Doige [mailto:[EMAIL PROTECTED]
 *Sent:* 21 January 2008 15:36
 *To:* MS-Exchange Admin Issues
 *Subject:* Re: Virus Hunt (PLEASE HELP)


 None of the processes, services, or registry entries that Hijack
 This outputs looks untoward on the server. Can the tool be used centrally
 to analyse numerous hosts, or does this need to be done on a host by host
 basis?

 Really what I want to do is see where these messages are originating as
 they are not in sent items for this user's mailbox. Message Tracking has
 limited output, and I am having a devil of a time trying to track down the
 source for these messages.

 BTW, OOF etc are disabled on this server.

 Thanks


 On 21/01/2008, Clayton Doige [EMAIL PROTECTED] wrote:
 
  We have swept everything on the LAN, nothing revealed from that. I have
  downloaded Hijack This and am just running the thing now, and looking at the
  results.
 
  thanks :-)
 
 
  On 21/01/2008, Candee Vaglica [EMAIL PROTECTED]  wrote:
  
   Hi, Clayton.
   I second the Hijack this recommendation.
   Are you saying you swept the server or the user's workstation?
   I would pull the workstation off the LAN first thing.
  
  
   On Jan 21, 2008 10:03 AM, Clayton Doige [EMAIL PROTECTED] wrote:
    Dear all, I have a server apparently spewing out a horde of SMTP messages,
    at least according to the Message Tracking system, which indicates the
    emails originate from a specific email address.

    This is Exchange 2003 by the way:

    I have checked and the system is not a relay, and only authenticated users
    are allowed to send. I blocked access for this particular user account to
    the smtp connector, and changed the password on the user account.

    When looking in Message Tracking subsequent to making the changes above, the
    messages are noted, and the last action for each message is Submitted to
    Categorizer.

    According to the ISP mails are still coming out, and there is no record of
    an SMTP server on the packets.

    netstat outputs also seem like everything is normal, although the output is
    extensive.

    The box has been swept by its local Trend SMEX, and Office Scan, plus two
    other online scanners. WireShark is not telling me anything exciting, and
    none of the processes running in task manager seem out of the norm.

    If this was another authenticated machine on the LAN I would have expected
    the password change to have put an end to that.

    Has anyone seen similar, and if so could you kindly point this already bald
    person in the right direction?

    Many thanks in advance

    --
    Regards,

    Clayton
    [EMAIL PROTECTED]
    http://alsipius.com
   
   
  

-- 
Regards,

Clayton
[EMAIL PROTECTED]
http://alsipius.com


RE: Error when removing last Exchange 5.5 server

2008-01-21 Thread Palmer, Neal
I'm having a similar problem trying to remove an unused Exchange 2000
server after a migration to Clustered Exchange 2003.

A MS solution was to use ADSI Edit to find the field that holds these
mailboxes for each information store, and remove the non-standard ones.
Unfortunately there was nothing there for me to remove.

Maybe this will help you?

http://support.microsoft.com/?kbid=839356

from 

Note You may receive the following error message when you try to remove
Exchange Server:
The component Microsoft Exchange Messaging and Collaboration Services
cannot be assigned the action Remove because:
- One or more users currently use a mailbox store on this server. These
users must be moved to a mailbox store on a different server or be mail
disabled before uninstalling this server.

-Original Message-
From: Jim Dandy [mailto:[EMAIL PROTECTED] 
Sent: 04 January 2008 00:50
To: MS-Exchange Admin Issues
Subject: Error when removing last Exchange 5.5 server

I'm about ready to remove my last Exchange 5.5 server.  When I go to
delete the server it gives me a message

There are 3 mailboxes and gateways on this server.  All these gateways
will be deleted.  All mailboxes and their contents will also be deleted.
You can use the move mailbox command on the tools menu to move mailboxes
to a different server.

Since this step is not reversible, I'm a bit frightened to move forward.
Two mailboxes that are left are

  Microsoft Schedule+ Free/Busy Connector (EXCHANGE)
  System Attendant

I'm not sure what the third mailbox or gateway is that it's talking
about.  The only connector that exists in the 2003 Exchange System
Manager is Internet Mail SMTP connector and that is on a 2003 server.
The Exchange 5.5 Administrator doesn't show any connectors other than
Internet Mail SMTP connector either.

Do I need to migrate these two mailboxes?  What is the third mailbox or
gateway that I will be deleting when I delete the 5.5 server?  Will I
experience negative results if I proceed with removing the 5.5 server?

Thanks for your help.

Curt


RE: Anyone using CCR in production?

2008-01-21 Thread Barsodi.John
I'm looking at implementing CCR in a couple of my datacenters with SCR
targets geographically.  I don't have any first knowledge with our data
yet, so I can't answer your specific size questions.  I just know when I
was going through my training last fall, that the instructors were very
adamant about using caution when implementing CCR's across datacenters.
That's part of the reason we are looking at using SCR for our geographic
failover instead.  We have a 90Mb link with  20ms latency between these
particular datacenters and we don't want an automatic failover in the
event our provider bounces a router or someone decides to dig into some
fiber when installing a swimming pool.

 

From: Alex Fontana [mailto:[EMAIL PROTECTED] 
Sent: Sunday, January 20, 2008 10:46 PM
To: MS-Exchange Admin Issues
Subject: Anyone using CCR in production?

 

Curious to know what folks have seen in the field when using CCR.  How
many users, how large are your databases, any issues you've encountered.
Any geo-dispersed clusters, special quorum configs, and how are you
backing all of it up? 

thanks!
-alex

 



RE: Anyone using CCR in production?

2008-01-21 Thread Michael B. Smith
30K+ users, 2 GB hard limits, individual databases limited to 100 GB.

 

Geodispersion is coming, using Windows Server 2008. Backup is LCR to cheap
disk.

 

I'm seeing more folks moving away from clustering with LCR and SCR. Good
riddance, in my opinion.

 

Regards,

 

Michael B. Smith

MCSE/Exchange MVP

http://TheEssentialExchange.com

 

From: Alex Fontana [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 21, 2008 1:46 AM
To: MS-Exchange Admin Issues
Subject: Anyone using CCR in production?

 

Curious to know what folks have seen in the field when using CCR.  How many
users, how large are your databases, any issues you've encountered.  Any
geo-dispersed clusters, special quorum configs, and how are you backing all
of it up? 

thanks!
-alex

 



RE: Anyone using CCR in production?

2008-01-21 Thread Andy Shook
... = unless they involve Blackstone and TVK

 

Shook

http://www.linkedin.com/in/andyshook  



From: Don Ely [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 21, 2008 11:33 AM
To: MS-Exchange Admin Issues
Subject: Re: Anyone using CCR in production?

 

That's my intention as I prepare to move to 2007.  I hate managing
clusters...

On Jan 21, 2008 8:30 AM, Michael B. Smith
[EMAIL PROTECTED] wrote:

 

30K+ users, 2 GB hard limits, individual databases limited to 100 GB.

 

Geodispersion is coming, using Windows Server 2008. Backup is LCR to
cheap disk.

 

I'm seeing more folks moving away from clustering with LCR and SCR. Good
riddance, in my opinion.

 

Regards,

 

Michael B. Smith

MCSE/Exchange MVP

http://TheEssentialExchange.com

 

From: Alex Fontana [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 21, 2008 1:46 AM 


To: MS-Exchange Admin Issues
Subject: Anyone using CCR in production?

 

Curious to know what folks have seen in the field when using CCR.  How
many users, how large are your databases, any issues you've encountered.
Any geo-dispersed clusters, special quorum configs, and how are you
backing all of it up? 

thanks!
-alex

 

 

 

 

 

 



Re: problem with messagelabs

2008-01-21 Thread M Bruyere
Hi,
Thanks for the comments. I just forwarded the messages as received
from Messagelabs, I didn't think before sending, that the whole spam
would be a problem, but you're right.

On Jan 18, 2008 11:37 AM, Jason Gurtz [EMAIL PROTECTED] wrote:
  I have a problem sending messages to a site (our HQ) that
  is protected by Messagelabs. In fact the problem is that they are
  throttling our connections because they say that we're sending spam.

 [...]

  Received: from desktop3 ([190.40.182.39]) by mail.MY_DOMAIN.com with
  Microsoft SMTPSVC(6.0.3790.0);
Mon, 7 Jan 2008 19:42:52 -0500
  Received: from 60.52.18.165 (HELO localhost.localdomain)
  (63.51.17.146)
by 64.53.15.110 with SMTP; Mon, 7 Jan 2008 19:42:35 +0500



RE: Anyone using CCR in production?

2008-01-21 Thread Kevin Miller
Yes.
30
100GB
Not really works great
Yes they are separated by 70 miles.
I am using SCR to back it all up.

From: Alex Fontana [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 20, 2008 10:46 PM
To: MS-Exchange Admin Issues
Subject: Anyone using CCR in production?

Curious to know what folks have seen in the field when using CCR.  How many 
users, how large are your databases, any issues you've encountered.  Any 
geo-dispersed clusters, special quorum configs, and how are you backing all of 
it up?

thanks!
-alex




RE: Anyone using CCR in production?

2008-01-21 Thread Kevin Miller
I've done 2 projects recently where the customers had limited clustering 
experience but they'd been sold big SANs and wanted to use them for SCC. 
Apparently the SAN sales guys are way better than I am because both customers 
ended up with SCC in the end.

From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, January 21, 2008 8:30 AM
To: MS-Exchange Admin Issues
Subject: RE: Anyone using CCR in production?


30K+ users, 2 GB hard limits, individual databases limited to 100 GB.

Geodispersion is coming, using Windows Server 2008. Backup is LCR to cheap disk.

I'm seeing more folks moving away from clustering with LCR and SCR. Good 
riddance, in my opinion.

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

From: Alex Fontana [mailto:[EMAIL PROTECTED]
Sent: Monday, January 21, 2008 1:46 AM
To: MS-Exchange Admin Issues
Subject: Anyone using CCR in production?

Curious to know what folks have seen in the field when using CCR.  How many 
users, how large are your databases, any issues you've encountered.  Any 
geo-dispersed clusters, special quorum configs, and how are you backing all of 
it up?

thanks!
-alex








Re: Virus Hunt (PLEASE HELP!!!!!!!!)

2008-01-21 Thread Kurt Buff
I'll assume for the moment that you're NATing everything through a
single IP address, but will make some suggestions if that isn't the
case.

A properly deployed NTOP is your friend in this case. It can be set
(using the BPF filters) to monitor only port 25, and only outbound if
you want, and you'll see who's talking.

Of course, if it *is* being routed through your Exchange box, then
that's what'll show, in which case you'll need to examine your SMTP
logs on that machine.

Two things I would recommend:

1) Turn off port 25 outbound, except for your Exchange server (and
perhaps your server monitoring software, if it sends SMTP messages to
your cell phone). This might stop the problem outright.

2) Turn off SMTP relay through your Exchange server, period. Let it
accept SMTP messages *only* from trusted internal hosts, such as
server-side software that sends notifications to you or your sysadmin
team. All others only get MAPI. This cuts down on the crap that gets
relayed outbound, though it won't stop something that automates
Outlook.

Kurt

On Jan 21, 2008 7:03 AM, Clayton Doige [EMAIL PROTECTED] wrote:

 Dear all, I have a server apparently spewing out a horde of SMTP messages,
 at least according to the Message Tracking system, which indicates the
 emails originate from a specific email address.

 This is Exchange 2003 by the way:

 I have checked and the system is not a relay, and only authenticated users
 are allowed to send. I blocked access for this particular user account to
 the smtp connector, and changed the password on the user account.

 When looking in Message Tracking subsequent to making the changes above, the
 messages are noted, and the last action for each message is Submitted to
 Categorizer.

 According to the ISP mails are still coming out, and there is no record of
 an SMTP server on the packets.

 netstat outputs also seem like everything is normal, although the output is
 extensive.

 The box has been swept by its local Trend SMEX, and Office Scan, plus two
 other online scanners. WireShark is not telling me anything exciting, and
 none of the processes running in task manager seem out of the norm.

 If this was another authenticated machine on the LAN  I would have expected
 the password change to have put an end to that.

 Has anyone seen similar, and if so could you kindly point this already bald
 person in the right direction?

 Many thanks in advance

 --
 Regards,

 Clayton
 [EMAIL PROTECTED]
 http://alsipius.com



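Kurt's advice to examine the SMTP logs and to accept SMTP only from trusted internal hosts can be combined into a quick triage of who is actually submitting mail; the script below is an added example, not part of the original thread. It assumes W3C extended logging with the c-ip, cs-method, cs-uri-query and sc-status fields enabled, and the log lines, addresses and trusted-host list are all constructed.

```python
"""Triage an SMTP service log: which clients submit mail, and are they expected?"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in W3C extended log format. The field list is an
# assumption: the parser reads whatever the #Fields directive declares.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-01-21 15:00:00
#Fields: date time c-ip s-ip s-port cs-method cs-uri-query sc-status
2008-01-21 15:00:01 192.168.1.20 192.168.1.10 25 EHLO +monitor.example.local 250
2008-01-21 15:00:01 192.168.1.20 192.168.1.10 25 MAIL +FROM:<monitor@example.com> 250
2008-01-21 15:00:01 192.168.1.20 192.168.1.10 25 RCPT +TO:<oncall@example.com> 250
2008-01-21 15:00:02 192.168.1.20 192.168.1.10 25 DATA - 250
2008-01-21 15:02:10 203.0.113.77 192.168.1.10 25 EHLO +localhost.localdomain 250
2008-01-21 15:02:11 203.0.113.77 192.168.1.10 25 MAIL +FROM:<administrator@example.com> 250
2008-01-21 15:02:11 203.0.113.77 192.168.1.10 25 RCPT +TO:<a@example.net> 250
2008-01-21 15:02:11 203.0.113.77 192.168.1.10 25 RCPT +TO:<b@example.net> 250
2008-01-21 15:02:12 203.0.113.77 192.168.1.10 25 RCPT +TO:<c@example.org> 250
2008-01-21 15:02:12 203.0.113.77 192.168.1.10 25 DATA - 250
2008-01-21 15:03:40 192.168.1.57 192.168.1.10 25 HELO +ws57 250
2008-01-21 15:03:41 192.168.1.57 192.168.1.10 25 MAIL +FROM:<user@example.com> 250
2008-01-21 15:03:41 192.168.1.57 192.168.1.10 25 RCPT +TO:<d@example.net> 550
"""


def parse_w3c(text):
    """Yield one dict per log row, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row, or no #Fields seen yet
        yield dict(zip(fields, values))


def sender_of(argument):
    """Return the address between < and > in a MAIL FROM argument, if any."""
    start, end = argument.find("<"), argument.find(">")
    return argument[start + 1:end].lower() if 0 <= start < end else None


def summarize(rows):
    """Count MAIL and RCPT commands per client IP and collect envelope senders."""
    stats = defaultdict(
        lambda: {"mail": 0, "rcpt_ok": 0, "rcpt_rejected": 0, "senders": set()}
    )
    for row in rows:
        client = row.get("c-ip")
        if client is None:
            continue  # c-ip not logged; nothing to attribute the row to
        entry = stats[client]
        verb = row.get("cs-method", "").upper()
        accepted = row.get("sc-status", "").startswith("2")
        if verb == "MAIL":
            entry["mail"] += 1
            sender = sender_of(row.get("cs-uri-query", ""))
            if sender:
                entry["senders"].add(sender)
        elif verb == "RCPT":
            entry["rcpt_ok" if accepted else "rcpt_rejected"] += 1
    return stats


def unexpected_submitters(stats, trusted_networks):
    """List clients outside the trusted networks that issued MAIL commands.

    Each item is (client_ip, accepted_rcpt, rejected_rcpt, senders), ordered
    by accepted recipients, highest first.
    """
    networks = [ip_network(net) for net in trusted_networks]
    flagged = []
    for client, entry in stats.items():
        if entry["mail"] == 0:
            continue
        if any(ip_address(client) in net for net in networks):
            continue
        flagged.append(
            (client, entry["rcpt_ok"], entry["rcpt_rejected"], sorted(entry["senders"]))
        )
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Hypothetical allow-list: only the monitoring host may submit over SMTP.
    trusted = ["192.168.1.20/32"]
    for client, ok, rejected, senders in unexpected_submitters(
        summarize(parse_w3c(SAMPLE_LOG)), trusted
    ):
        print(f"{client}: {ok} accepted / {rejected} rejected RCPT, senders={senders}")
```

A client with many accepted recipients that is not on the trusted list is the one to isolate first; a client with only rejected recipients shows the relay restriction doing its job.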


RE: Anyone using CCR in production?

2008-01-21 Thread Brown, Larry
We implemented CCR in October of last year.  We have about 2000 mailboxes, 
about 225 users per DB, max limit is 250MB per mailbox (98% of our users 
anyway), each DB ranging from 10 to 50 Gig in size...with the 50 Gig DB being 
the exception (don't ask).  Most DB's are 10-20 Gig.

Since our network backup solution isn't compatible with Ex 2007 we are using 
Windows backup to put the data on a network store, then backing up the store.  
Not pretty, but it works.

So far we have only had two issues:

1) Occasionally Exchange stops authenticating user names, such as when setting 
up Outlook for a user.  Keep getting User Name Not Found.  Stopping and 
restarting the Attendant service cures the problem.  Haven't had time to dig in 
to this to find the problem.
2) If you have a Blackberry Enterprise Server connected to your Exchange 
server, BES does NOT like losing contact with the Exchange system, even for 
the minute or two it takes to switch active/passive nodes.  Just a heads 
up...from experience.

Larry

From: Alex Fontana [mailto:[EMAIL PROTECTED]
Sent: Monday, January 21, 2008 1:46 AM
To: MS-Exchange Admin Issues
Subject: Anyone using CCR in production?

Curious to know what folks have seen in the field when using CCR.  How many 
users, how large are your databases, any issues you've encountered.  Any 
geo-dispersed clusters, special quorum configs, and how are you backing all of 
it up?

thanks!
-alex




Re: Anyone using CCR in production?

2008-01-21 Thread Kurt Buff
The CCR database isn't very large - They did, what, maybe 20 albums?

Oh - you didn't mean the band, I guess.

/Emily Latella Never Mind!

:)

On Jan 20, 2008 10:46 PM, Alex Fontana [EMAIL PROTECTED] wrote:
  Curious to know what folks have seen in the field when using CCR.  How many
 users, how large are your databases, any issues you've encountered.  Any
 geo-dispersed clusters, special quorum configs, and how are you backing all
 of it up?

 thanks!
 -alex






Recreating Exchange 2003 Public Folder Store

2008-01-21 Thread Barsodi.John
I have an Exchange 2003 Server that has a public folder store on a
partition that has gone AWOL.  Whoever built this server years ago
created the partition in question as a dynamic partition and we lost a
drive in the RAID set (Compaq hardware raid - blah to software RAID
sets)... anyways when the array rebuilt Windows placed this Dynamic
partition into an At Risk state. After reactivating it, it soon goes
back into an At Risk State. I've tried many things to recover/move the
data off the partition, but the .edb file will not move - the streaming
db moves fine, I receive an I/O timeout error along with umpteen million
errors in the system log.   So... we don't have a valid back up of the
data, but the PF data has been replicated to two of the other Exchange
2003 servers in this site.

 

So my question is, after the long winded build up, if I simply delete
the Public Folder store and recreate a new one on a different partition,
what will I break?  I can point all mail stores to use another server
for its PF store. Or should I consider a different course of action?
Right now, the PF db works fine, users are saying performance is normal,
lookups, etc.

 

TIA for any suggestions.

 

- John Barsodi



RE: Recreating Exchange 2003 Public Folder Store

2008-01-21 Thread Michael B. Smith
If everything has replicated, truly, then you won't lose anything. It will
all backfill.

 

Regards,

 

Michael B. Smith

MCSE/Exchange MVP

http://TheEssentialExchange.com

 

From: Barsodi.John [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 21, 2008 8:03 PM
To: MS-Exchange Admin Issues
Subject: Recreating Exchange 2003 Public Folder Store

 

 

I have an Exchange 2003 Server that has a public folder store on a partition
that has gone AWOL.  Whoever built this server years ago created the
partition in question as a dynamic partition and we lost a drive in the RAID
set (Compaq hardware raid - blah to software RAID sets)... anyways when the
array rebuilt Windows placed this Dynamic partition into an At Risk state.
After reactivating it, it soon goes back into an At Risk State. I've tried
many things to recover/move the data off the partition, but the .edb file
will not move - the streaming db moves fine, I receive an I/O timeout error
along with umpteen million errors in the system log.   So... we don't have a
valid back up of the data, but the PF data has been replicated to two of the
other Exchange 2003 servers in this site.

 

So my question is, after the long winded build up, if I simply delete the
Public Folder store and recreate a new one on a different partition, what
will I break?  I can point all mail stores to use another server for its PF
store. Or should I consider a different course of action?  Right now, the
PF db works fine, users are saying performance is normal, lookups, etc.

 

TIA for any suggestions.

 

- John Barsodi

 

 

 



RE: Questions about RPC/HTTPS

2008-01-21 Thread gsweers
1.  Not sure about.  But it looks like 2 is just missing the external
from 1, which I have never put into any of my configs, some are split
DNS others are not.  Single servers running as both DC/Exchange and
separate DC/Exchange.  
2.  Exactly. But RPC functionality must be installed on the DC you are
pointing to and you must configure the 
NTDS parameters on whatever DC you are pointing to.

Greg

-Original Message-
From: Kurt Buff [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 21, 2008 7:56 PM
To: MS-Exchange Admin Issues
Subject: Questions about RPC/HTTPS

I am setting this up, and am following the directions on Simon
Butler's web page - http://amset.info/exchange/rpc-http.asp - and
while I've read the Questions section at the end, I'm still a little
unclear on this.

1) We're (at the moment) in situation 2 WRT DC and Exchange (DC and
Exchange separate, single Exchange server (well, sort of - we still
have Exchange 5.5 running our Rightfax integration, but that should go
away soon!) no FE/BE arrangement), so the reg entry in the sample
looks as follows:

 Windows Registry Editor Version 5.00

 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
 ValidPorts=exchange-server:100-5000;
 exchange-server:6001-6002;
 exchange-server.domain.local:6001-6002;
 dc:6001-6002;
 dc.domain.local:6001-6002;
 exchange-server:6004;
 exchange-server.domain.local:6004;
 dc:6004;
 dc.domain.local:6004;
 mail.external.com:6001-6002;
 mail.external.com:6004;
 dc:593;
 dc.domain.local:593;
 exchange-server:593;
 exchange-server.domain.local:593;
 mail.external.com:593;

Can this be condensed down (we use split DNS, and FQDNs inside are the
same as FQDNs outside) to:

 Windows Registry Editor Version 5.00

 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
 ValidPorts=
 exchange-server:100-5000;
 exchange-server:6001-6002;
 exchange-server.example.com:6001-6002;
 dc:6001-6002;
 dc.example.com:6001-6002;
 exchange-server:6004;
 exchange-server.example.com:6004;
 dc:6004;
 dc.example.com:6004;
 dc:593;
 dc.example.com:593;
 exchange-server:593;
 exchange-server.example.com:593;



2) WRT 1) - what will I need to do for the new Exchange servers in our
overseas offices, when that time comes? Same thing, but change the
names to local DCs and Exchange servers, or something else?



Thanks,

Kurt
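
The comparison discussed in this exchange, as an added PowerShell example that is not part of the original thread: it parses the two ValidPorts lists from Kurt's post, reports which entries the condensed list drops, lists entries that span more than two ports, and joins the result into the single string the registry value holds. The helper names and the mapping of `.domain.local` to `.example.com` are assumptions of this example.

```powershell
# Constructed input: the two lists from the post, several entries per line.
$sample = @'
exchange-server:100-5000; exchange-server:6001-6002; exchange-server.domain.local:6001-6002;
dc:6001-6002; dc.domain.local:6001-6002; exchange-server:6004; exchange-server.domain.local:6004;
dc:6004; dc.domain.local:6004; mail.external.com:6001-6002; mail.external.com:6004;
dc:593; dc.domain.local:593; exchange-server:593; exchange-server.domain.local:593;
mail.external.com:593;
'@
$condensed = @'
exchange-server:100-5000; exchange-server:6001-6002; exchange-server.example.com:6001-6002;
dc:6001-6002; dc.example.com:6001-6002; exchange-server:6004; exchange-server.example.com:6004;
dc:6004; dc.example.com:6004; dc:593; dc.example.com:593;
exchange-server:593; exchange-server.example.com:593;
'@

function ConvertFrom-ValidPorts {    # hypothetical helper, not a built-in cmdlet
    param([Parameter(Mandatory)][string]$Value)
    foreach ($entry in ($Value -split '[;\s]+' | Where-Object { $_ })) {
        if ($entry -notmatch '^(?<name>[A-Za-z0-9.-]+):(?<lo>\d+)(-(?<hi>\d+))?$') {
            throw "Malformed ValidPorts entry: '$entry'"
        }
        $n  = $Matches['name']
        $lo = [int]$Matches['lo']
        $hi = if ($Matches['hi']) { [int]$Matches['hi'] } else { $lo }
        if ($hi -lt $lo -or $hi -gt 65535) { throw "Bad port range in '$entry'" }
        $text = if ($hi -eq $lo) { '{0}:{1}' -f $n, $lo } else { '{0}:{1}-{2}' -f $n, $lo, $hi }
        [pscustomobject]@{ Name = $n; Low = $lo; High = $hi; Text = $text }
    }
}

function Get-RoleKey {               # short name and FQDN collapse to one key
    param($Entries, [string]$Suffix)
    $pattern = [regex]::Escape($Suffix) + '$'
    $Entries | ForEach-Object { '{0}:{1}-{2}' -f ($_.Name -replace $pattern, ''), $_.Low, $_.High } |
        Sort-Object -Unique
}

$old = ConvertFrom-ValidPorts $sample
$new = ConvertFrom-ValidPorts $condensed

# Entries present in only one list (the suffix mapping is this example's assumption).
Compare-Object (Get-RoleKey $old '.domain.local') (Get-RoleKey $new '.example.com')

# Entries that open more than two ports on a back-end host, for review.
$new | Where-Object { ($_.High - $_.Low) -gt 1 } | Select-Object Text

# The value as it is stored: one string with no line breaks.
$value = $new.Text -join ';'
$value
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy' -Name ValidPorts -Value $value
```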


Re: Exchange 2007 Plain text message problem

2008-01-21 Thread Alex Fontana
set-remotedomain -identity name -linewrapsize int

On Jan 21, 2008 5:00 PM, Joseph L. Casale [EMAIL PROTECTED] wrote:



  I am being told that plain text messages being sent by ol2007 to a
 recipient have the body base64 encoded. Looking at
 http://technet.microsoft.com/en-us/library/bb232174.aspx it suggests that
 "When SMTP messages contain elements that are not plain US-ASCII text, the
 message must be encoded to preserve those elements." I am trying to figure
 out what elements these are and why they exist when the message was composed
 with plain text setting on?

 To further the confusion, the article also states "When an encoding
 algorithm is applied to the message body data, the message body data is
 transformed into plain US-ASCII text. This transformation allows the message
 to travel through older SMTP messaging servers that only support messages in
 US-ASCII text." Which leads me to understand that although the body may be
 Base 64 encoded, it should also have a plain text version as well? So I
 later find this article: http://support.microsoft.com/kb/946641 which
 suggests option 6, "Use Base64 encoding for HTML and for plain text, unless
 line wrapping is enabled in plain text. If line wrapping is enabled in plain
 text, use Base64 encoding for HTML and 7-bit encoding for plain text." That
 looks like it could fix my issue, but how the heck do you enable line
 wrapping in plain text?



 Any ideas appreciated,
 jlc

RE: Exchange 2007 Plain text message problem

2008-01-21 Thread Joseph L. Casale
Nice, so do you know if that setting works for all child domains if I only set 
it at the TLD level?
jlc

From: Alex Fontana [mailto:[EMAIL PROTECTED]
Sent: Monday, January 21, 2008 6:58 PM
To: MS-Exchange Admin Issues
Subject: Re: Exchange 2007 Plain text message problem

set-remotedomain -identity name -linewrapsize int
On Jan 21, 2008 5:00 PM, Joseph L. Casale [EMAIL PROTECTED] wrote:


I am being told that plain text messages being sent by ol2007 to a recipient
have the body base64 encoded. Looking at
http://technet.microsoft.com/en-us/library/bb232174.aspx it suggests that "When
SMTP messages contain elements that are not plain US-ASCII text, the message
must be encoded to preserve those elements." I am trying to figure out what
elements these are and why they exist when the message was composed with plain
text setting on?

To further the confusion, the article also states "When an encoding algorithm
is applied to the message body data, the message body data is transformed into
plain US-ASCII text. This transformation allows the message to travel through
older SMTP messaging servers that only support messages in US-ASCII text."
Which leads me to understand that although the body may be Base 64 encoded, it
should also have a plain text version as well? So I later find this article:
http://support.microsoft.com/kb/946641 which suggests option 6, "Use
Base64 encoding for HTML and for plain text, unless line wrapping is enabled in
plain text. If line wrapping is enabled in plain text, use Base64 encoding for
HTML and 7-bit encoding for plain text." That looks like it could fix my issue,
but how the heck do you enable line wrapping in plain text?



Any ideas appreciated,
jlc

Re: Anyone using CCR in production?

2008-01-21 Thread Greg Mulholland
I was going to, but I thought, nah, I won't be that stupid! :)

 The CCR database isn't very large - They did, what, maybe 20 albums?

 Oh - you didn't mean the band, I guess.

 /Emily Latella Never Mind!

 :)

 On Jan 20, 2008 10:46 PM, Alex Fontana [EMAIL PROTECTED] wrote:
  Curious to know what folks have seen in the field when using CCR.  How many
 users, how large are your databases, any issues you've encountered.  Any
 geo-dispersed clusters, special quorum configs, and how are you backing all
 of it up?

 thanks!
 -alex


Re: Exchange 2007 Plain text message problem

2008-01-21 Thread Alex Fontana
I think so, but not 100% sure.  You can add one for *.domain.com as well,
but that's a good question hopefully someone will chime in on.

On Jan 21, 2008 6:36 PM, Joseph L. Casale [EMAIL PROTECTED] wrote:



  Nice, so do you know if that setting works for all child domains if I
 only set it at the TLD level?
 jlc



 *From:* Alex Fontana [mailto:[EMAIL PROTECTED]
 *Sent:* Monday, January 21, 2008 6:58 PM
 *To:* MS-Exchange Admin Issues
 *Subject:* Re: Exchange 2007 Plain text message problem



 set-remotedomain -identity name -linewrapsize int

 On Jan 21, 2008 5:00 PM, Joseph L. Casale [EMAIL PROTECTED]
 wrote:



 I am being told that plain text messages being sent by ol2007 to a
 recipient have the body base64 encoded. Looking at
 http://technet.microsoft.com/en-us/library/bb232174.aspx it suggests that
 "When SMTP messages contain elements that are not plain US-ASCII text, the
 message must be encoded to preserve those elements." I am trying to figure
 out what elements these are and why they exist when the message was composed
 with plain text setting on?

 To further the confusion, the article also states "When an encoding
 algorithm is applied to the message body data, the message body data is
 transformed into plain US-ASCII text. This transformation allows the message
 to travel through older SMTP messaging servers that only support messages in
 US-ASCII text." Which leads me to understand that although the body may be
 Base 64 encoded, it should also have a plain text version as well? So I
 later find this article: http://support.microsoft.com/kb/946641 which
 suggests option 6, "Use Base64 encoding for HTML and for plain text, unless
 line wrapping is enabled in plain text. If line wrapping is enabled in plain
 text, use Base64 encoding for HTML and 7-bit encoding for plain text." That
 looks like it could fix my issue, but how the heck do you enable line
 wrapping in plain text?



 Any ideas appreciated,
 jlc