Exchange Server Forums


User has sent 66,000 emails in 3 1/2 weeks?

All Forums >> [Microsoft Exchange 2003] >> Server Security >> User has sent 66,000 emails in 3 1/2 weeks? Page: [1]
User has sent 66,000 emails in 3 1/2 weeks? - 8.Feb.2005 5:35:00 PM   
cademetz
Posts: 36
Joined: 13.Jan.2005
From: Harker Heights, TX
Status: offline
I set up the performance and usage monitors so that I am emailed regarding those stats.

The most recent usage report shows one of my users having sent nearly 66,000 emails, almost 2.5GB... yes GIGABYTES worth of email.

My own account is shown as having sent over 30,000 mails but just under 5GBs! The next highest user has sent just over 3,500 emails. My Sent Items has less than 200 items in it, and I haven't cleaned it out! Granted, some of those have a large number of recipients... but I don't see how it is possible I have sent 30,000 emails... worth nearly 5GBs!

These numbers are the numbers shown for external emails, but the server has only been online since January 14th!

Needless to say, this is really bothering me that somehow someone is using my server to send spam. However, here are some security settings in place:

- Relaying is closed; tested with a site, confirmed being closed
- NDRs are NOT sent

What else could cause THAT many emails to be sent?

[ February 08, 2005, 05:36 PM: Message edited by: Cade Metz ]
Post #: 1
RE: User has sent 66,000 emails in 3 1/2 weeks? - 8.Feb.2005 5:57:00 PM   
Egiganet
Posts: 135
Joined: 10.Dec.2002
From: Michigan
Status: offline
Check your SMTP log files to see what is being sent. Check your SMTP queues to see if most of these are incoming or outgoing.

Are you monitoring exchange alone or monitoring port 25 on a gateway?

(in reply to cademetz)
Post #: 2
RE: User has sent 66,000 emails in 3 1/2 weeks? - 8.Feb.2005 6:55:00 PM   
cademetz
Posts: 36
Joined: 13.Jan.2005
From: Harker Heights, TX
Status: offline
I am monitoring Exchange alone. Exchange sends me an email every other week with a summary of email usage: emails sent, emails received, mailbox size, and OWA usage. It is this usage report that is showing a user sending this number of emails. This is why I am so bothered, because it would imply they are being sent from my server.

Unfortunately, I had not enabled SMTP logging (I just did now) so I can't see what has been going on.

The server is set up to only allow relaying by the server's internal IP (and of course the 127.0.0.1 loopback IP). The option to "Allow computers which successfully authenticate..." has been disabled.

Have I missed something for protecting my server?

(in reply to cademetz)
Post #: 3
RE: User has sent 66,000 emails in 3 1/2 weeks? - 8.Feb.2005 10:00:00 PM   
Egiganet
Posts: 135
Joined: 10.Dec.2002
From: Michigan
Status: offline
It should be setup to:

- "Allow only the IPs below to relay", and you can delete all the IPs. A case where you would put an IP in is if you have a device that needs an SMTP server to send info through, i.e. website, alert software...
- "Allow authenticated users to relay" should be checked. This says if you have logged into the server, you can relay.

It sounds like something in your system might be playing ping pong. Open up system manager, go to your server and storage and look at mailbox storage. See if there are any unusually large mailboxes.

Review your SMTP log, if you've done 60000 messages over the last two weeks, there should be some info in the logs already.

(in reply to cademetz)
Post #: 4
RE: User has sent 66,000 emails in 3 1/2 weeks? - 8.Feb.2005 10:45:00 PM   
cademetz
Posts: 36
Joined: 13.Jan.2005
From: Harker Heights, TX
Status: offline
First, as to the logs. I am looking in these two places at SMTP logs:

C:\Program Files\Exchsrvr\SRVR-EMAIL.log\
C:\Windows\system32\Logfiles\SMTPSVC1

The first location only seems to be listing inbound emails. The second location only has logs starting today (since I just started that logging service). The outbound connections so far are of a normal volume.

Am I missing something about where the logs are?

As for relaying settings, here is a picture of the current settings:

As for unusually large mailboxes.... you'd better believe it. I have two users with over 1GB worth of email, one approaching 2GB. My users are attachment happy, and I am beginning to make them archive old email and filter out useless email. However, NEITHER of the two users with the extremely large mailbox sizes are the ones who show having sent the 66,000 and 30,000 messages. Those two mailboxes are: 50MB and 156MB respectively. Right now, mailbox size restrictions are turned off.

(in reply to cademetz)
Post #: 5
RE: User has sent 66,000 emails in 3 1/2 weeks? - 8.Feb.2005 11:13:00 PM   
Egiganet
Posts: 135
Joined: 10.Dec.2002
From: Michigan
Status: offline
Remove the 2 granted IPs and then check the box for allowing authed users to relay.

Check your queues, do you have anything out of the ordinary in your queues?

(in reply to cademetz)
Post #: 6
RE: User has sent 66,000 emails in 3 1/2 weeks? - 8.Feb.2005 11:15:00 PM   
Egiganet
Posts: 135
Joined: 10.Dec.2002
From: Michigan
Status: offline
Also, for the heck of it, turn on message archiving to see what's flying around.

(in reply to cademetz)
Post #: 7
RE: User has sent 66,000 emails in 3 1/2 weeks? - 9.Feb.2005 12:06:00 AM   
cademetz
Posts: 36
Joined: 13.Jan.2005
From: Harker Heights, TX
Status: offline
Okay, random question: any idea how Exchange "counts" sent messages? I took a closer look at one of the logs in Excel and for ONE DAY, I have 30MB worth of logged information. This was a day when one of the particular users did send out a legitimate "mass email" to all her contacts. This Excel spreadsheet has 65,536 rows in it.. I suspect it would have more, but it seems since 2^16 = 65536... maybe this is a row limitation in Excel.

I was looking at the logs for one particular message a user sent (the user with 66,000 sent messages). Basically, it has log entries from row 13160 to 65536 (with a few breaks here and there for inbound emails). So basically, over 50,000 log entries for a SINGLE email. That cannot be normal.

(in reply to cademetz)
Post #: 8
RE: User has sent 66,000 emails in 3 1/2 weeks? - 9.Feb.2005 7:09:00 PM   
AMathewsFL
Posts: 42
Joined: 25.Aug.2003
From: Florida
Status: offline
I must take issue with EGIGANET's suggestion to allow authenticated users to relay.

You really need a mail relay box that does not allow authenticated users to relay.

If a spammer is able to guess a user's password (often not that hard to do), then said spammer could use your box to relay all day long.

If this box is directly accessible from the outside, you might have a problem with this.

(in reply to cademetz)
Post #: 9
RE: User has sent 66,000 emails in 3 1/2 weeks? - 9.Feb.2005 9:02:00 PM   
cademetz
Posts: 36
Joined: 13.Jan.2005
From: Harker Heights, TX
Status: offline
I agree with AMathewsFL. I have two groups of users when it comes to the server:

Group 1: Primarily work in the office using Outlook 2003 to connect directly to the email server (via an Exchange profile); hence don't need relaying permissions. When traveling, they use OWA and still don't need relaying permissions.

Group 2: A few users work remotely (from home) but only use OWA and hence don't need relaying permissions.

We have 9 in-office employees and 4 home employees; none who are all THAT tech savvy. OWA from home is a HUGE step up from what we had before, so closing off the relaying is a justifiable step for me.

(in reply to cademetz)
Post #: 10
RE: User has sent 66,000 emails in 3 1/2 weeks? - 10.Feb.2005 3:33:00 PM   
Egiganet
Posts: 135
Joined: 10.Dec.2002
From: Michigan
Status: offline
My intentions with removing the IPs were to disable any means of unauthenticated relay. For all we know there could be someone sitting outside in a car with wireless access into your network sending the messages out.

Do what you want... good luck.

(in reply to cademetz)
Post #: 11
RE: User has sent 66,000 emails in 3 1/2 weeks? - 10.Feb.2005 5:24:00 PM   
cademetz
Posts: 36
Joined: 13.Jan.2005
From: Harker Heights, TX
Status: offline
A wireless network we have... and while no security is foolproof, it is secured with WPA and a pretty good password. Also, the passwords on the two accounts showing the high number sent emails are both relatively secure. For the counts to be put against these two users would require knowing their password and authenticating as them.

I personally am leaning towards a 'bug' in the way the server is counting sent messages. Perhaps out of naivety... but nevertheless. The two days when large emails were sent out are the days when tens of thousands of log entries are found in the SMTP logs.

However, maybe I am not understanding something. The list of IPs that were allowed to relay were the email server's own IP and the loopback IP of 127.0.0.1. This was the default configuration out of the box. Even with these, someone still shouldn't be able to relay since their IP wouldn't be either one of those, right?

(in reply to cademetz)
Post #: 12
RE: User has sent 66,000 emails in 3 1/2 weeks? - 10.Feb.2005 5:58:00 PM   
BeTaCam
Posts: 420
Joined: 24.Feb.2003
From: India
Status: offline
I think you are mixing 2 unique settings on SMTP here.

1. Do you need to have an IP address permitted to relay? Or the "Allow all computers..." checkbox enabled?

- Choose the "Allow all computers...". This ensures that the outbound SMTP will accept a socket on 25 only from authenticated resources.

- Remove the 127.0.0.1 IP entry. It's not required.

2. How did I get 66,000 Mails?

- The user must have sent a BCC blast. In case you have turned on Msg Tracking, check for the mails sent out by the specific user.

- Is this mailbox used for sending alerts of any sort?

- On each day, how many have been sent out by the user who has sent 66K mails?

Do let me know.

/BC

(in reply to cademetz)
Post #: 13
RE: User has sent 66,000 emails in 3 1/2 weeks? - 10.Feb.2005 6:31:00 PM   
cademetz
Posts: 36
Joined: 13.Jan.2005
From: Harker Heights, TX
Status: offline
As for relaying... I have pretty much disabled it. I removed even the server's IPs and not even authenticated users are allowed to relay. I really have no need to allow relaying; all of my users send mail directly through the server; so the server is sending the email, not some other computer.

As for the 66k emails. Both blast emails were in fact done with BCCs. I have reviewed most of the logs, and the only log entries I can find for either user are either an email here and there that look legitimate (one or two recipients I recognize), or a TON of log entries related to the blast e-mails. Neither account is used for any types of alerts.

(in reply to cademetz)
Post #: 14
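The counting puzzle in this thread, worked as an added example (not code from any poster): a small Python parser for the W3C extended logs the SMTP service writes under Logfiles\SMTPSVC1 that tallies MAIL FROM envelopes separately from RCPT TO entries per sender, so a BCC blast shows up as one message with many recipients rather than as thousands of messages, and inbound sessions are kept apart from the server's own outbound ones. The log lines are constructed, and the "OutboundConnectionCommand" marker for the server's outbound sessions is an assumption to verify against a real log.

```python
"""Per-sender tally from W3C extended SMTP service logs (the format written
under Logfiles\\SMTPSVC1): each MAIL FROM is one message, each RCPT TO one
recipient, so a BCC blast shows as 1 message with many recipients."""
from collections import defaultdict

# Constructed sample, not real log data. Column order comes from the #Fields
# header, as in a real file. The cs-username value the SMTP service writes for
# its own outbound sessions is assumed to be "OutboundConnectionCommand".
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2005-02-08 09:00:01 10.0.0.5 OutboundConnectionCommand MAIL FROM:<alice@example.com> 0
2005-02-08 09:00:01 10.0.0.5 OutboundConnectionCommand RCPT TO:<r1@other.example> 0
2005-02-08 09:00:01 10.0.0.5 OutboundConnectionCommand RCPT TO:<r2@other.example> 0
2005-02-08 09:00:01 10.0.0.5 OutboundConnectionCommand RCPT TO:<r3@other.example> 0
2005-02-08 09:00:02 10.0.0.5 OutboundConnectionCommand DATA - 0
2005-02-08 09:05:00 192.0.2.77 mx.remote.example MAIL FROM:<someone@remote.example> 0
2005-02-08 09:05:00 192.0.2.77 mx.remote.example RCPT TO:<alice@example.com> 0
2005-02-08 10:00:00 10.0.0.5 OutboundConnectionCommand MAIL FROM:<bob@example.com> 0
2005-02-08 10:00:00 10.0.0.5 OutboundConnectionCommand RCPT TO:<r4@other.example> 0
"""
OUTBOUND_MARKER = "OutboundConnectionCommand"  # assumed; check your own logs


def address(query):
    """'FROM:<A@B>+SIZE=10' or 'TO:<a@b>' -> 'a@b' (lower-cased)."""
    start, end = query.find("<"), query.find(">")
    return query[start + 1:end].lower() if 0 <= start < end else query.lower()


def summarize(log_text):
    """Return {(direction, sender): [messages, recipients]}."""
    fields, current_sender, tally = None, {}, defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the columns
            continue
        parts = line.split()
        if fields is None or line.startswith("#") or len(parts) != len(fields):
            continue                           # comment, blank or malformed row
        row = dict(zip(fields, parts))
        conn = (row["c-ip"], row["cs-username"])   # one envelope at a time per session
        direction = "outbound" if row["cs-username"] == OUTBOUND_MARKER else "inbound"
        if row["cs-method"] == "MAIL":
            current_sender[conn] = address(row["cs-uri-query"])
            tally[(direction, current_sender[conn])][0] += 1   # new message
        elif row["cs-method"] == "RCPT" and conn in current_sender:
            tally[(direction, current_sender[conn])][1] += 1   # one recipient
    return dict(tally)
```

On the constructed sample, `summarize(SAMPLE_LOG)` attributes one outbound message with three recipients to alice, which is the shape a per-recipient "sent" counter would report as three.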
