
Mail Storm Detection Script

One of the common scenarios I have seen at customer locations is a customer's Exchange Transport servers having a very large volume of messages queued that don't seem to be processing. Even though the queues are in an Active state, they continue to grow and no warnings or errors are generated. This scenario is what we refer to as a Mail Storm.

A Mail Storm occurs when Exchange cannot process the mail it has already queued fast enough to also deal with the incoming load. The queues will show thousands of messages destined for a single recipient or for many recipients. You may see any or all of the following queues backed up: Submission, Local Delivery or Remote Delivery. The basic, overall symptom is that while you do see some mail processing, you also see these queues continue to grow. You can think of this as a situation where more load is put on an Exchange Server than it is designed to handle, i.e. an overloaded Exchange Server.

There are numerous things that can cause a Mail Storm. Here is a quick list of some of the more prevalent ones:

-A Spam attack or Open Relay within your Organization: Spammers aren't nice people. If you unwittingly leave an Open Relay and it is discovered, you can expect hundreds of thousands of spam messages to be bounced off your servers. Also, always make sure your Spam definitions are up to date on whatever type of prevention system you are using.

-A looping message: A misconfigured Outlook Rule, Contact or Transport configuration is often the cause. A quick look at the actual messages in the queue usually determines if this is the case.

-A Public Folder Replication Storm: In an Organization with a large number of Public Folders, if a new Public Folder Store is brought up with replicas added, then all of that data is going to be sent via email.

-An unknown internal application sending mass amounts of mail: Even in some of the best IT departments I have worked with, an eager developer can sometimes configure an application that starts flooding the Exchange Server.

I recently released a script that helps administrators identify Mail Storms. The script parses the Message Tracking Log files for the last 30 minutes from all requested HT (Hub Transport) servers and then generates a count of messages with the same Subject Line/Sender information. If the message count is above the threshold number defined in the script, the message details are sent to the Admins as part of a report.
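As an added illustration of the detection rule just described (this is not StormScript.ps1 and not Microsoft's code), here is a small Python parser that applies the same rule offline to message tracking log text: read the rows under the log's `#Fields:` header, keep only events from the last 30 minutes, group them by sender address and subject, and flag any group at or above a threshold. The sample log, the subset of columns in its header, the ISO 8601 timestamp format, the 09:10 "now" value and the choice to count only RECEIVE events (so a message that is received and then delivered is not counted twice) are all assumptions made for the example.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an Exchange message tracking log: comment
# lines start with '#', a '#Fields:' line names the columns, then one CSV row
# per transport event. Only a subset of the real columns is used, and the
# traffic (a looping auto-reply plus a little normal mail) is invented.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,source,event-id,message-id,recipient-address,message-subject,sender-address
2024-01-15T08:20:00.000Z,SMTP,RECEIVE,<old1@example.com>,bob@example.com,"Automatic reply: Invoice, March",noreply@example.com
2024-01-15T09:01:00.000Z,SMTP,RECEIVE,<m1@example.com>,bob@example.com,Quarterly numbers,alice@example.com
2024-01-15T09:01:00.500Z,STOREDRIVER,DELIVER,<m1@example.com>,bob@example.com,Quarterly numbers,alice@example.com
2024-01-15T09:02:00.000Z,SMTP,RECEIVE,<l1@example.com>,bob@example.com,"Automatic reply: Invoice, March",noreply@example.com
2024-01-15T09:02:01.000Z,SMTP,RECEIVE,<l2@example.com>,bob@example.com,"Automatic reply: Invoice, March",noreply@example.com
2024-01-15T09:02:02.000Z,SMTP,RECEIVE,<l3@example.com>,bob@example.com,"Automatic reply: Invoice, March",noreply@example.com
2024-01-15T09:02:03.000Z,SMTP,RECEIVE,<l4@example.com>,bob@example.com,"Automatic reply: Invoice, March",noreply@example.com
2024-01-15T09:02:04.000Z,SMTP,RECEIVE,<l5@example.com>,bob@example.com,"Automatic reply: Invoice, March",noreply@example.com
2024-01-15T09:05:00.000Z,SMTP,RECEIVE,<m2@example.com>,carol@example.com,Lunch?,alice@example.com
"""

# Assumed "current time" for the sample; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2024, 1, 15, 9, 10, tzinfo=timezone.utc)


def parse_tracking_log(text):
    """Return one dict per event row, keyed by the names in the '#Fields:' header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row found before the #Fields: header")
        # csv handles quoted subjects that contain commas
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def parse_timestamp(value):
    # Assumed format: 2024-01-15T09:02:00.000Z (UTC)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def count_by_sender_subject(rows, now, window=timedelta(minutes=30), event_id="RECEIVE"):
    """Count events of one type per (sender, subject) inside the window ending at `now`."""
    start = now - window
    counts = Counter()
    for row in rows:
        if row["event-id"] != event_id:
            continue
        ts = parse_timestamp(row["date-time"])
        if not (start <= ts <= now):
            continue
        key = (row["sender-address"].lower(), row["message-subject"])
        counts[key] += 1
    return counts


def find_mail_storms(rows, now, threshold, **kwargs):
    """Return {(sender, subject): count} for groups at or above the threshold."""
    counts = count_by_sender_subject(rows, now, **kwargs)
    return {key: n for key, n in counts.items() if n >= threshold}


def format_report(storms):
    """Plain-text summary of the kind an admin would receive."""
    lines = ["Mail storm candidates (messages in window, sender, subject):"]
    for (sender, subject), n in sorted(storms.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {n:5d}  {sender}  {subject!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    storms = find_mail_storms(parse_tracking_log(SAMPLE_LOG), SAMPLE_NOW, threshold=5)
    print(format_report(storms))
```

With a threshold of 5, the looping auto-reply is flagged with a count of 5: the sixth copy at 08:20 falls outside the 30-minute window and is ignored, and the ordinary messages never reach the threshold. On a live server the same grouping can be fed from the tracking log files of each Hub Transport server, with the threshold tuned to the organisation's normal volume so that legitimate bulk mail is not reported.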


Hope this helps…


StormScript.ps1