Monitoring Exchange 2010 for Spammers

When Exchange serves as your outward-facing transport server, either in the dedicated Edge role under 2010 or in a multi-role setup, finding out that you have a spammer on the inside has historically happened only when a blacklist notification arrives. What if we could catch the spammers in the act? What if we could stop the spam midstream? As a side benefit, you also get notified when mail is backing up for other reasons, e.g. a remote email provider being offline or a routing problem on your side.

$servername = Get-Content env:computername
# Fill in the sender, SMTP relay and recipient for your environment (placeholders)
$mail_sender = "$servername@yourdomain.example"
$mail_server = ""
$mail_recipient = ""
$mailreport_subject = "Script: $servername Message Queues"
#At what level do you want to be emailed?
$maxinqueue = 40
$body = ""

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

function SendEmailReport
{
    $msg = New-Object System.Net.Mail.MailMessage $mail_sender, $mail_recipient, $mailreport_subject, $body
    $client = New-Object System.Net.Mail.SmtpClient $mail_server
    $client.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $client.Send($msg)
}

# Check the queue once a minute for roughly half an hour, then exit and let the scheduled task start again
$i = 0
while($i -lt 29)
{
    $mymessages = Get-Message -ResultSize Unlimited
    #$mysenders  = $mymessages | Select-Object FromAddress
    # @() ensures .Count works even when only one message is queued
    if(@($mymessages).Count -gt $maxinqueue)
    {
        $body = "Warning the current queue on $servername has exceeded the queue count of $maxinqueue and is currently at " + @($mymessages).Count
        $body += "`r`n"
        $body += $mymessages | Out-String
        SendEmailReport
        $body = ""
    }
    $mymessages = $null
    Write-Host $i
    $i++
    Sleep 60
}

The $maxinqueue variable is the real trick: what number of messages in the queue is normal for your organization?

Then all that needs to be done is to configure a simple scheduled task, say one that runs every 30 minutes; the script loops internally so that the queue is checked once per minute within that 30 minute window.
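Once the queue alert fires, the next question is which sender is generating the mail. The following script is an added example, not code from the original post: it groups the queued messages by envelope sender, prints the top senders, and, only when $suspend is set to $true, suspends (does not delete) queued messages from any address over $perSenderLimit so the flow stops while the account is investigated. The threshold, the variable names and the use of Suspend-Message for containment are assumptions for this example.

```powershell
# Added example: report the top senders in the transport queue and optionally
# suspend mail from the worst offenders. Requires the Exchange 2010 snap-in.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$perSenderLimit = 25     # assumed: more queued messages than this from one address is suspicious
$suspend        = $false # assumed flag: set to $true to actually suspend the offending messages

function Get-TopQueuedSenders([int]$top = 10)
{
    # Get-Message returns one object per queued message; FromAddress is the envelope sender
    Get-Message -ResultSize Unlimited |
        Group-Object -Property FromAddress |
        Sort-Object -Property Count -Descending |
        Select-Object -First $top -Property Count, Name
}

$report = Get-TopQueuedSenders
$report | Format-Table -AutoSize

foreach ($sender in $report)
{
    if ($sender.Count -gt $perSenderLimit)
    {
        Write-Warning ("{0} has {1} messages queued" -f $sender.Name, $sender.Count)
        if ($suspend)
        {
            # Suspend rather than remove so legitimate mail can be resumed after review
            $addr = $sender.Name
            Suspend-Message -Filter "FromAddress -eq '$addr'" -Confirm:$false
        }
    }
}
```

Run it by hand when the queue alert arrives, or call it from the same scheduled task right after SendEmailReport; leave $suspend at $false until you are comfortable with the per-sender threshold for your environment.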

July 11, 2013 at 9:04 am

Backup Exec 2012 database cleanup

By default, Backup Exec 2012 installs a version of SQL Server 2005 Express Edition that is rather dated at this point. As time goes on the database grows, which eventually leads to errors like: “The Backup Exec Database has almost reached the 4-GB limit that is allowed for SQL Server Express Edition. To ensure that Backup Exec continues to function properly, either clean up the Backup Exec Database or upgrade to the full version of SQL Server.”, also known as V-287-13257.

To correct this there have been two trains of thought: one is to use the built-in BEUtility, the other is to modify the SQL database directly. I don’t view this as an either-or choice; I view it as "try this first, and if that doesn't work, try that".

First option: use BEUtility. Why? Because it uses the built-in methods provided by Symantec. Run the following options from the utility, in order:

1. Age database

2. Compact database

3. Repair database

4. Rebuild DB indices

5. Check DB consistency

The second option is to use SQL Server Management Studio to perform some cleanup manually. Usually the source of the problem is the BELog table, which can grow to gigabytes in size all by itself.

Let's check how many records are older than 6 months:

-- COUNT(*) counts every row; the original count(username) would skip rows with a NULL username
SELECT COUNT(*) FROM [BEDB].[dbo].[BELog] WHERE TimeStamp < DATEADD(month, -6, GETDATE());

In larger environments, don’t be surprised if it returns millions.

Now let's look at the rows and check whether any of this is still needed:

SELECT * FROM [BEDB].[dbo].[BELog] WHERE TimeStamp < DATEADD(month, -6, GETDATE());

Ok, now let's purge the logs older than 6 months. Take a backup of the database first; the delete is not reversible.

DELETE FROM [BEDB].[dbo].[BELog] WHERE TimeStamp < DATEADD(month, -6, GETDATE());
July 9, 2013 at 12:35 pm

IIS website performance tuning


Having some free time, I upgraded the underlying hardware running this site along with a few other things. The drive upgrades in particular helped a fair amount with processing time, but going back and remembering to configure output caching in IIS was a bigger help. In any event the site should load significantly faster for everyone. Since IIS output caching is not new by any means, below are some links covering the feature within IIS.

IIS.Net – Configuring IIS 7 Output Caching

IIS.Net Dynamic Content caching

Technet – Kernel-Mode caching

While this feature has been available for years, many IIS websites still haven’t taken advantage of it or of the other newer features.

July 2, 2013 at 7:18 pm

Clearing old Print Jobs

When Windows Server is used as a print server, the queues eventually begin to fill up over time. Print jobs are sent one day while a printer is offline, and days later, after the printer is turned back on, sometimes dozens of stale print jobs start coming out of it. The other issue this backlog of print jobs causes is that the print server slowly consumes disk space until, in some cases, it simply runs out. Here is a simple PowerShell script to clear up the stale print jobs.

# Anything submitted more than two days ago is considered stale
$TooOld = (Get-Date).AddDays(-2)
# TimeSubmitted is a WMI datetime string, so convert it before comparing
Get-WmiObject Win32_PrintJob | Where-Object { $_.ConvertToDateTime($_.TimeSubmitted) -lt $TooOld } | ForEach-Object { $_.Delete() }

This can be set up as a simple scheduled task so you never need to worry about the issue again.

June 25, 2013 at 11:41 am

Runaway process checking

Recently I ran into a PHP exhaustion issue on a Windows Server running IIS. In this scenario the php-cgi.exe process would keep spawning additional instances as load on the server increased, but over time the application pool would struggle and slow to a crawl. In the past I have seen other applications, during various iterations of development, run into the same pattern: more than “x” instances of an application means it is unhealthy, and fewer than “y” instances means it is not running properly.


$myprocess = "php-cgi"
$myserver = "WebServer"
# Fill in your domain, SMTP relay and recipient (placeholders)
$mydomain = ""
$mail_server = ""
$mail_recipient = ""
$toomany = 40
$waytoomany = 80

$mail_sender = "$myserver@$mydomain"
$mailreport_subject = "Script: $myserver $myprocess count"
$body = " "

function SendEmailReport
{
    $body = [string]::join([environment]::NewLine, ($body))
    $msg = New-Object System.Net.Mail.MailMessage $mail_sender, $mail_recipient, $mailreport_subject, $body
    $client = New-Object System.Net.Mail.SmtpClient $mail_server
    $client.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $client.Send($msg)
}

# @() ensures .Count works when zero or one instance is running
$mycount = @(Get-Process -Name $myprocess -ErrorAction SilentlyContinue).Count

if($toomany -lt $mycount)
{
    $body = "We have $mycount $myprocess processes, something is unusual."
    if($waytoomany -lt $mycount)
    {
        IISRESET /STOP
        IISRESET /START
        $body = "We have $mycount $myprocess processes, IIS has been reset."
    }
    SendEmailReport
}

In this case we send an email notification to the fictional “support team” when more than 40 instances of the php-cgi process are running, and if no one responds by the time 80 instances are reached, the site is automatically bounced to ensure its availability.

The simplest way to run the check is a Task Scheduler job that calls the script every 5 minutes; pretty simple, yet effective.
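The paragraph above mentions both failure modes, too many instances and too few, but the script only handles the first. The following is an added example, not code from the original post, that checks both thresholds and records the result in the Application event log so a monitoring agent or SIEM can alert on it without depending on email delivery. The thresholds, the event source name and the event IDs are assumptions; registering the event source requires an elevated session the first time.

```powershell
# Added example: classify a process count as Missing / Healthy / Runaway and
# write the result to the Application event log for a monitoring agent to pick up.
$processName = "php-cgi"
$minExpected = 1            # assumed: fewer than this means the app is not running
$maxExpected = 40           # assumed: more than this means the app is unhealthy
$source      = "ProcessWatch"   # assumed event source name

# Register the event source once (needs administrator rights the first time)
if (-not [System.Diagnostics.EventLog]::SourceExists($source))
{
    New-EventLog -LogName Application -Source $source
}

function Get-ProcessHealth([string]$name, [int]$min, [int]$max)
{
    # @() so .Count is valid for zero or one instance
    $count = @(Get-Process -Name $name -ErrorAction SilentlyContinue).Count
    if ($count -lt $min)     { $state = "Missing" }
    elseif ($count -gt $max) { $state = "Runaway" }
    else                     { $state = "Healthy" }
    New-Object PSObject -Property @{ Name = $name; Count = $count; State = $state }
}

$health = Get-ProcessHealth $processName $minExpected $maxExpected
$msg = "$($health.Name): $($health.Count) instance(s), state $($health.State)"

# Event IDs are arbitrary choices for this example; keep them stable so alerts can key on them
switch ($health.State)
{
    "Healthy" { Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information -Message $msg }
    "Missing" { Write-EventLog -LogName Application -Source $source -EventId 1001 -EntryType Error       -Message $msg }
    "Runaway" { Write-EventLog -LogName Application -Source $source -EventId 1002 -EntryType Warning     -Message $msg }
}
Write-Host $msg
```

Schedule it alongside the email script; an Error entry with ID 1001 tells you the application has died outright, which the email-only version would never report.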

May 11, 2013 at 7:30 am

Disabling DNS Recursion on Windows Server 2008 R2 and mitigation of DNS Amplification Attacks

Over the past year DNS amplification attacks have gotten worse, to the point that US-CERT issued a warning last month. With BIND DNS server installs on Linux and Unix a simple config change takes care of this issue; Microsoft’s DNS server implementation, however, lacks this basic functionality.

The problem is twofold on Windows if your internal clients also use the same recursive DNS servers as their forwarders. If so, the first step is to stand up a couple of basic forwarding DNS servers. For an additional level of security I would also suggest deploying conditional forwarders for the domains you are the root DNS server for, to reduce the possibility of spoofing (if not using DNSSEC), improve internal DNS performance, and keep internal DNS resolution working in the event your WAN link goes down.

The second step is the actual removal of recursion on your existing DNS servers, which the step by step instructions below take care of.

Load up DNS Management, right click on your DNS server and select properties.

Select the “Advanced” tab and check the box “Disable recursion (also disables forwarders)”.


Select “Apply”, then “OK”, and finally close out of the DNS management utility.

At this point we need to stop the DNS server service temporarily via “net stop dns”.

Now pull up Windows Explorer and navigate to %systemroot%\system32\dns. In this folder you’ll find a file called “cache.dns”. It contains the list of root hints, which stay active even though recursion is disabled, so rename this file to something like cache.dns.bak.

Lastly, start the DNS server back up with “net start dns”.

At this point, validate that recursion is really disabled using nslookup.

On a client system, open a command prompt, start nslookup, and point it at the server:

server my_non_recursive_dns_server_ip

A lookup of an external name should not return an IP address (unless you are Google), while a lookup of a name inside a zone hosted on the server should return an IP, assuming the DNS entry is located within that zone file.

With the above completed, you will no longer be a potential node in a DNS amplification attack.
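For servers you have to do this on more than once, the same steps can be scripted. The following is an added example, not from the original post: it disables recursion with dnscmd (the command-line equivalent of the "Disable recursion" checkbox), moves cache.dns aside across a service restart, and then performs the two nslookup checks described above against the local server. It assumes the DNS Server role is installed (which provides dnscmd.exe), an elevated session, and that the two host names are placeholders you replace with a name outside your zones and a name inside one of your zones.

```powershell
# Added example: scripted version of the manual steps, with validation.
$externalName = "www.example.com"          # placeholder: a name you are NOT authoritative for
$internalName = "host.yourzone.example"    # placeholder: a record in a zone this server hosts
$cacheFile    = Join-Path $env:SystemRoot "system32\dns\cache.dns"

# 1. Disable recursion (same setting as the Advanced tab checkbox)
& dnscmd.exe /Config /NoRecursion 1

# 2. Stop the service, move the root hints file aside, start the service again
Stop-Service DNS
if (Test-Path $cacheFile)
{
    Move-Item $cacheFile "$cacheFile.bak" -Force
}
Start-Service DNS

# 3. Validate by querying this server directly with nslookup.
function Test-Resolves([string]$name, [string]$server)
{
    $out = & nslookup.exe $name $server 2>&1 | Out-String
    # nslookup prints a "Name:" line only when the query returned an answer;
    # a refused or failed query prints "*** ... can't find ..." instead
    return ($out -match "(?m)^Name:")
}

$external = Test-Resolves $externalName "127.0.0.1"
$internal = Test-Resolves $internalName "127.0.0.1"

if ($external) { Write-Warning "Recursion still appears to work: $externalName resolved via this server." }
else           { Write-Host "OK: $externalName did not resolve, recursion is off." }

if ($internal) { Write-Host "OK: authoritative answer for $internalName still works." }
else           { Write-Warning "$internalName did not resolve; check that its zone is hosted here." }
```

The two checks together are the point: an external name failing on its own could just mean the server is down, so the internal name must still answer for the result to mean "recursion disabled, authoritative zones intact".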

April 10, 2013 at 12:55 pm
