
Serious outbound issues on our IronPorts devices

Mate90_ironport
Level 1

                         Active   Conn.     Deliv.       Soft       Hard
  #  Recipient Host      Recip.     Out     Recip.    Bounced    Bounced

  1  yahoo.com.tw       296,187       3      9,084    672,645    108,519
  2  yahoo.com          170,347      97      1,494  1,061,564    146,601
  3  msa.hinet.net       24,168       5     10,516      2,706     36,246
  4  yahoo.com.hk         8,703      44        202    554,580     81,973
  5  seed.net.tw          3,272       0          0          0     17,526

  6* iclubs.com.tw        2,013       0          0          0        796
  7* ms32.hinet.net       1,656       0        262        101      8,850
  8* ms24.hinet.net       1,620       0        360         84        644
  9* ms29.hinet.net       1,605       0        309         54     10,568
 10* ms27.hinet.net       1,578       0        324         70      9,117

 11* ms26.hinet.net       1,557       0        517        126      8,599
 12* umail.hinet.net      1,545       0      1,109        778          0
 13* ms22.hinet.net       1,517       0        272         56      7,897
 14* ms25.hinet.net       1,514       0        195         54      9,223
 15* ms31.hinet.net       1,510       0        242         67      8,828

 16* ms8.hinet.net        1,488       0        351         77      7,194
 17* ms49.hinet.net       1,426       0        291         44      8,649
 18* ms7.hinet.net        1,414       0        175         63      8,217
 19* ms17.hinet.net       1,411       0        181         46      6,095
 20* ms21.hinet.net       1,402       0        259         64        888

It seems some virus is shooting spam to the outside through the internal network to the Exchange box and ultimately to the IronPort devices. This has affected the performance of the IronPort devices, more so as they are in a cluster of two machines. Is anybody there who could help at least have the IronPort drop this spam before it goes into its work queue?

1 Reply 1

kluu_ironport
Level 2

See it's not coming in via a RELAYLIST sendergroup, you can use LDAP and then set it to drop emails going to invalid recipients. Also, bounce verification will help prevent invalid bounces from coming into your Ironport appliance.

Also, you may need to do some investigation work and grep for the IP/hostname of the connecting server for "yahoo.com.tw" and "*.hinet.net". See where this is coming from. If you can't get that information, you may need to enable injection logs to see more detailed information (i.e. Received headers).



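The log correlation suggested in the reply, as an added example that is not part of the original thread: it joins each recipient line to its injection connection (ICID) to show which connecting host and sender group is injecting mail for the busy recipient domains. It assumes exported text mail_logs in the usual AsyncOS ICID/MID/RID layout; the sample lines, addresses and the names `top_injectors` and `watched` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed mail_logs layout (not from the thread).
SAMPLE_LOG = """\
Tue Mar  4 10:00:01 2008 Info: New SMTP ICID 101 interface Data1 (192.0.2.10) address 10.1.1.25 reverse dns host exch01.example.local verified no
Tue Mar  4 10:00:01 2008 Info: ICID 101 RELAY SG RELAYLIST match 10.1.1.25 SBRS not enabled
Tue Mar  4 10:00:02 2008 Info: Start MID 5001 ICID 101
Tue Mar  4 10:00:02 2008 Info: MID 5001 ICID 101 RID 0 To: <a@yahoo.com.tw>
Tue Mar  4 10:00:02 2008 Info: MID 5001 ICID 101 RID 1 To: <b@ms32.hinet.net>
Tue Mar  4 10:00:02 2008 Info: MID 5001 ICID 101 RID 2 To: <c@example.org>
Tue Mar  4 10:00:03 2008 Info: MID 5002 ICID 101 RID 0 To: <d@msa.hinet.net>
Tue Mar  4 10:00:04 2008 Info: New SMTP ICID 102 interface Data1 (192.0.2.10) address 203.0.113.7 reverse dns host unknown verified no
Tue Mar  4 10:00:04 2008 Info: ICID 102 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 0.0
Tue Mar  4 10:00:05 2008 Info: MID 5003 ICID 102 RID 0 To: <e@umail.hinet.net>
"""

NEW_ICID = re.compile(r"New SMTP ICID (\d+) interface \S+ \(\S+\) address (\S+)")
SG = re.compile(r"ICID (\d+) (?:ACCEPT|RELAY|REJECT|TCPREFUSE) SG (\S+)")
RCPT = re.compile(r"MID \d+ ICID (\d+) RID \d+ To: <[^@>]+@([^>]+)>")

def watched(domain, suffixes):
    """True if domain equals a watched suffix or is a subdomain of it."""
    domain = domain.lower()
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def top_injectors(log_text, suffixes=("yahoo.com.tw", "hinet.net")):
    """Count watched-domain recipients per (connecting IP, sender group)."""
    addr, group, hits = {}, {}, Counter()
    for line in log_text.splitlines():
        if m := NEW_ICID.search(line):
            addr[m.group(1)] = m.group(2)       # ICID -> connecting IP
        elif m := SG.search(line):
            group[m.group(1)] = m.group(2)      # ICID -> matched sender group
        elif (m := RCPT.search(line)) and watched(m.group(2), suffixes):
            icid = m.group(1)
            # "unknown" covers connections opened before the log excerpt starts
            hits[(addr.get(icid, "unknown"), group.get(icid, "unknown"))] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (ip, sg), count in top_injectors(SAMPLE_LOG):
        print(f"{count:>8}  {ip:<16} {sg}")
```

A source that dominates the count and matches RELAYLIST is an internal host relaying through the appliance, which is the case the reply's LDAP recipient check does not cover.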