First of all: I am a Linux admin that was given a Windows 2k server machine for administration only a week ago. This week I was learning a bit about the Windows server way, but without doing anything dangerous on the machine (I did all my trials with a fake server) just because it was running ok. My knowledge of the Win2k server environment is a bit young, but I have many years of experience admin'ng Unix servers (especially Linux and FreeBSD), so I think that I could take the points here.
Ok. The business. The exchange server is eating the whole upstream bandwidth, it's that simple. It seems that it is sending a bunch of email, but I see nothing on the queue folder.
The server has MailEssentials 9.0 installed for spam checking, monitoring the SMTP link. It runs fairly well (although I am planning a migration to SpamAssassin, but I am not in a hurry), and I can see on its monitor all emails that are being sent and received. Ok, but not the junk traffic the Exchange server is generating. It is using SMTP, but I cannot see any message anywhere with this.
After that, I sniffed the machine communications through Ethereal, to find the SMTP traffic. It was going to this ip:
22.214.171.124 ---> iris2.directnic.com
As the whole upstream was caught, no downstream was available to anyone so I blocked all communication with that IP. For a while, it ran well, but after a short amount of time the thing began to communicate through SMTP with:
126.96.36.199 ---> iris1.directnic.com
I blocked also that IP in search of a solution. After a short while, it began to communicate with:
188.8.131.52 ---> pop.directnic.com
I blocked that again. That was 2hrs ago; the problem seems to have been avoided - but not solved.
The exchange server has Symantec Antivirus Corporate Edition 8.00.9374 installed, and it seems that I have no virii so far (but you never know).
I telnet'ed the machine on port 25 and it seems that I have the relay closed.
I am monitoring right now the account logins to see if there is something strange here.
Well, I ran out of ideas. The IP blocking seems to be working right now, but that's only an ugly hack that can be easily circumvented, and I want a real solution. Dunno if it has something to do with some automated attack involving NT user accounts or virii, but the fact that the smtp communication was with directnic machines seems a bit STRANGE to me. And dangerous, I do not want my domain to be blacklisted at all...
As I am a Unix man, I would replace the OS with something more convenient for me (as I am NO expert on windows machines), maybe a FreeBSD or Debian machine. I know the Unix system and how to make it almost impenetrable (as much as you can, of course), but the Unix groupware solutions are not very mature at this moment. We NEED Exchange, although a lot of us are using Linux and Evolution.
Any help would be GREATLY appreciated. Thanx in advance
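As an added example (not part of the original post), the port-25 relay check done by hand with telnet above, scripted in Python: it runs the same EHLO / MAIL FROM / RCPT TO exchange against a server you administer and reports whether an outside sender to an outside recipient was accepted. The host names and addresses are placeholders, and the two server transcripts are constructed so the logic can be exercised offline.

```python
import socket
from io import BytesIO

def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line) and return its numeric code."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        # "250-SIZE ..." continues a multi-line reply; "250 OK" ends it.
        if len(text) < 4 or text[3] != "-":
            return int(text[:3])

def relay_probe(rfile, wfile, helo="relaycheck.example",
                sender="probe@external-a.example", rcpt="probe@external-b.example"):
    """Drive the relay test over an open SMTP session. A closed relay refuses an
    outside sender to an outside recipient (5xx at RCPT TO). Returns (open_relay, code)."""
    def send(cmd):
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()
        return read_reply(rfile)
    if read_reply(rfile) != 220:
        raise RuntimeError("no 220 greeting")
    if send(f"EHLO {helo}") != 250 and send(f"HELO {helo}") != 250:
        raise RuntimeError("EHLO/HELO rejected")
    mail_code = send(f"MAIL FROM:<{sender}>")
    if mail_code != 250:           # sender refused outright: relay is closed
        send("QUIT")
        return False, mail_code
    rcpt_code = send(f"RCPT TO:<{rcpt}>")
    send("QUIT")
    return rcpt_code == 250, rcpt_code

def probe_server(host, port=25, timeout=15):
    """Connect to your own mail server and run the relay probe against it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_probe(rfile, wfile)

# Constructed server transcripts (placeholder host names) for offline use.
CLOSED_RELAY = (b"220 mail.example ESMTP\r\n250-mail.example\r\n250 SIZE 10240000\r\n"
                b"250 2.1.0 Sender OK\r\n550 5.7.1 Unable to relay\r\n221 Bye\r\n")
OPEN_RELAY = (b"220 mail.example ESMTP\r\n250 mail.example\r\n"
              b"250 2.1.0 Sender OK\r\n250 2.1.5 Recipient OK\r\n221 Bye\r\n")

def probe_transcript(transcript):
    """Run relay_probe against a canned transcript; returns (open_relay, code)."""
    return relay_probe(BytesIO(transcript), BytesIO())

if __name__ == "__main__":
    print("closed relay transcript:", probe_transcript(CLOSED_RELAY))
    print("open relay transcript:", probe_transcript(OPEN_RELAY))
```

A 550/554 at RCPT TO for an outside recipient is what a correctly closed relay returns; a 250 there means the server would accept mail for delivery elsewhere.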