I've just successfully setup POP3 & SMTP services on my Win2003 Server box.
After these services are started, slowly but surely "inetinfo.exe" grabs as
much memory as it can.  This is strange as my server serves an extremely
small email user-base as well as a couple low-traffic sites.  When I look
into the Event Viewer I noticed that my server is getting hit pretty hard
with requests to send email (not my clients); both in-bound & out-bound
servers are password protected, so unless the user successfully
authenticates the request is rejected.  I have limited the number of
connections to my mailserver to "10" in an attempt to keep memory usage to a
minimum.  This seemed to slow the mad rush to usurp memory, but eventually
"inetinfo.exe" still walks away with a hefty chunk.  Is there any way to
limit this?

[ Post a follow-up to this message ]

Jonathan, if I understood you correctly someone is trying to relay through
your server.  Remote party makes connection to your smtp port and issues
(i.e.) RCPT TO:user@remote_domain.com.  Your server is closed for relay thus
rejects the command, but inteinfo still consumes memory.
If this is what you see there is not much you can do about it (due to the
nature of SMTP protocol), however, if the connection request comes from a
certain IP(s) you can black-list them.  This is not a solution though
because you can get under distributed attack...
I'm interested in how much memory increase you see (the numbers) both in VM
and physical (and working set) and how much RAM do you have.  Also at what
point (after what command) you see mem increse.  Limiting the number of
connections to 10 is not a good idea - malicious party can open 10
connections to your server and keep them alive by issuing NOOP every
x-min... Legit parties will not be able to make a connections to your
server, so you can treat this as self-inflicted DoS.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias.  This alias is for
newsgroup purposes only.
"Jonathan" <info@periglobal.com> wrote in message
news:ZnSYb.27456$ej7.24837@newssvr25.news.prodigy.com...
> I've just successfully setup POP3 & SMTP services on my Win2003 Server
box.
> After these services are started, slowly but surely "inetinfo.exe" grabs
as
> much memory as it can.  This is strange as my server serves an extremely
> small email user-base as well as a couple low-traffic sites.  When I look
> into the Event Viewer I noticed that my server is getting hit pretty hard
> with requests to send email (not my clients); both in-bound & out-bound
> servers are password protected, so unless the user successfully
> authenticates the request is rejected.  I have limited the number of
> connections to my mailserver to "10" in an attempt to keep memory usage to
a
> minimum.  This seemed to slow the mad rush to usurp memory, but eventually
> "inetinfo.exe" still walks away with a hefty chunk.  Is there any way to
> limit this?
>
>

[ Post a follow-up to this message ]

Alexander,

Here's some more information regarding my situation:


About 1 hour after SMTP/POP3 Services are started

Mem Usage
inetinfo.exe  173,380k
POP3Svc.exe     2,864k

Commit Charge: 437M / 1126M

Physical Memory
Total: 491,000k
Available: 42,668k
System Cache: 156,492k

Kernel Memory
Total: 63,608k
Paged: 46,512k
Non-Paged: 17,088k

Pagefile Usage: 440MB

(The numbers might be slightly off because I recorded them as they were
changing!)

All of the SMTP messages in the Event Viewer (1000's of them) are of the
following three types:

Event Type: Warning
Event Source: smtpsvc
Event Category: None
Event ID: 4000
Date:  2/18/2004
Time:  7:48:54 PM
User:  N/A
Computer: **********
Description:
Message delivery to the remote domain 'webrix.net' failed for the following
reason: Unable to bind to the destination server in DNS.


Event Type: Warning
Event Source: smtpsvc
Event Category: None
Event ID: 4006
Date:  2/18/2004
Time:  7:48:55 PM
User:  N/A
Computer: **********
Description:
Message delivery to the host '218.38.12.28' failed while delivering to the
remote domain 'infocall.com' for the following reason: The remote server did
not respond to a connection attempt.


Event Type: Warning
Event Source: smtpsvc
Event Category: None
Event ID: 4007
Date:  2/18/2004
Time:  7:48:55 PM
User:  N/A
Computer: **********
Description:
Message delivery to the host '69.73.164.217' failed while delivering to the
remote domain 'eag.com' for the following reason: The remote SMTP service
rejected AUTH negotiation.
The SMTP verb which caused the error is 'AUTH'.  The response from the
remote server is '250-nitrogen.nocdirect.com Hello
mail.xxxxxxxx.com[207.36.181.122]
250-SIZE 52428800
250-PIPEL'.


