SMTP Connections Full of lots of connections for 275078 + Seconds

Discussion:

(too old to reply)

Scott Townsend

2006-11-27 15:40:04 UTC

Every once in a while our SMTP Service looks like the Blelow.... Full of
connections that have been connected for 100s of thousands of seconds. It
pretty much makes the SMTP Connector useless. Jsut terminating the
Connections does not seem to solve the issue. I have to reboot in order for
Exchange to start talking to the internet again.

I'm running
Exchange 2003 SP2
Win2003 SP1

Any way to time out a connection if its been connected for too long? Some
of these are connected from 5 to 10 days!

Thank you,
Scott<-

User From Connected Time
mx16.smartdealflash.com 72.29.5.196 900166 seconds
mx5.smartdealflash.com 72.29.5.185 841919 seconds
OOO 195.218.131.190 795817 seconds
mx17.smartdealspecials.com 72.29.5.137 661985 seconds
mx11.smartdealflash.com 72.29.5.191 585755 seconds
AGENTE1 148.223.146.212 512174 seconds
ip190.hermesegreek.com 66.207.172.190 478387 seconds
NAOMI.eb65ox.net 124.255.169.133 454064 seconds
a30b.i2alnz.comcast.net 124.255.169.133 454032 seconds
NAOMI 124.255.169.133 453996 seconds
NAOMI 124.255.169.133 453965 seconds
NAOMI 124.255.169.133 453932 seconds
NAOMI.x8ff.net 124.255.169.133 453899 seconds
NAOMI.1fogbmi.com 124.255.169.133 453867 seconds
NAOMI.oegoikk.org 124.255.169.133 453836 seconds
ip167.hermesegreek.com 66.207.172.167 396660 seconds
ip189.hermesegreek.com 66.207.172.189 356458 seconds
ip146.hermesegreek.com 66.207.172.146 355924 seconds
ip184.hermesegreek.com 66.207.172.184 275354 seconds
ip183.hermesegreek.com 66.207.172.183 275101 seconds
ip184.hermesegreek.com 66.207.172.184 275078 seconds
PC3 201.229.232.108 259832 seconds
qyo6i22f.oae1x3.verizon.net 201.229.232.108 259777 seconds
PC3 201.229.232.108 259734 seconds
mx10.smartdealcoupons.com 72.29.5.99 241628 seconds
HYUNJU.oo0rw04.org 203.100.185.102 140957 seconds
HYUNJU 203.100.185.102 140925 seconds

Waleed Omar

2006-11-28 15:12:46 UTC

Permalink

From the exchange smtp virtual server properties you will find a field that
you can specify the timeout period in, Use this box to set the number of
minutes before an inactive client is disconnected. You can type a number
from 1 to 19,999,999. The default setting is 10 minutes. But if those
connections coming in to you are active they will not be terminated, you can
do IP address blocking for them as well if you can guarantee they are not
positive or legal sender for your company.

Regards,
Waleed Omar

Post by Scott Townsend
Every once in a while our SMTP Service looks like the Blelow.... Full of
connections that have been connected for 100s of thousands of seconds. It
pretty much makes the SMTP Connector useless. Jsut terminating the
Connections does not seem to solve the issue. I have to reboot in order
for Exchange to start talking to the internet again.
I'm running
Exchange 2003 SP2
Win2003 SP1
Any way to time out a connection if its been connected for too long? Some
of these are connected from 5 to 10 days!
Thank you,
Scott<-
User From Connected Time
mx16.smartdealflash.com 72.29.5.196 900166 seconds
mx5.smartdealflash.com 72.29.5.185 841919 seconds
OOO 195.218.131.190 795817 seconds
mx17.smartdealspecials.com 72.29.5.137 661985 seconds
mx11.smartdealflash.com 72.29.5.191 585755 seconds
AGENTE1 148.223.146.212 512174 seconds
ip190.hermesegreek.com 66.207.172.190 478387 seconds
NAOMI.eb65ox.net 124.255.169.133 454064 seconds
a30b.i2alnz.comcast.net 124.255.169.133 454032 seconds
NAOMI 124.255.169.133 453996 seconds
NAOMI 124.255.169.133 453965 seconds
NAOMI 124.255.169.133 453932 seconds
NAOMI.x8ff.net 124.255.169.133 453899 seconds
NAOMI.1fogbmi.com 124.255.169.133 453867 seconds
NAOMI.oegoikk.org 124.255.169.133 453836 seconds
ip167.hermesegreek.com 66.207.172.167 396660 seconds
ip189.hermesegreek.com 66.207.172.189 356458 seconds
ip146.hermesegreek.com 66.207.172.146 355924 seconds
ip184.hermesegreek.com 66.207.172.184 275354 seconds
ip183.hermesegreek.com 66.207.172.183 275101 seconds
ip184.hermesegreek.com 66.207.172.184 275078 seconds
PC3 201.229.232.108 259832 seconds
qyo6i22f.oae1x3.verizon.net 201.229.232.108 259777 seconds
PC3 201.229.232.108 259734 seconds
mx10.smartdealcoupons.com 72.29.5.99 241628 seconds
HYUNJU.oo0rw04.org 203.100.185.102 140957 seconds
HYUNJU 203.100.185.102 140925 seconds

