
GroupWise 8 SLES

So... my email server's send queue is currently at 20,000+ emails and growing. Log files are full of this type of thing:

18:48:14 840 MSG 1401510 Converting message to SMTP: /mail/pidom/wpgate/gwialnx/send/xe666aee.401
18:48:14 376 MSG 1401512 Processing inbound message: /mail/pidom/wpgate/gwialnx/receive/92dd56e4.631
18:48:14 376 MSG 1401512 Sender: test@petrovis.net
18:48:14 376 MSG 1401512 Recipient: jabbundi@lycos.com
18:48:14 376 MSG 1401512 Recipient: jabc@myway.com
18:48:14 376 MSG 1401512 Recipient: jabdel@aol.com
18:48:14 376 MSG 1401512 Recipient: jabdmn@hotmail.com
18:48:14 376 MSG 1401512 Recipient: jabdolrahimi@aol.com
18:48:14 376 MSG 1401512 Recipient: jabdta@aol.com
18:48:14 376 MSG 1401512 Recipient: jabdulhamid@hotmail.com
18:48:14 376 MSG 1401512 Recipient: jabdulrazque@yahoo.com
18:48:14 376 MSG 1401512 Recipient: jabeardslee@aol.com
18:48:14 376 MSG 1401512 Recipient: jabedini@yahoo.com
18:48:14 376 MSG 1401512 Recipient: jabeebe@aol.com
18:48:14 376 MSG 1401512 Recipient: jabeef@aol.com
.......

Port 25 on the firewall is set up to allow connections only from our anti-spam provider (Postini).

My question is, how do I find out where these messages are originating, and how do I stop them?

Tom Studee

1 Answer


You let them get sent (just a few), then look at the email's "original text" if your server supports archiving mail. Look in the queue files if possible to see if you can actually read the mails before they get sent. I mean, depending on how important the mail server is, shut it down for a few minutes and note who connects to it when it comes online again. Even better, disallow use of it outside the domain. That will put an end to the issue for good.

U4iK_HaZe
  • Thanks... I was able to see the originating IPs in the headers and block them at the firewall. – Tom Studee Sep 07 '11 at 14:35
  • @TomStudee Even if you solved the problem, your solution is a bad solution. The next IP will exploit the same security hole. You have to secure your server to deny relaying. – mailq Sep 07 '11 at 18:51
  • @mailq: I'm aware. We just moved to a cloud-based spam solution, and by "block them at the firewall" I meant block everyone that isn't in our provider's IP range :) So no... not a 'bad' solution. – Tom Studee Sep 08 '11 at 22:17