Thanks for you help!


-Jonathan


"Alexander Nikolayev [MSFT]" <alexni@online.microsoft.com> wrote in message
news:Ox52nln9DHA.2416@TK2MSFTNGP10.phx.gbl...
> Jonathan, if I understood you correctly someone is trying to relay through
> your server.  Remote party makes connection to your smtp port and issues
> (i.e.) RCPT TO:user@remote_domain.com.  Your server is closed for relay
thus
> rejects the command, but inteinfo still consumes memory.
> If this is what you see there is not much you can do about it (due to the
> nature of SMTP protocol), however, if the connection request comes from a
> certain IP(s) you can black-list them.  This is not a solution though
> because you can get under distributed attack...
> I'm interested in how much memory increase you see (the numbers) both in
VM
> and physical (and working set) and how much RAM do you have.  Also at what
> point (after what command) you see mem increse.  Limiting the number of
> connections to 10 is not a good idea - malicious party can open 10
> connections to your server and keep them alive by issuing NOOP every
> x-min... Legit parties will not be able to make a connections to your
> server, so you can treat this as self-inflicted DoS.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> Please do not send email directly to this alias.  This alias is for
> newsgroup purposes only.
> "Jonathan" <info@periglobal.com> wrote in message
> news:ZnSYb.27456$ej7.24837@newssvr25.news.prodigy.com... 
> box. 
> as 
look 
hard 
to
> a 
eventually 
>
>

[ Post a follow-up to this message ]

Alexander,

Ok...I've done a little bit more research.  Last night, "inetinfo.exe"
spiked at 225MB in memory, which crippled the websites on my server.  I
noticed that if I stop the SMTP service, "inetinfo.exe" shrinks to 22MB...so
the problem is certainly related to SMTP!  As far as logging goes, there's
something strange on my server...I am unable to set the "Active log format"
in the Virtual SMTP Server (the drop-down contains no items!)...all that I
am able to see is the basic command/responses.  I've started black-listing
IPs that appears a significant amount of times in the log.  Let me know if
you think of anything else.

Thanks a 1,000,000!

-Jonathan


"Jonathan" <info@periglobal.com> wrote in message
news:nUTYb.27485$9v.2847@newssvr25.news.prodigy.com...
> Alexander,
>
>     Here's some more information regarding my situation:
>
>
> About 1 hour after SMTP/POP3 Services are started
>
> Mem Usage
> inetinfo.exe  173,380k
> POP3Svc.exe     2,864k
>
> Commit Charge: 437M / 1126M
>
> Physical Memory
> Total: 491,000k
> Available: 42,668k
> System Cache: 156,492k
>
> Kernel Memory
> Total: 63,608k
> Paged: 46,512k
> Non-Paged: 17,088k
>
> Pagefile Usage: 440MB
>
> (The numbers might be slightly off because I recorded them as they were
> changing!)
>
> All of the SMTP messages in the Event Viewer (1000's of them) are of the
> following three types:
>
> Event Type: Warning
> Event Source: smtpsvc
> Event Category: None
> Event ID: 4000
> Date:  2/18/2004
> Time:  7:48:54 PM
> User:  N/A
> Computer: **********
> Description:
> Message delivery to the remote domain 'webrix.net' failed for the
following
> reason: Unable to bind to the destination server in DNS.
>
>
> Event Type: Warning
> Event Source: smtpsvc
> Event Category: None
> Event ID: 4006
> Date:  2/18/2004
> Time:  7:48:55 PM
> User:  N/A
> Computer: **********
> Description:
> Message delivery to the host '218.38.12.28' failed while delivering to the
> remote domain 'infocall.com' for the following reason: The remote server
did
> not respond to a connection attempt.
>
>
> Event Type: Warning
> Event Source: smtpsvc
> Event Category: None
> Event ID: 4007
> Date:  2/18/2004
> Time:  7:48:55 PM
> User:  N/A
> Computer: **********
> Description:
> Message delivery to the host '69.73.164.217' failed while delivering to
the
> remote domain 'eag.com' for the following reason: The remote SMTP service
> rejected AUTH negotiation.
>  The SMTP verb which caused the error is 'AUTH'.  The response from the
> remote server is '250-nitrogen.nocdirect.com Hello
> mail.xxxxxxxx.com[207.36.181.122]
> 250-SIZE 52428800
> 250-PIPEL'.
>
>
> Thanks for you help!
>
>
> -Jonathan
>
>
> "Alexander Nikolayev [MSFT]" <alexni@online.microsoft.com> wrote in
message
> news:Ox52nln9DHA.2416@TK2MSFTNGP10.phx.gbl... 
through 
> thus 
the 
a 
> VM 
what 
> rights. 
grabs 
extremely 
> look 
> hard 
out-bound 
usage
> to 
> eventually 
to 
>
>

