2003 SMTP port seems to be sending out lots of data?!
Hi, I have a small office network with 3 users and a 2003 server with Exchange. My router shows that my server is consistently uploading data at 300-400kbps to the internet. I have had a play around with the Microsoft Network Monitor tool and believe the data was coming out of our SMTP port 25. I can confirm that if I stop the SMTP service this resolves the issue. I had a look at my SMTP email queue and there does not appear to be anything too out of the ordinary here - there are a couple of messages that are retrying from yesterday - one is 10MB, one is 5MB. Strangely, if I click 'Disable outbound email' from the queue in the server manager this does not seem to reduce the bandwidth. This must mean either: a) the emails are stuck in retry and are in some sort of loop which is not being stopped when clicking 'disable outbound email', or b) something else is being sent by my SMTP server service which is not in the queue (maybe some sort of spam bot or something?). I am not sure if this is even possible? Any help or suggestions from pro would be amazing, thanks in advance
September 8th, 2011 11:19am

Enable smtp protocol logging: http://support.microsoft.com/kb/265139 and see what that tells you.
September 8th, 2011 11:30am

Hi there, thank you very much for your response. Funnily enough I had enabled 'Subject logging and display' & 'Message tracking' this morning when I was trying to figure this out myself. I have now also enabled SMTP protocol logging on maximum. I have had a look at the log and I don't think I see any SMTP errors. What I have noticed that may be out of the ordinary is that every email seems to be logged 6 times, all at exactly the same time. Is this weird? Could this be the issue? Am I looking at the right thing if I do not see any SMTP errors? Sorry for all the questions, thanks in advance. EDIT - it is probably also worth noting that the SMTP queue is now at 0 but bandwidth is still at 200kbps... So no idea what it is trying to send.
September 8th, 2011 12:06pm

Check task manager for any processes you don't recognize and use netstat or tcpview from sysinternals to see what's making those connections.
September 8th, 2011 12:28pm

OK, thanks for the above help. I had a look at processes and connections and could not see anything out of the ordinary. Please note that as per my OP, if I disable the SMTP service in services.msc then this makes the problem go away, so I presume the connection is going through the SMTP service via port 25. I have got everyone to stop sending emails from the office and the SMTP queue is now empty. However my server is still streaming data at 33KB/s (its max). Is there any way that I can find out what my SMTP service is trying to transmit? Thanks. EDIT: please note that if I pause the SMTP service it does not stop the data being transmitted, it only stops it if I stop the service completely...
September 9th, 2011 5:26am

Do you have any other application that may be sending out email? What do the SMTP logs show? (Protocol Logging)? Sukh
September 9th, 2011 6:38am

OK guys, so the problem I think is this: there are 2 emails that the SMTP log shows the system is trying to send. I believe they are both about 10MB in size and I don't think the recipient server will receive them because of their size. The problem is that the SMTP queue says that the emails have been deleted, i.e. they are not showing up in the queue. Note that the connector still shows the connection to the server it is trying to send to, but there are no emails when you double click and click 'find emails'. This make sense? These 2 emails are showing up in the SMTP log repeatedly. Question: how do I delete these emails when they are not showing up in the SMTP queue? Thanks
September 9th, 2011 7:28am

Try going to the C:\program files\exchsrvr\mailroot\vsi 1\queue folder (off the top of my head). You should see subfolders; see if the message is in there, and delete it if it is.
Sukh
September 9th, 2011 7:46am

If they are not showing in the queue it could be because they are in the temp table and stuck; if so, delete them using mfcmapi.
Using MFCMAPI To Delete Exchange Temp Table http://msexchangetips.blogspot.com/2006/08/using-mfcmapi-to-delete-exchange-temp.html
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 9th, 2011 11:13am

There is a bit of sense that you may have an open relay here. SMTP traffic can be sent via the Exchange server via SMTP, and if it's "OPEN" there is no authentication required. Under your SMTP settings (under Protocols) for that server, double check the relay settings. That can be set to accept any and it could be a spambot or virus that has found its way out. This 10 meg message, is it going to the same address always? And do you know what that address is? It may also be worth asking the user sending the message. If you have the message logging, it should tell you sender and recipients.
September 12th, 2011 5:33pm
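
The two checks suggested in this thread (reading the SMTP protocol log for what is being sent, and checking for open-relay use) can be run over the log in one pass. The following is an added example, not code from any poster: the sample log is constructed, `LOCAL_DOMAINS` is a placeholder for the domains the server hosts, and it assumes a W3C extended log whose `#Fields:` header includes the columns used and which marks the server's own outbound sessions with `OutboundConnectionCommand` in `cs-username`.

```python
import re
from collections import Counter

LOCAL_DOMAINS = {"office.example"}   # assumption: mail domains hosted on this server
ADDR = re.compile(r"<([^>]*)>")      # address inside MAIL FROM:<...> / RCPT TO:<...>

# Constructed sample log (documentation IP ranges and example domains only).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2011-09-09 06:10:00 192.0.2.10 - MAIL +FROM:<alice@office.example> 250
2011-09-09 06:10:01 192.0.2.10 - RCPT +TO:<bob@partner.example> 250
2011-09-09 06:11:00 198.51.100.7 - MAIL +FROM:<promo@bulk.example> 250
2011-09-09 06:11:01 198.51.100.7 - RCPT +TO:<someone@elsewhere.example> 250
2011-09-09 06:11:02 198.51.100.7 - RCPT +TO:<carol@office.example> 250
2011-09-09 06:12:00 203.0.113.5 OutboundConnectionCommand MAIL FROM:<alice@office.example> 0
2011-09-09 06:22:00 203.0.113.5 OutboundConnectionCommand MAIL FROM:<alice@office.example> 0
2011-09-09 06:32:00 203.0.113.5 OutboundConnectionCommand MAIL FROM:<alice@office.example> 0
"""

def parse(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def address(query):
    m = ADDR.search(query)
    return m.group(1).lower() if m else ""

def is_local(addr):
    return addr.rpartition("@")[2] in LOCAL_DOMAINS

def analyse(text):
    sender = {}          # last MAIL FROM address seen per inbound client IP
    relayed = Counter()  # client IP -> accepted RCPTs with external sender AND recipient
    retries = Counter()  # (remote IP, sender) -> outbound MAIL commands issued
    for r in parse(text):
        ip, verb = r["c-ip"], r["cs-method"].upper()
        addr = address(r["cs-uri-query"])
        if r["cs-username"].startswith("OutboundConnection"):
            if verb == "MAIL" and r["cs-username"].endswith("Command"):
                retries[(ip, addr)] += 1
        elif verb == "MAIL":
            sender[ip] = addr
        elif verb == "RCPT" and r["sc-status"] == "250":
            if not is_local(sender.get(ip, "")) and not is_local(addr):
                relayed[ip] += 1
    return relayed, retries

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A non-empty `relayed` counter means the server accepted mail from an outside sender for an outside recipient, which is what an open relay looks like in the log; a high count in `retries` for one sender and remote IP matches the repeated-delivery pattern described earlier in the thread.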

This topic is archived. No further replies will be accepted.
