Persistent ISA dial-ups - stuck outbound mail ?

Persistent ISA dial-ups - stuck outbound mail ?

Post by Jim Smi » Tue, 06 May 2003 23:21:20



Hi all,

Looking after a number of SBS2K sites I'm beginning to notice an ever
increasing number of sites which are experiencing their ISA dial-up
being constantly connected for days and days at a time.
Here in the UK that equates to your telephone bill being delivered to
you in a large box.....

On closer inspection, looking at the ISA log files etc., the following
log entries appear to be common in all these cases:

10.0.0.2 anonymous wininet 2003-04-09 06:01:25 SERVER01 -.com - 80
12265 134 -http GET http://.com/ Inet 11001
127.0.0.1 anonymous wininet 2003-04-09 06:01:30 SERVER01 - .com - 80
4578 134 -http GET http://.com/ Inet 11001

...repeated over and over again.

These entries are repeated at roughly five minute intervals
continuously until the connection is manually hung up. If this goes
unnoticed this could be for many days, resulting in a huge telephone
bill....
It appears that this is ISA calling the internet for 'WebContent'? in
order to facilitate mail delivery at the scheduled time set using the
initial ICW settings. Problem is it's doing this throughout the night
even if we set the SMTP connector to only run, say, 7am to 11pm rather
than 'always run'.

It looks as if for the best part this is being caused by e-mail
messages from the system postmaster getting stuck in the outbound mail
queues.
Sometimes one, sometimes two.
Most of the ones that I have investigated so far have all been replies
from the system postmaster to spammer mail addresses.
However these messages do not appear to be adhering to the normal
retry criteria. The stuck messages also seem to override the
delivery schedule times set on the SMTP delivery service.
Once the messages are removed with a 'send no NDR' from the queue and
the line hung up manually (the line has to be hung up manually, it won't
disconnect even after the messages are removed from the queues) the
problem stops until the next time it occurs, usually within a few
days or so.

Also I have seen instances whereby users have inadvertently opened up
spam e-mail in HTML carrying webpage-style advertisements; this then
causes ISA to dial up to display the content of the message, but after
the user closes the message the ISA server seems unable to hang up the
connection and has to be manually disconnected. I've tested this one
myself with one of the suspect messages and it would seem that some of
the graphics in the page couldn't be found on the remote webserver;
the message is then closed in Outlook on the client PC but the ISA server never
disconnects and again has to be hung up manually.
I'm also not sure whether the content of the messages or the
advertising contained within is malformed or malicious and this is
what causes the problem. We have AntiVirus installed at all sites
and bang up to date with defs, regular scans and mail gateway scanners.
All security patches and hotfixes bang up to date etc. etc.

We have now started filtering the inbound messages using the SMTP
filter in Exchange but this is proving very tedious to keep up to date
and somewhat ineffective, as it would appear that nearly every time the
server receives more spam e-mail it's nearly always from a new spam
address. For the best part the users are as careful as they can be but
it's difficult to adhere to a strict 'don't open it unless you know who
it's from', especially if you are in the sales dept.

I've had a look at the ISA feature pack but am unsure as to whether
this can help with the situation. Any thoughts, anyone?

Is there anything that I may have missed with regards to Exchange
setup?
We're not sending any NDRs on the filtering side.. undeliverable mail
is not being NDR'd.

It looks like other people are also experiencing this, having a look
around.

Anybody any thoughts on how to proceed? It's all beginning to become a
bit of a pain to say the least.

I know... 'unmetered' internet access springs to mind, but this isn't
really solving the problem, is it, just going around it?

Jim.
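As an added illustration (not part of the original thread), the following script groups ISA web-proxy log entries by client and URL and flags request series that recur at a regular interval, which is the pattern that keeps a dial-on-demand line from idling out. The sample lines are constructed to mirror the post's entries (the hostnames are placeholders, and the field positions are assumed from the quoted lines); result code 11001 is the Winsock WSAHOST_NOT_FOUND value, so each request fails at name resolution yet the client keeps retrying.

```python
"""Find clients whose periodic, repeated web requests keep an on-demand
dial-up connected, from ISA Server web-proxy log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample, field order assumed from the lines quoted in the post:
# client-ip user agent date time server dest-host dest-ip port proc-ms
# bytes-recv bytes-sent protocol method url object-source result
SAMPLE_LOG = """\
10.0.0.2 anonymous wininet 2003-04-09 06:01:25 SERVER01 update.example.com - 80 12265 134 - http GET http://update.example.com/ Inet 11001
127.0.0.1 anonymous wininet 2003-04-09 06:01:30 SERVER01 img.example.net - 80 4578 134 - http GET http://img.example.net/ Inet 11001
10.0.0.7 user1 Mozilla/4.0 2003-04-09 06:03:10 SERVER01 www.example.org - 80 220 3012 512 http GET http://www.example.org/news Inet 200
10.0.0.2 anonymous wininet 2003-04-09 06:06:25 SERVER01 update.example.com - 80 12270 134 - http GET http://update.example.com/ Inet 11001
127.0.0.1 anonymous wininet 2003-04-09 06:06:31 SERVER01 img.example.net - 80 4590 134 - http GET http://img.example.net/ Inet 11001
10.0.0.2 anonymous wininet 2003-04-09 06:11:25 SERVER01 update.example.com - 80 12261 134 - http GET http://update.example.com/ Inet 11001
127.0.0.1 anonymous wininet 2003-04-09 06:11:30 SERVER01 img.example.net - 80 4571 134 - http GET http://img.example.net/ Inet 11001
"""


def parse(line):
    """Split one space-separated log line into the fields we need."""
    f = line.split()
    return {"client": f[0], "agent": f[2],
            "when": datetime.strptime(f[3] + " " + f[4], "%Y-%m-%d %H:%M:%S"),
            "url": f[14], "result": int(f[16])}


def periodic_requesters(log_text, min_repeats=3, tolerance_s=60):
    """Return {(client, url): (count, mean_gap_s, last_result)} for request
    series whose spacing is regular to within tolerance_s seconds."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse(line)
            series[(e["client"], e["url"])].append((e["when"], e["result"]))
    found = {}
    for key, events in series.items():
        if len(events) < min_repeats:
            continue  # a handful of requests is normal browsing
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:  # clockwork spacing
            found[key] = (len(events), round(sum(gaps) / len(gaps)), events[-1][1])
    return found


if __name__ == "__main__":
    for (client, url), (n, gap, code) in periodic_requesters(SAMPLE_LOG).items():
        # 11001 = WSAHOST_NOT_FOUND: the request never succeeds, yet it recurs
        print(f"{client} -> {url}: {n} requests every ~{gap}s, last result {code}")
```

On the page's own data the 127.0.0.1 series points at a process on the server itself (Jim's stuck-queue theory), while a workstation address recurring this way points at an auto-updater of the kind Roger describes.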


Persistent ISA dial-ups - stuck outbound mail ?

Post by Roger Crawfor » Wed, 07 May 2003 20:37:37


I have seen this with Norton Anti Virus installed on the workstations. It
was set to auto-update itself, and by default I think it is set to check
every 5 minutes for updates. If you look at the workstations under scheduled
tasks you would see a task set up for the Anti Virus. Also if you have any
weather bugs or programs like that on the workstations it will do this also.
Also I have seen this with Gator or any 3rd party programs that connect to
the web and will cause the server to dial out, and then once dialled out the
requests keep happening so the connection is never dropped.

Roger Crawford
HTS


> Hi all,

> Looking after a number of SBS2K sites I'm beginning to notice an ever
> increasing number of sites which are experiencing their ISA dial-up
> being constantly connected for days and days at a time.
> Here in the UK that equates to your telephone bill being delivered to
> you in a large box.....

> On closer inspection, looking at the ISA log files etc., the following
> log entries appear to be common in all these cases:

> 10.0.0.2 anonymous wininet 2003-04-09 06:01:25 SERVER01 -.com - 80
> 12265 134 -http GET http://.com/ Inet 11001
> 127.0.0.1 anonymous wininet 2003-04-09 06:01:30 SERVER01 - .com - 80
> 4578 134 -http GET http://.com/ Inet 11001
>
> ...repeated over and over again.

> These entries are repeated at roughly five minute intervals
> continuously until the connection is manually hung up. If this goes
> unnoticed this could be for many days, resulting in a huge telephone
> bill....
> It appears that this is ISA calling the internet for 'WebContent'? in
> order to facilitate mail delivery at the scheduled time set using the
> initial ICW settings. Problem is it's doing this throughout the night
> even if we set the SMTP connector to only run, say, 7am to 11pm rather
> than 'always run'.

> It looks as if for the best part this is being caused by e-mail
> messages from the system postmaster getting stuck in the outbound mail
> queues.
> Sometimes one, sometimes two.
> Most of the ones that I have investigated so far have all been replies
> from the system postmaster to spammer mail addresses.
> However these messages do not appear to be adhering to the normal
> retry criteria. The stuck messages also seem to override the
> delivery schedule times set on the SMTP delivery service.
> Once the messages are removed with a 'send no NDR' from the queue and
> the line hung up manually (the line has to be hung up manually, it won't
> disconnect even after the messages are removed from the queues) the
> problem stops until the next time it occurs, usually within a few
> days or so.

> Also I have seen instances whereby users have inadvertently opened up
> spam e-mail in HTML carrying webpage-style advertisements; this then
> causes ISA to dial up to display the content of the message, but after
> the user closes the message the ISA server seems unable to hang up the
> connection and has to be manually disconnected. I've tested this one
> myself with one of the suspect messages and it would seem that some of
> the graphics in the page couldn't be found on the remote webserver;
> the message is then closed in Outlook on the client PC but the ISA server never
> disconnects and again has to be hung up manually.
> I'm also not sure whether the content of the messages or the
> advertising contained within is malformed or malicious and this is
> what causes the problem. We have AntiVirus installed at all sites
> and bang up to date with defs, regular scans and mail gateway scanners.
> All security patches and hotfixes bang up to date etc. etc.

> We have now started filtering the inbound messages using the SMTP
> filter in Exchange but this is proving very tedious to keep up to date
> and somewhat ineffective, as it would appear that nearly every time the
> server receives more spam e-mail it's nearly always from a new spam
> address. For the best part the users are as careful as they can be but
> it's difficult to adhere to a strict 'don't open it unless you know who
> it's from', especially if you are in the sales dept.

> I've had a look at the ISA feature pack but am unsure as to whether
> this can help with the situation. Any thoughts, anyone?

> Is there anything that I may have missed with regards to Exchange
> setup?
> We're not sending any NDRs on the filtering side.. undeliverable mail
> is not being NDR'd.

> It looks like other people are also experiencing this, having a look
> around.

> Anybody any thoughts on how to proceed? It's all beginning to become a
> bit of a pain to say the least.

> I know... 'unmetered' internet access springs to mind, but this isn't
> really solving the problem, is it, just going around it?

> Jim.



Persistent ISA dial-ups - stuck outbound mail ?

Post by Jim Smi » Thu, 08 May 2003 05:34:43


Covered that already, no NAV200x on the networks so no scheduled NAV
updates in local task schedulers, only NAVCorp clients deployed with
PC LiveUpdates disabled; updates are only through the SSC, which checks
just once a day. Have monitored this with no problems.
Yes, have had some 'Gator', 'Precision Time' etc. and 'data miners'
cause problems; am trying various third party apps to help to clear
these off, Adaware etc., which seem to be doing a fairly good job.
Guess the main issue is to block spam at the front door if possible, use RBLs
etc.?
Better use/understanding of the ISA firewall is probably a good area to
concentrate on, I guess.

Jim.


> I have seen this with Norton Anti Virus installed on the workstations. It
> was set to auto-update itself, and by default I think it is set to check
> every 5 minutes for updates. If you look at the workstations under scheduled
> tasks you would see a task set up for the Anti Virus. Also if you have any
> weather bugs or programs like that on the workstations it will do this also.
> Also I have seen this with Gator or any 3rd party programs that connect to
> the web and will cause the server to dial out, and then once dialled out the
> requests keep happening so the connection is never dropped.

> Roger Crawford
> HTS