Scott Townsend

2006-11-28 17:07:58 UTC

Permalink

So if they are not timing out, then either there is a bug or they are
active.

they are always different connections, so they are not always from the same
IPs. So blocking IPs is not really an option as they are always changing.

If they are really active, is there anyway to see what they are trying to
do?

Could this be some sort of DoS Attack? As it does bring my SMTP VS to a
halt and I cant send/receive any mail via the VS. If I terminate all
connections, it still hangs. If I try to stop the VS or the SMTP Service, it
still hangs on stopping. They only way I've found to get it back up is to
reboot.

Going in and checking to see if there are active sessions connected for long
periods is kind of a pain...

Any Suggestions? The takes down the mail server now about 2-3 times a
month...

Thanks,
Scott<-

Post by Waleed Omar
From the exchange smtp virtual server properties you will find a field
that you can specify the timeout period in, Use this box to set the number
of minutes before an inactive client is disconnected. You can type a
number from 1 to 19,999,999. The default setting is 10 minutes. But if
those connections coming in to you are active they will not be terminated,
you can do IP address blocking for them as well if you can guarantee they
are not positive or legal sender for your company.
Regards,
Waleed Omar

Post by Scott Townsend
Every once in a while our SMTP Service looks like the Blelow.... Full of
connections that have been connected for 100s of thousands of seconds.
It pretty much makes the SMTP Connector useless. Jsut terminating the
Connections does not seem to solve the issue. I have to reboot in order
for Exchange to start talking to the internet again.
I'm running
Exchange 2003 SP2
Win2003 SP1
Any way to time out a connection if its been connected for too long?
Some of these are connected from 5 to 10 days!
Thank you,
Scott<-
User From Connected Time
mx16.smartdealflash.com 72.29.5.196 900166 seconds
mx5.smartdealflash.com 72.29.5.185 841919 seconds
OOO 195.218.131.190 795817 seconds
mx17.smartdealspecials.com 72.29.5.137 661985 seconds
mx11.smartdealflash.com 72.29.5.191 585755 seconds
AGENTE1 148.223.146.212 512174 seconds
ip190.hermesegreek.com 66.207.172.190 478387 seconds
NAOMI.eb65ox.net 124.255.169.133 454064 seconds
a30b.i2alnz.comcast.net 124.255.169.133 454032 seconds
NAOMI 124.255.169.133 453996 seconds
NAOMI 124.255.169.133 453965 seconds
NAOMI 124.255.169.133 453932 seconds
NAOMI.x8ff.net 124.255.169.133 453899 seconds
NAOMI.1fogbmi.com 124.255.169.133 453867 seconds
NAOMI.oegoikk.org 124.255.169.133 453836 seconds
ip167.hermesegreek.com 66.207.172.167 396660 seconds
ip189.hermesegreek.com 66.207.172.189 356458 seconds
ip146.hermesegreek.com 66.207.172.146 355924 seconds
ip184.hermesegreek.com 66.207.172.184 275354 seconds
ip183.hermesegreek.com 66.207.172.183 275101 seconds
ip184.hermesegreek.com 66.207.172.184 275078 seconds
PC3 201.229.232.108 259832 seconds
qyo6i22f.oae1x3.verizon.net 201.229.232.108 259777 seconds
PC3 201.229.232.108 259734 seconds
mx10.smartdealcoupons.com 72.29.5.99 241628 seconds
HYUNJU.oo0rw04.org 203.100.185.102 140957 seconds
HYUNJU 203.100.185.102 140925 seconds

jdumke

2006-12-12 19:52:28 UTC

Permalink

We have had the same problem with Exchange 2003, SP2 for some months. I
applied the hotfix that MS recommends:
<http://support.microsoft.com/kb/923346> and it seemed to take care of
some of the offending domains. HERMESEGREEK AND SMARTDEALS continue to
show the same behavior, so I'm just going to block their domains from
connecting to our servers.

--
jdumke