Looking after a number of SBS2K sites I'm beginning to notice an ever
increasing number of sites which are experiencing their ISA dial-up
being constantly connected for days and days at a time.
Here in the UK that equates to your telephone bill being delivered to
you in a large box.....
On closer inspection, looking at the ISA log files etc., the following
log entries appear to be common in all these cases:
10.0.0.2 anonymous wininet 2003-04-09 06:01:25 SERVER01 -.com - 80 12265 134 -http GET http://.com/ Inet 11001
127.0.0.1 anonymous wininet 2003-04-09 06:01:30 SERVER01 - .com - 80 4578 134 -http GET http://.com/ Inet 11001
repeated over and over.
These entries are repeated at roughly five-minute intervals
continuously until the connection is manually hung up. If this goes
unnoticed this could be for many days, resulting in a huge telephone
It appears that this is ISA calling the internet for 'WebContent'? in
order to facilitate mail delivery at the scheduled time set using the
initial ICW settings. Problem is it's doing this throughout the night
even if we set the SMTP connector to only run, say, 7am to 11pm rather
than 'always run'.
It looks as if for the best part that this is being caused by e-mail
messages from the system postmaster getting stuck in the outbound mail
Sometimes one, sometimes two.
Most of the ones that I have investigated so far have all been replies
from the system postmaster to spammer mail addresses.
However, these messages do not appear to be adhering to the normal
retry criteria. Also, the stuck messages seem to override the
delivery schedule times set on the SMTP delivery service.
Once the messages are removed with a 'send no NDR' from the queue and
the line hung up manually (the line has to be hung up manually; it won't
disconnect even after the messages are removed from the queues), the
problem stops until the next time it occurs, usually within a few
days or so.
Also, I have seen instances whereby users have inadvertently opened up
spam e-mail in HTML carrying webpage-style advertisements; this then
causes ISA to dial up to display the content of the message, but after
the user closes the message the ISA server seems unable to hang up the
connection and has to be manually disconnected. I've tested this one
myself with one of the suspect messages and it would seem that some of
the graphics in the page couldn't be found on the remote webserver; the
message is then closed in Outlook on the client PC but the ISA server never
disconnects and again has to be hung up manually.
I'm also not sure whether the content of the messages or the
advertising contained within is malformed or malicious and this is
what causes the problem. We have AntiVirus installed at all sites,
bang up to date with defs, regular scans and mail gateway scanners.
All security patches and hotfixes bang up to date etc. etc.
We have now started filtering the inbound messages using the SMTP
filter in Exchange, but this is proving very tedious to keep up to date
and somewhat ineffective, as it would appear that nearly every time the
server receives more spam e-mail it's nearly always from a new spam
address. For the best part the users are as careful as they can be, but
it's difficult to adhere to a strict 'don't open it unless you know who
it's from', especially if you are in the sales dept.
I've had a look at the ISA feature pack but am unsure as to whether
this can help with the situation. Any thoughts, anyone?
Is there anything that I may have missed with regards to exchange
We're not sending any NDRs on the filtering side.. undeliverable mail
not being NDR'd
It looks like other people are also experiencing this, having a look
Anybody any thoughts on how to proceed? It's all beginning to become a
bit of a pain to say the least.
I know... 'unmetered' internet access springs to mind, but this isn't
really solving the problem, is it, just going around it?
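As an added example (not from the original post), a small Python script that flags the pattern described above in ISA Web Proxy logs: the same client re-requesting the same URI at roughly five-minute intervals without ever succeeding, which is the sign of a dial-on-demand line being held up. It assumes the quoted entries are whitespace-separated ISA Web Proxy log fields; the sample lines are constructed with a placeholder host where the post elides it, and the 11001 status they carry is the Winsock "host not found" code.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the ISA Web Proxy log layout quoted above. The
# destination host is a placeholder (the original post elides it); status
# 11001 is Winsock WSAHOST_NOT_FOUND, i.e. the lookup never succeeds.
SAMPLE_LOG = """\
10.0.0.2 anonymous wininet 2003-04-09 06:01:25 SERVER01 - example.invalid - 80 12265 134 - http GET http://example.invalid/ Inet 11001
127.0.0.1 anonymous wininet 2003-04-09 06:01:30 SERVER01 - example.invalid - 80 4578 134 - http GET http://example.invalid/ Inet 11001
10.0.0.2 anonymous wininet 2003-04-09 06:06:25 SERVER01 - example.invalid - 80 12301 134 - http GET http://example.invalid/ Inet 11001
127.0.0.1 anonymous wininet 2003-04-09 06:06:30 SERVER01 - example.invalid - 80 4601 134 - http GET http://example.invalid/ Inet 11001
10.0.0.2 anonymous wininet 2003-04-09 06:11:25 SERVER01 - example.invalid - 80 12288 134 - http GET http://example.invalid/ Inet 11001
10.0.0.5 jsmith mozilla 2003-04-09 06:02:10 SERVER01 - www.example.net 192.0.2.10 80 320 512 2048 http GET http://www.example.net/index.html Inet 200
"""


def parse_isa_line(line):
    """Split one log line into the fields this check needs, or None if short.
    Field order assumed: client IP, user, agent, date, time, server, referrer,
    dest host, dest IP, dest port, time-taken, bytes sent, bytes received,
    protocol, method, URI, object source, status."""
    f = line.split()
    if len(f) < 18:
        return None
    return {
        "client": f[0],
        "when": datetime.strptime(f[3] + " " + f[4], "%Y-%m-%d %H:%M:%S"),
        "uri": f[15],
        "status": f[17],
    }


def find_periodic_retries(log_text, min_hits=3, period_s=300, tolerance_s=60):
    """Group requests by (client, URI) and report groups that recur at about
    period_s seconds and never get a success status. Returns a dict keyed by
    (client, uri) with hit count, median gap and the statuses seen."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_isa_line(line)
        if rec:
            groups[(rec["client"], rec["uri"])].append(rec)
    findings = {}
    for key, recs in groups.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if abs(median(gaps) - period_s) > tolerance_s:
            continue  # not the steady retry cadence we are looking for
        if any(r["status"] in ("200", "304") for r in recs):
            continue  # at least one attempt succeeded, so it is not stuck
        findings[key] = {"hits": len(recs), "median_gap_s": median(gaps),
                         "statuses": sorted({r["status"] for r in recs})}
    return findings


if __name__ == "__main__":
    for (client, uri), info in find_periodic_retries(SAMPLE_LOG).items():
        print(f"{client} -> {uri}: {info}")
```

Run against a day of logs, the output names the client and URI that keep pulling the line up; the client address (an internal host or the server's own 127.0.0.1) tells you whether it is a user's mail client or a process on the server itself.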