[ Post a follow-up to this message ]

Jonathan, your SMTPSVC is definitely under a heavy load.  Your server does
not appear to be opened for relay, however, it could be that you have
compromised account(s) on your server that someone is taking advantage of.
Please check that you do not have GUEST account enabled and have no weak
passwords (including admin accounts) as well.  Run AV check to verify no
trojans/viruses on the box.  Do you know if anybody from your legit users is
actually sending mail to these domains (eag.com, nocdirect.com, etc)?  These
entries look suspicious.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias.  This alias is for
newsgroup purposes only.
"Jonathan" <info@periglobal.com> wrote in message
news:hx7Zb.27755$9k7.890@newssvr25.news.prodigy.com...
> Alexander,
>
>     Ok...I've done a little bit more research.  Last night, "inetinfo.exe"
> spiked at 225MB in memory, which crippled the websites on my server.  I
> noticed that if I stop the SMTP service, "inetinfo.exe" shrinks to
22MB...so
> the problem is certainly related to SMTP!  As far as logging goes, there's
> something strange on my server...I am unable to set the "Active log
format"
> in the Virtual SMTP Server (the drop-down contains no items!)...all that I
> am able to see is the basic command/responses.  I've started black-listing
> IPs that appears a significant amount of times in the log.  Let me know if
> you think of anything else.
>
> Thanks a 1,000,000!
>
> -Jonathan
>
>
> "Jonathan" <info@periglobal.com> wrote in message
> news:nUTYb.27485$9v.2847@newssvr25.news.prodigy.com... 
> following 
the 
> did 
> the 
service 
> message 
> through 
issues 
relay 
> the 
from
> a 
in 
> what 
of 
Server 
> grabs 
> extremely 
> out-bound 
> usage 
way
> to 
>
>

[ Post a follow-up to this message ]

Alexander,

I'm not exactly sure what I did, but it seems that inetinfo.exe now
consumes only 15-30MB!!!  I can now collect my hair and see if I can have it
transplanted back into my head.  Thanks for the help!


"Alexander Nikolayev [MSFT]" <alexni@online.microsoft.com> wrote in message
news:usKqi9z9DHA.2316@TK2MSFTNGP11.phx.gbl...
> Jonathan, your SMTPSVC is definitely under a heavy load.  Your server does
> not appear to be opened for relay, however, it could be that you have
> compromised account(s) on your server that someone is taking advantage of.
> Please check that you do not have GUEST account enabled and have no weak
> passwords (including admin accounts) as well.  Run AV check to verify no
> trojans/viruses on the box.  Do you know if anybody from your legit users
is
> actually sending mail to these domains (eag.com, nocdirect.com, etc)?
These
> entries look suspicious.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> Please do not send email directly to this alias.  This alias is for
> newsgroup purposes only.
> "Jonathan" <info@periglobal.com> wrote in message
> news:hx7Zb.27755$9k7.890@newssvr25.news.prodigy.com... 
"inetinfo.exe" 
> 22MB...so 
there's 
> format" 
I 
black-listing 
if 
were 
the 
> the 
server 
to 
> service 
the 
> issues 
> relay 
to 
> from 
though 
both
> in 
at 
> of 
your 
> Server 
I 
pretty 
of 
> way 
>
>

[ Post a follow-up to this message ]