Mark Minasi's Reader Forum - sbs-server log file growing rapidly

Mark Minasi's Reader Forum

Username:	Password:
Save Password
Forgot your Password?

All Forums

HALP! Questions on Windows and Windows Server

Small Business Server

sbs-server log file growing rapidly

New Topic

Reply to Topic

Printer Friendly

Author

Topic

RichieP
Seasoned But Casual Onlooker

95 Posts
Status: offline

Posted - 06/20/2012 : 6:38:23 PM

I have a customer with sbs 2003.

Their server is suddenly running out of disk space. I'e tracked it down to a log file in sbs-server.log filder in Exchsrvr which is still on c:

I moved one of these files that was over 3gb,after having to kill loads of processes before it allowed me.

I rebooted and the file is growing as I watch it, at almost 1MB per minute.

What's suddenly causing this?

Thanks
Richie

cj_berlin
Honorable But Hopeless Addict

Germany
3966 Posts
Status: offline

Posted - 06/21/2012 : 02:26:21 AM

Richie,

those are email logs. The most likely place to find clues is the log itself. Might be a virus or a spam storm, or even a corrupted mail in the queue...

FWIW

Evgenij Smirnov

Jazzy
Administrator

Netherlands
1949 Posts
Status: online

Posted - 06/21/2012 : 04:15:08 AM

To be more specific, these are message tracking logs. It's safe to delete or move them to a different location. Before you do that you could use the message tracking center to find out why there's such a high volume of messages flowing through your server.

Jetze Mellema

Exchange specialist
Former MVP (2005-2012)
My blog: http://jetzemellema.blogspot.com (Dutch)
My company: http://www.imara-ict.nl/

RichieP
Seasoned But Casual Onlooker

95 Posts
Status: offline

Posted - 06/21/2012 : 08:49:27 AM

Thanks for the replies

I can't open the file because it tells me it's too big for Notepad.

There are 1000s of emails with the subject My Greeting in the list when I track everything sent from midnight. This is obviously what's causing it.

How do I block this message or remove it?

This server is using POP3 connector.

Cheers
Richie

don2007
Honorable But Hopeless Addict

1992 Posts
Status: offline

Posted - 06/25/2012 : 12:25:48 AM

Do the headers of the My Greeting emails show the same source IP address? If they do, you maybe able to create a firewall rule set.

Dyslexic people untie.

RichieP
Seasoned But Casual Onlooker

95 Posts
Status: offline

Posted - 06/25/2012 : 3:52:43 PM

Hi Don

I can see the messages in message tracker, but how do I view the headers? I think something is using the server for spam but I've run TDSS Killer, Malwarebytes and Hitman Pro but only TDSS identifies a suspect service which I'm reluctant to delete as it's the same as a valid service for licensing.

RichieP
Seasoned But Casual Onlooker

95 Posts
Status: offline

Posted - 06/27/2012 : 5:36:16 PM

Just to let people know that it turned out to be a NDR attack. 1000's of postmaster messages waiting to go out were clogging up the server and the log file was growing massive logging it.

I followed the instructions http://support.microsoft.com/kb/886208 to clean up the queues.

I've disabled NDRs being sent, but anyone know of any other ways to prevent it in future?

Thanks
Richie

don2007
Honorable But Hopeless Addict

1992 Posts
Status: offline

Posted - 06/29/2012 : 7:19:49 PM

http://support.microsoft.com/?kbid=909005

That's another KB article. I don't know if it's what you want.

Dyslexic people untie.

Edited by - don2007 on 06/29/2012 7:21:37 PM

RichieP
Seasoned But Casual Onlooker

95 Posts
Status: offline

Posted - 07/04/2012 : 3:56:32 PM

Hi Don

Thanks for the link. Can this also be done in Exchange 2010 at all?

don2007
Honorable But Hopeless Addict

1992 Posts
Status: offline

Posted - 07/13/2012 : 12:32:40 PM

That KB article was written before Exchange 2010 was released. I don't see why there would be a problem.

Dyslexic people untie.

Topic

New Topic

Reply to Topic

Printer Friendly

Jump To:

Mark Minasi's Reader Forum

This page was generated in 0.14 seconds.

Snitz Forums 2000