Bad Feeling About Exchange Server

Let's start off with some background info on this before I get into the actual problem.

First, I am not an Exhange 5.5 guru. I can create and delete accounts, restart services and that is about it. The way our e-mail is set up is it goes through Quantico before it gets to us. Starting last week I get calls everyday from Quantico stating that our queue is unbelieveably high. Their threshold is 500 before they call. They suggest restarting the MTA service which never works and I end up restarting the server and that usually works.....until today.

About 15 minutes ago I get a call from Quantico. I go through the steps of restarting the MTA and then restarting the server. This time it did not correct the problem, I received another call 5 minutes ago. They asked me to send them my logs from event viewer. Nothing there caught my attention but then again I am not an Exchange guy.

So, considering this started a week ago after the server has been running for quite sometime, I am thinking it is hardware related. I have a meeting in about an hour in which I will drop the bomb that our e-mail server may be dying and will request funding for a much newer better server.

The server I have is a Dell PowerEdge 4400. It has dual 667's, 512MB of RAM and 5 SCSI 9.4GB hard drives in RAID 5. I think Jesus worked at Dell when this thing was built. At one point in time it was an NT4 PDC .

Does anyone else think that this is hardware related or could it be some configuration setting that finally had enough and stopped working?

I stumped all of you as well...

Oh well, I have a request in to get a new server anyway, just waiting on funding. If anyone has thoughts on this please share.

I'm not an exchange guy either, but let me run this by a friend of mine who does this sort of thing.

//EDIT



Hope that helps.

I'm sorry, I must have missed this the first time around. You said all your incoming mail goes through Quantico first, but based on the fact that they are having you mess with your equipment, I'm assuming the high queue being refered to is your outgoing, which I'll make the temporary assumption will most likely be SMTP.

The first thought that comes to mind, and the most likely thing that is happening, is that somone is spoofing using your SMTP server. Don't rule this one out. The programmer that works with me at the moment said that one of their clients is a Presbyterian church was being used for spoofing and it was so bad that they were blacklisted and could completely not send or receive emails. They had to determine where it was coming from and stop it, then prove to the ISP that it was not them, but rather spoofing, before they could get removed from the blacklist. I've never had to deal with that, so at the moment I have no way of telling you how to approach it. Starting and stopping your services or rebooting, would of course, temporarily stop the activity, because the remote connection would obviously temporarily be broken until it could be reestablished.

The second thing that comes to my mind (and not out of the question) wouldn't even be hardware at all, but rather one of your servers / clients has a virus which may be using it's own SMTP server to route it's own variation of emails. The first thing that I would do prior to investing in new equipment is to run thorough scans, including spyware and adware scans to ensure that none of your machines have an infection.

I use Symantec Enterprise and can monitor virus activity via the Control Panel. On Friday, I was applying all the recent patches from Microsoft. While doing so, I was looking up a client station IP address on the Control Panel, and not seeing his workstation listed, went to turn on his computer, but it was already on. I noticed his antivirus was disabled and no longer managed by the server. I reinabled the management control and ran a full scan remotely and discovered and deleted 135 virus infected files, primarily MyDoom!Gen (although there were others). As best as I can determine, he contracted this June 16 by visiting a malicious site. I had overlooked it for two months because I just never noticed he was no longer showing up on the management console. So again don't rule that out as a possibility. (I thought we were completely virus free, and was obviously embarassed to discover we weren't).

I would research both of those possibilities before investing in new hardware.

Some reading for you:

http://www.securityfocus.com/infocus/1674
http://searchwindowssecurity.techtarget ... 83,00.html
http://docs.rinet.ru/LomamVse/ch28/ch28.htm

Thanks for replying and sorry it took so long to post back. I just went through a rebuild of this damn server due to a virus, go figure. The patch I applied last week was obviously too late as I contracted the Zotob. At least I'm not re-imaging over 700 machines like my counter parts are but I still had to rebuild it.

It could be spoofing related. I would lean more towards that one. The virus thing has me thinking as well but we are completely managed by another party here. My users are generally pretty good when it comes to web browsing, they are afraid of getting in trouble (military network) and they do not have admin rights to their machines. And when one of them does do something I am immediately contacted about the incident. I'll read those articles and do some snooping around.

Once again thanks for the feedback.

BTW, I do have 2 new servers coming. I am excited. Dual procs with 4 gigs of RAM and a butt load of hard drive space. It is time to retire this old beast.

*lol - new toys are always the best! Good luck.