Exchange Team Blog

What can cause huge amounts of transaction logs to show up?

May 10, 2004

We have seen a lot of cases where we get calls reporting that the number of transaction logs has grown exponentially in the last day or few days. This can cause big issues, especially if the disk housing the transaction logs is not big enough to accommodate this growth between online backups.


Here are a few things that are the first to blame for unusually large amounts of transaction logs:

  1. Online maintenance - yes, during online maintenance we move and shuffle data around within Exchange databases. That results in transactions, which in turn result in transaction logs being created. Of course, this log file growth would then happen mainly during the online maintenance period and not all day. In most cases this is not it, but it is a good thing to keep in mind.

  2. Public folder replication - we have seen many cases where a bunch of replicas for public folders were created on a specific server and then the transaction logs got "out of control". This is understandable, as the content has to actually arrive at the server, which will produce transactions. Sometimes administrators don't think to check this one or might not be aware of it, as the replica change is done in the public folder hierarchy, so some other administrator on some other server might do it without telling anyone. :) Yup, saw a few of those… Since public folder replication messages are sent from public store to public store, the way to find out if this is your problem is to open up the message tracking log (in Excel, for example) and sort it by recipients. Search for recipients with an address of "SERVERNAME-IS@domain.com", which is the proxy address that the public folder store gets by default.

  3. Looping messages - this one comes in different variations, but the bottom line is that messages are for some reason looping between the Exchange server and some other email system / server. The easiest way to figure this out is again through the message tracking log. Now, this log is not too "human-friendly" to read, but if you sort it by recipients you will be able to see if there is a specific mailbox or mailboxes that are getting a TON of email compared to others. SMTP logging might help too, as you will see the actual SMTP verbs, including who is sending messages to whom. Seeing that message looping is in many cases caused by rules (either on public folders or mailboxes), turning up Diagnostics Logging on rules for both private and public stores can help identify this problem too.

  4. Open relay - if your server is an open relay, there will be tons of transaction logs. You will also usually see a bunch of items in the BADMAIL folder. The key here is, of course, locking the server down so it is not an open relay anymore. :)

  5. Scanning the M: drive with file-level AV software - this is probably the most frequent culprit in this area and we have seen it a LOT… The bottom line is that scanning the M: drive with file-level antivirus software will actually modify those items in several ways. Item-level ACLs might change. The "Last Modified" time will change. This results in a sudden rush of MANY transaction logs while the AV software is scanning. If the scanning is scheduled on a daily basis, then it will happen every day, on the clock. Obviously, the way to stop it is to stop scanning the M: drive with file-level AV software.
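The message tracking log checks in items 2 and 3 above (sort by recipient, look for SERVERNAME-IS@ addresses and for mailboxes receiving far more than everyone else) can be scripted. The following is an added example, not code from the original post or from Microsoft; the tab-separated layout with a "# Fields:" header and the column name Recipient-Address are assumptions (the real field descriptions are in KB 246965, linked below), and the sample entries are constructed.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample log. The layout (a "# Fields:" header naming tab-separated columns, among
# them Recipient-Address) is an assumption for this example; the real fields are in KB 246965.
LOOP_LINES = "\n".join(
    f"2004-5-10\t9:{m:02d}:00\talice@contoso.example\t1019\tautoreply@othermail.example\t"
    + "RE: " * (m + 1) + "Out of office"  # an auto-reply answering itself, growing each round
    for m in range(12)
)
SAMPLE_LOG = """\
# Fields: Date\tTime\tRecipient-Address\tEvent-ID\tSender-Address\tMessage-Subject
2004-5-10\t8:00:00\tEXCH01-IS@contoso.example\t1019\tEXCH02-IS@contoso.example\tPF replication
2004-5-10\t8:05:00\tEXCH01-IS@contoso.example\t1019\tEXCH02-IS@contoso.example\tPF replication
2004-5-10\t8:10:00\tEXCH01-IS@contoso.example\t1019\tEXCH02-IS@contoso.example\tPF replication
2004-5-10\t8:30:00\tbob@contoso.example\t1019\tcarol@contoso.example\tLunch?
2004-5-10\t8:31:00\tcarol@contoso.example\t1019\tbob@contoso.example\tRE: Lunch?
""" + LOOP_LINES + "\n"

PF_STORE_ADDR = re.compile(r"^[^@\s]+-IS@", re.IGNORECASE)  # public store default proxy address

def parse_tracking_log(text):
    """Return one dict per entry, keyed by the column names from the '# Fields:' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("# Fields:"):
            fields = line[len("# Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # comment lines, blanks, or data before any header
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def recipient_counts(rows):
    """Entries per recipient: the 'sort by recipients' view the post describes."""
    return Counter(r["Recipient-Address"].lower() for r in rows)

def public_folder_replication(rows):
    """Recipients that are public store proxy addresses, i.e. replication traffic."""
    return {a: n for a, n in recipient_counts(rows).items() if PF_STORE_ADDR.match(a)}

def hot_recipients(rows, factor=5):
    """Mailboxes receiving far more than the median recipient: candidates for a mail loop."""
    counts = {a: n for a, n in recipient_counts(rows).items() if not PF_STORE_ADDR.match(a)}
    if not counts:
        return {}
    threshold = factor * median(counts.values())
    return {a: n for a, n in counts.items() if n > threshold}
```

On the sample, `public_folder_replication` reports the EXCH01-IS@ store address and `hot_recipients` singles out the mailbox caught in the auto-reply loop; on a real log, replace SAMPLE_LOG with the file contents and confirm the subjects before acting on the result.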


Some related KB articles:

246965 XADM: Message Tracking Logs Field Descriptions in Exchange 2000 Server
http://support.microsoft.com/?id=246965

257265 XCON: General Troubleshooting for Exchange 2000 Transport Issues
http://support.microsoft.com/?id=257265

310380 HOW TO: Prevent Exchange 2000 from Being Used as a Mail Relay in Windows
http://support.microsoft.com/?id=310380

324958 HOW TO: Block Open SMTP Relaying and Clean Up Exchange Server SMTP
http://support.microsoft.com/?id=324958

328841 XADM: Exchange and Antivirus Software
http://support.microsoft.com/?id=328841

- Nino Bilic

Updated Jul 01, 2019
Version 2.0
  • I'll add another to the list:

    Moving mailboxes from server to server.
  • And another: any client-induced process that gets cancelled. For example, a user attempts to import a large quantity of email from another account and the user is already over quota. Each import attempt will be cancelled by the server, but transaction logs will already have been created. If the user continues to attempt to import mail, it'll just result in more transaction logs being created.
  • Great points, Rick and Dave... both of those will definitely cause the log growth. The original list that I came up with are not necessarily the only reasons that will cause extensive transaction logging, but are the ones that we see the most in our calls :) I guess you ran into those 2 causes so - it will be interesting to see if there are some other cases that are more common too?
  • HOW TO: Remove the IFS Mapping for Drive M in Exchange 2000 Server
    http://support.microsoft.com/?id=305145

    I am surprised that this article is not already cross-referenced from every other article about the M: drive. It's gone by default in 2003 and it ought to be a Best Practice for every 2000 installation to remove it if they don't have a specific need for it.
  • Let's not forget PSTs! Moving a large amount of messages to a PST can create gobs[1] of logs.

    [1] That's a technical term.
  • Regarding SMTP Relay, if your Relay Restrictions are set to Only the List Below, which is blank, and you have checked, Allow authenticated computers to relay..., then I see the server as set to not relay. However, what if an authorized computer gets hit with a mass-mailing virus? Will it use the Exchange SMTP server to relay? Can it in that case or do those threats always use their own SMTP engines?
  • It's true that if your Relay Restrictions are set to Only the List Below, which is blank, and you have checked, Allow authenticated computers to relay, then your server is considered Closed for Relay.

    But there are other ways your server can be configured to become an Open Relay.
    For example, if you have an SMTP connector with an address space of *, and this check box is checked at the bottom: "Allow messages to be relayed to these domains", then this will make the server an Open Relay.

    Other common methods spammers / hackers use are enabled guest accounts and cracking the password for the Administrator account.

    Once the mail is accepted by one server, it can relay to other servers. Also, if one server (e.g., an SMTP gateway) becomes an Open Relay, it can relay mail to internal servers if there are internal recipients (just as an example). Or it can relay to other SMTP gateways, if it sees it as a better route.

    (thanks to Mohammad Nadeem for this info)
  • What are some of the best ways to tell if your servers have been hacked with mass mailing viruses?