Exchange Queue
The server I am working on is an SBS 2003 box. The problem I am having is that the mail queue keeps growing larger and larger. I look at the items in the queue and there are a ton of emails coming from the domain that are going to misc. places. It looks like this server has been compromised. I have tested it and it is not an open relay. How do I check to see if there is a backdoor on it? It has CA 8.1 antivirus on it and it is not picking up any viruses, trojans, etc.
November 16th, 2007 5:23pm

Could one of your client machines be compromised and relaying mail through the SBS server? I'd run full scans on all client machines as well. Is your CA product checking the file system and the Exchange DBs for viruses, or is it file system only?
November 16th, 2007 6:43pm

I know it is not one of the client machines. Last night I took them all off of the network and emptied the Queue folder, and by this morning I had 20000 messages in the queue. I will have to check and see if it is scanning the DBs.
November 16th, 2007 6:46pm

If it isn't a product designed to scan the databases, don't scan the .edb and .stm files with it. That will corrupt the DBs. Maybe not an open relay, but could there be a compromised user account someone is using to relay? Like, is the guest account enabled?
November 16th, 2007 6:48pm

When I look at all of the messages in the queue they all say they are from the postmaster. How do I disable send on postmaster?
November 16th, 2007 6:51pm

Are they all non-delivery reports? If so, someone could be DoS'ing you or pulling a directory harvest. You can turn off NDRs as a whole.
November 16th, 2007 6:57pm

How do I tell if they are NDRs? From what I can tell they don't look like it. I have looked at the sender on most of the messages and they are all postmaster.
November 16th, 2007 7:10pm

I just turned off NDRs. Now I will empty the queue and see how long it takes to rebuild.
November 16th, 2007 7:14pm

I turned off NDRs and cleaned out the queue. Now the queue is staying small but the messages waiting to be routed are climbing. I looked at the messages and it is all people trying to send to addresses on the domain that don't exist. What do you suggest?
November 16th, 2007 7:35pm

Sounds like a directory harvest attack to me. Can you see the source IP in your SMTP logs or firewall? If you can isolate it to one IP, you could block it.
November 16th, 2007 8:17pm

I looked in my SMTP logs and found I was getting hit by 7 different IPs that were giving me the 7010 error, address doesn't exist. So I blocked them in the firewall. Hopefully this helps.
November 16th, 2007 8:53pm
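The log check the thread ends on, as an added example that is not part of the original thread: it reads the W3C-format SMTP service log (field names from the `#Fields:` header) and flags client IPs whose RCPT TO commands are mostly answered 550, the pattern a directory harvest leaves. The log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Flag likely directory-harvest sources in an IIS/Exchange 2003 SMTP W3C log.

Constructed example, not from the forum thread. A directory harvest shows up
as one client IP issuing many RCPT TO commands that the server answers 550
(recipient does not exist). Field names follow the W3C extended log format
the SMTP service writes; the sample records and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample log (not real traffic). Fields reduced to what we need.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2007-11-16 13:01:02 203.0.113.10 RCPT +TO:<bob@example.com> 250
2007-11-16 13:01:05 198.51.100.7 RCPT +TO:<aaron@example.com> 550
2007-11-16 13:01:05 198.51.100.7 RCPT +TO:<abby@example.com> 550
2007-11-16 13:01:06 198.51.100.7 RCPT +TO:<abel@example.com> 550
2007-11-16 13:01:06 198.51.100.7 RCPT +TO:<bob@example.com> 250
2007-11-16 13:01:06 198.51.100.7 RCPT +TO:<adam@example.com> 550
2007-11-16 13:01:09 203.0.113.10 RCPT +TO:<nosuch@example.com> 550
"""

def parse_w3c(text):
    """Yield one dict per log record, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def rcpt_stats(text):
    """Per client IP: (total RCPT commands, RCPT commands rejected with 550)."""
    stats = defaultdict(lambda: [0, 0])
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "RCPT":
            continue
        stats[rec["c-ip"]][0] += 1
        if rec.get("sc-status") == "550":
            stats[rec["c-ip"]][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

def harvest_suspects(text, min_rejects=3, min_ratio=0.75):
    """IPs whose 550-rejected RCPTs are both numerous and the bulk of their attempts."""
    return sorted(ip for ip, (total, rej) in rcpt_stats(text).items()
                  if rej >= min_rejects and rej / total >= min_ratio)

if __name__ == "__main__":
    for ip, (total, rej) in rcpt_stats(SAMPLE_LOG).items():
        print(f"{ip}: {rej}/{total} RCPT rejected")
    print("block candidates:", harvest_suspects(SAMPLE_LOG))
```

The ratio test keeps a legitimate sender with one mistyped recipient (203.0.113.10 above) off the block list; point `parse_w3c` at the real log directory contents to run it over a day of traffic.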
