IIS and SMTP - Win2003: SMTP causes inetinfo.exe to hog memory


Author Win2003: SMTP causes inetinfo.exe to hog memory
Jonathan

2004-02-18, 10:34 am

I've just successfully set up POP3 & SMTP services on my Win2003 Server box.
After these services are started, slowly but surely "inetinfo.exe" grabs as
much memory as it can. This is strange as my server serves an extremely
small email user-base as well as a couple low-traffic sites. When I look
into the Event Viewer I noticed that my server is getting hit pretty hard
with requests to send email (not my clients); both in-bound & out-bound
servers are password protected, so unless the user successfully
authenticates the request is rejected. I have limited the number of
connections to my mailserver to "10" in an attempt to keep memory usage to a
minimum. This seemed to slow the mad rush to usurp memory, but eventually
"inetinfo.exe" still walks away with a hefty chunk. Is there any way to
limit this?


Alexander Nikolayev [MSFT]

2004-02-18, 10:34 am

Jonathan, if I understood you correctly someone is trying to relay through
your server. Remote party makes connection to your smtp port and issues
(i.e.) RCPT TO:user@remote_domain.com. Your server is closed for relay thus
rejects the command, but inetinfo still consumes memory.
If this is what you see there is not much you can do about it (due to the
nature of SMTP protocol), however, if the connection request comes from a
certain IP(s) you can black-list them. This is not a solution though
because you can get under distributed attack...
I'm interested in how much memory increase you see (the numbers) both in VM
and physical (and working set) and how much RAM do you have. Also at what
point (after what command) you see mem increase. Limiting the number of
connections to 10 is not a good idea - malicious party can open 10
connections to your server and keep them alive by issuing NOOP every
x-min... Legit parties will not be able to make connections to your
server, so you can treat this as self-inflicted DoS.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for
newsgroup purposes only.
"Jonathan" <info@periglobal.com> wrote in message
news:ZnSYb.27456$ej7.24837@newssvr25.news.prodigy.com...
> I've just successfully setup POP3 & SMTP services on my Win2003 Server

box.
> After these services are started, slowly but surely "inetinfo.exe" grabs

as
> much memory as it can. This is strange as my server serves an extremely
> small email user-base as well as a couple low-traffic sites. When I look
> into the Event Viewer I noticed that my server is getting hit pretty hard
> with requests to send email (not my clients); both in-bound & out-bound
> servers are password protected, so unless the user successfully
> authenticates the request is rejected. I have limited the number of
> connections to my mailserver to "10" in an attempt to keep memory usage to

a
> minimum. This seemed to slow the mad rush to usurp memory, but eventually
> "inetinfo.exe" still walks away with a hefty chunk. Is there any way to
> limit this?
>
>



Jonathan

2004-02-18, 11:34 am

Alexander,

Here's some more information regarding my situation:


About 1 hour after SMTP/POP3 Services are started

Mem Usage
inetinfo.exe 173,380k
POP3Svc.exe 2,864k

Commit Charge: 437M / 1126M

Physical Memory
Total: 491,000k
Available: 42,668k
System Cache: 156,492k

Kernel Memory
Total: 63,608k
Paged: 46,512k
Non-Paged: 17,088k

Pagefile Usage: 440MB

(The numbers might be slightly off because I recorded them as they were
changing!)

All of the SMTP messages in the Event Viewer (1000's of them) are of the
following three types:

Event Type: Warning
Event Source: smtpsvc
Event Category: None
Event ID: 4000
Date: 2/18/2004
Time: 7:48:54 PM
User: N/A
Computer: **********
Description:
Message delivery to the remote domain 'webrix.net' failed for the following
reason: Unable to bind to the destination server in DNS.


Event Type: Warning
Event Source: smtpsvc
Event Category: None
Event ID: 4006
Date: 2/18/2004
Time: 7:48:55 PM
User: N/A
Computer: **********
Description:
Message delivery to the host '218.38.12.28' failed while delivering to the
remote domain 'infocall.com' for the following reason: The remote server did
not respond to a connection attempt.


Event Type: Warning
Event Source: smtpsvc
Event Category: None
Event ID: 4007
Date: 2/18/2004
Time: 7:48:55 PM
User: N/A
Computer: **********
Description:
Message delivery to the host '69.73.164.217' failed while delivering to the
remote domain 'eag.com' for the following reason: The remote SMTP service
rejected AUTH negotiation.
The SMTP verb which caused the error is 'AUTH'. The response from the
remote server is '250-nitrogen.nocdirect.com Hello
mail.xxxxxxxx.com[207.36.181.122]
250-SIZE 52428800
250-PIPEL'.


Thanks for your help!


-Jonathan


"Alexander Nikolayev [MSFT]" <alexni@online.microsoft.com> wrote in message
news:Ox52nln9DHA.2416@TK2MSFTNGP10.phx.gbl...
> Jonathan, if I understood you correctly someone is trying to relay through
> your server. Remote party makes connection to your smtp port and issues
> (i.e.) RCPT TO:user@remote_domain.com. Your server is closed for relay

thus
> rejects the command, but inteinfo still consumes memory.
> If this is what you see there is not much you can do about it (due to the
> nature of SMTP protocol), however, if the connection request comes from a
> certain IP(s) you can black-list them. This is not a solution though
> because you can get under distributed attack...
> I'm interested in how much memory increase you see (the numbers) both in

VM
> and physical (and working set) and how much RAM do you have. Also at what
> point (after what command) you see mem increse. Limiting the number of
> connections to 10 is not a good idea - malicious party can open 10
> connections to your server and keep them alive by issuing NOOP every
> x-min... Legit parties will not be able to make a connections to your
> server, so you can treat this as self-inflicted DoS.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no

rights.
> Please do not send email directly to this alias. This alias is for
> newsgroup purposes only.
> "Jonathan" <info@periglobal.com> wrote in message
> news:ZnSYb.27456$ej7.24837@newssvr25.news.prodigy.com...
> box.
> as
look[color=blue]
hard[color=blue]
to[color=blue]
> a
eventually[color=blue]
>
>



Jonathan

2004-02-19, 5:35 am

Alexander,

Ok...I've done a little bit more research. Last night, "inetinfo.exe"
spiked at 225MB in memory, which crippled the websites on my server. I
noticed that if I stop the SMTP service, "inetinfo.exe" shrinks to 22MB...so
the problem is certainly related to SMTP! As far as logging goes, there's
something strange on my server...I am unable to set the "Active log format"
in the Virtual SMTP Server (the drop-down contains no items!)...all that I
am able to see is the basic command/responses. I've started black-listing
IPs that appear a significant amount of times in the log. Let me know if
you think of anything else.

Thanks a 1,000,000!

-Jonathan


"Jonathan" <info@periglobal.com> wrote in message
news:nUTYb.27485$9v.2847@newssvr25.news.prodigy.com...
> Alexander,
>
> Here's some more information regarding my situation:
>
>
> About 1 hour after SMTP/POP3 Services are started
>
> Mem Usage
> inetinfo.exe 173,380k
> POP3Svc.exe 2,864k
>
> Commit Charge: 437M / 1126M
>
> Physical Memory
> Total: 491,000k
> Available: 42,668k
> System Cache: 156,492k
>
> Kernel Memory
> Total: 63,608k
> Paged: 46,512k
> Non-Paged: 17,088k
>
> Pagefile Usage: 440MB
>
> (The numbers might be slightly off because I recorded them as they were
> changing!)
>
> All of the SMTP messages in the Event Viewer (1000's of them) are of the
> following three types:
>
> Event Type: Warning
> Event Source: smtpsvc
> Event Category: None
> Event ID: 4000
> Date: 2/18/2004
> Time: 7:48:54 PM
> User: N/A
> Computer: **********
> Description:
> Message delivery to the remote domain 'webrix.net' failed for the

following
> reason: Unable to bind to the destination server in DNS.
>
>
> Event Type: Warning
> Event Source: smtpsvc
> Event Category: None
> Event ID: 4006
> Date: 2/18/2004
> Time: 7:48:55 PM
> User: N/A
> Computer: **********
> Description:
> Message delivery to the host '218.38.12.28' failed while delivering to the
> remote domain 'infocall.com' for the following reason: The remote server

did
> not respond to a connection attempt.
>
>
> Event Type: Warning
> Event Source: smtpsvc
> Event Category: None
> Event ID: 4007
> Date: 2/18/2004
> Time: 7:48:55 PM
> User: N/A
> Computer: **********
> Description:
> Message delivery to the host '69.73.164.217' failed while delivering to

the
> remote domain 'eag.com' for the following reason: The remote SMTP service
> rejected AUTH negotiation.
> The SMTP verb which caused the error is 'AUTH'. The response from the
> remote server is '250-nitrogen.nocdirect.com Hello
> mail.xxxxxxxx.com[207.36.181.122]
> 250-SIZE 52428800
> 250-PIPEL'.
>
>
> Thanks for you help!
>
>
> -Jonathan
>
>
> "Alexander Nikolayev [MSFT]" <alexni@online.microsoft.com> wrote in

message
> news:Ox52nln9DHA.2416@TK2MSFTNGP10.phx.gbl...
through[color=blue]
> thus
the[color=blue]
a[color=blue]
> VM
what[color=blue]
> rights.
grabs[color=blue]
extremely[color=blue]
> look
> hard
out-bound[color=blue]
usage[color=blue]
> to
> eventually
to[color=blue]
>
>



Alexander Nikolayev [MSFT]

2004-02-19, 10:35 am

Jonathan, your SMTPSVC is definitely under a heavy load. Your server does
not appear to be opened for relay, however, it could be that you have
compromised account(s) on your server that someone is taking advantage of.
Please check that you do not have GUEST account enabled and have no weak
passwords (including admin accounts) as well. Run AV check to verify no
trojans/viruses on the box. Do you know if anybody from your legit users is
actually sending mail to these domains (eag.com, nocdirect.com, etc)? These
entries look suspicious.

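Added example, not part of the original thread: one way to check whether legitimate users actually mail the domains in question is to tally the smtpsvc delivery-failure warnings (Event IDs 4000, 4006 and 4007, the three types pasted above) by remote domain and subtract the domains you expect. The sample text, its placeholder domains and addresses, and the `expected` allowlist are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: smtpsvc warnings in the Event Viewer text layout pasted in
# the thread. Domains and addresses are placeholders, not values from the thread.
SAMPLE = """\
Event ID: 4000
Description:
Message delivery to the remote domain 'bulk-a.example' failed for the
following reason: Unable to bind to the destination server in DNS.

Event ID: 4006
Description:
Message delivery to the host '192.0.2.10' failed while delivering to the
remote domain 'bulk-a.example' for the following reason: The remote server
did not respond to a connection attempt.

Event ID: 4007
Description:
Message delivery to the host '192.0.2.11' failed while delivering to the
remote domain 'partner.example' for the following reason: The remote SMTP
service rejected AUTH negotiation.
"""

DELIVERY_FAILURE_IDS = {"4000", "4006", "4007"}  # the three IDs seen in the thread
DOMAIN_RE = re.compile(r"remote\s+domain\s+'([^']+)'", re.I)

def failed_domains(text):
    """Count outbound delivery failures per remote domain."""
    counts = Counter()
    for record in re.split(r"\n\s*\n", text.strip()):
        event_id = re.search(r"^Event ID:\s*(\d+)", record, re.M)
        if not event_id or event_id.group(1) not in DELIVERY_FAILURE_IDS:
            continue
        # Descriptions wrap across lines, so the pattern allows any whitespace.
        domain = DOMAIN_RE.search(record)
        if domain:
            counts[domain.group(1).lower()] += 1
    return counts

def unexpected_domains(text, expected):
    """Failure counts for domains that no known local user is expected to mail."""
    expected = {d.lower() for d in expected}
    return {d: n for d, n in failed_domains(text).items() if d not in expected}

if __name__ == "__main__":
    # 'expected' is a hypothetical allowlist of domains local users really mail.
    for domain, n in sorted(unexpected_domains(SAMPLE, {"partner.example"}).items()):
        print(f"{n:4d} failed deliveries to {domain}")
```

A large count for a domain nobody on the server mails means the messages are being queued by something other than the known users, which is the situation the account and AV checks above are meant to rule out.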



Jonathan

2004-02-23, 2:33 pm

Alexander,

I'm not exactly sure what I did, but it seems that inetinfo.exe now
consumes only 15-30MB!!! I can now collect my hair and see if I can have it
transplanted back into my head. Thanks for the help!


"Alexander Nikolayev [MSFT]" <alexni@online.microsoft.com> wrote in message
news:usKqi9z9DHA.2316@TK2MSFTNGP11.phx.gbl...
> Jonathan, your SMTPSVC is definitely under a heavy load. Your server does
> not appear to be opened for relay, however, it could be that you have
> compromised account(s) on your server that someone is taking advantage of.
> Please check that you do not have GUEST account enabled and have no weak
> passwords (including admin accounts) as well. Run AV check to verify no
> trojans/viruses on the box. Do you know if anybody from your legit users

is
> actually sending mail to these domains (eag.com, nocdirect.com, etc)?

These
> entries look suspicious.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no

rights.
> Please do not send email directly to this alias. This alias is for
> newsgroup purposes only.
> "Jonathan" <info@periglobal.com> wrote in message
> news:hx7Zb.27755$9k7.890@newssvr25.news.prodigy.com...
"inetinfo.exe"[color=blue]
> 22MB...so
there's[color=blue]
> format"
I[color=blue]
black-listing[color=blue]
if[color=blue]
were[color=blue]
the[color=blue]
> the
server[color=blue]
to[color=blue]
> service
the[color=blue]
> issues
> relay
to[color=blue]
> from
though[color=blue]
both[color=blue]
> in
at[color=blue]
> of
your[color=blue]
> Server
I[color=blue]
pretty[color=blue]
of[color=blue]
> way
>
>


