Tyler Tech
SMTP Queue's filling up

We are running Exchange 2000. Our SMTP queues are filling up with what looks like spam. We are set up not to relay, and from what we've read we are not forwarding these emails, but Exchange is trying to send out NDRs for these emails, and the addresses are probably fake, so they sit in our queue for 3 days until they are deleted. The problem is we have tens of thousands of emails in our queue taking up space. My question is how can we prevent these emails from getting to our queue? Is there some setting in Exchange, or do we have to use a 3rd party spam program? Any help would be appreciated.
Thank You
OneHump

Every time people ask this, I tell them it's a dictionary harvest attack, and other people come on and yell about the sky falling and say your system has been compromised.

Just to satisfy those who are sure to come, please go to this link and check your relay:

http://msv.dk/ms009.asp

Now, on to your problem.  You can identify the sender of these messages using your logs and keep them from connecting, if they don't change their IP, and they will.  Probably not a great solution.

Exchange happens to be a really bad Internet email gateway.  Deploying sendmail or something made for email routing might be a better idea.  You could even put IIS SMTP out there to help deal with the problem.

One strategy you could use is to limit the number of recipients.  This limit will make it harder to launch these attacks as a new SMTP session will have to be recreated once the recipient limit is reached.  

My best suggestion is to deploy a proper MTA between Exchange and the Internet.

OneHump
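The behaviour OneHump and Bembi are arguing for, as an added example that is not part of the original thread and not code from any of the products mentioned: a front-end SMTP policy that sits between the Internet and Exchange, refuses unknown recipients with a 5xx at RCPT TO time (so the sending MTA owns the failure and nothing is queued locally), and caps recipients per session. For comparison it can also run in the mode the asker describes, where every recipient is accepted and each failed delivery turns into a queued NDR to a forged sender. The recipient directory, the per-session limit and the dictionary-run session are all constructed for the example; no sockets are involved.

```python
"""Added example: reject-at-RCPT front end versus accept-then-bounce."""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # constructed directory
MAX_RCPT_PER_SESSION = 5  # OneHump's recipient limit; the value is an assumption


@dataclass
class Outcome:
    responses: List[str] = field(default_factory=list)
    delivered: List[str] = field(default_factory=list)  # "sender -> rcpt" handed to Exchange
    ndrs: List[str] = field(default_factory=list)       # bounces that would sit in the queue
    rcpt_rejected: int = 0


def _addr(arg: str) -> str:
    # "TO:<Bob@example.com>" -> "bob@example.com"
    return arg.split(":", 1)[-1].strip().strip("<>").lower()


def run_session(commands: List[str], reject_at_rcpt: bool = True) -> Outcome:
    """Drive one SMTP session through the policy.

    reject_at_rcpt=True  : unknown recipients get 550 immediately, no NDR is ever built.
    reject_at_rcpt=False : mimics the asker's situation; every RCPT is accepted and each
                           undeliverable one becomes an NDR addressed to the (forged) sender.
    Message bodies are not modelled; DATA is treated as end of message.
    """
    out = Outcome()
    sender: Optional[str] = None
    rcpts: List[str] = []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            sender, rcpts = _addr(arg), []
            out.responses.append("250 OK")
        elif verb == "RCPT":
            rcpt = _addr(arg)
            if len(rcpts) >= MAX_RCPT_PER_SESSION:
                # Temporary failure: a legitimate sender retries in a new session,
                # a dictionary run has to pay for a fresh connection every N guesses.
                out.responses.append("452 4.5.3 Too many recipients")
            elif reject_at_rcpt and rcpt not in VALID_RECIPIENTS:
                out.rcpt_rejected += 1
                out.responses.append("550 5.1.1 User unknown")
            else:
                rcpts.append(rcpt)
                out.responses.append("250 OK")
        elif verb == "DATA":
            if not rcpts:
                out.responses.append("503 5.5.1 No valid recipients")
                continue
            out.responses.append("250 OK: queued")
            for rcpt in rcpts:
                if rcpt in VALID_RECIPIENTS:
                    out.delivered.append(f"{sender} -> {rcpt}")
                else:
                    # Accepted earlier, fails now: the only option left is a bounce,
                    # and with a forged sender that bounce is exactly what fills the queue.
                    out.ndrs.append(f"postmaster -> {sender} (for {rcpt})")
        elif verb == "QUIT":
            out.responses.append("221 Bye")
        else:
            out.responses.append("500 5.5.1 Command unrecognized")
    return out


def dictionary_run(sender: str, n: int) -> List[str]:
    """Constructed harvest session: one forged MAIL FROM, n guessed local parts, one real one."""
    cmds = [f"MAIL FROM:<{sender}>"]
    cmds += [f"RCPT TO:<user{i}@example.com>" for i in range(n)]
    cmds += ["RCPT TO:<bob@example.com>", "DATA", "QUIT"]
    return cmds


if __name__ == "__main__":
    for mode in (True, False):
        r = run_session(dictionary_run("forged@example.net", 4), reject_at_rcpt=mode)
        print(f"reject_at_rcpt={mode}: rejected={r.rcpt_rejected} "
              f"delivered={len(r.delivered)} ndrs={len(r.ndrs)}")
```

With four guessed addresses the reject-at-RCPT mode hands one message to Exchange and builds no NDR, while the accept-then-bounce mode hands over the same message plus four bounces to an address that does not exist. The 452 on the recipient cap is a deliberate temporary code: it slows a dictionary run without permanently refusing a large legitimate mailing.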
Bembi
We have solved this problem by putting an SMTP filter in front of the server (the filter listens on port 25 and forwards the mails to an internal port, so Exchange will no longer listen on port 25). This filter is able to detect spam relay and rejects the mails without sending any NDR. This protects the server against some of the usual tricks used by spammers. One of these products is e.g. McAfee SMTP Virus Scan or the newer McAfee Spam Filter. But there may be a lot of other tools doing the same.
Here are a couple of other things to check:

1)  The local Guest account may be enabled - allowing any credentials to successfully authenticate (therefore allowing them to relay)

or

2)  A compromised local account on the box (in some cases a domain account, where the machine is a member of the domain).

Check the local accounts on the box - reset passwords and ensure guest is disabled. If the machine is in a domain - check the guest account and all other accounts for suspicious activity.

Generally, I've been able to pin the issue down to a previous infection by Code Red (the IIS worm): one of its payloads (in some versions) is enabling the guest account.

Michael.
I have the very same problem here.

OneHump: Do you recommend a way to deploy a proper MTA? What do you think of third party products like GFI MailEssentials?

Bembi: I don't see how your solution is preventing NDRs. Isn't the filter forwarding every email to your Exchange server?

Mehran
mehranalmasi: The point of a filter is to filter, meaning only mails which pass the filter are delivered; others are rejected, and you can disable sending NDRs for rejected mails. The filter accepts the mail relay, destroys the mail, and nobody gets any NDR.
Bembi:
I'd like to have something clarified, please. Maybe I am just misunderstanding the context the filter is being used in here, but:

..."and you can disable sending NDRs for rejected mails",

By that do you mean only the NDRs that are generated due to filter restrictions can be turned off? All other NDRs, such as exceeding the set message size limit or mail to a non-existent mailbox, would still be generated? Or did you mean just turning off all NDRs in general?

If one can turn off NDRs just for filter-rejected mails, I'd certainly like to know how.

Thanks in advance!
No, of course, turning off sending NDRs for filtered mails will only affect exactly these mails. All other NDRs will of course reach their recipients.

How to do it:
In Exchange, have a look at "Global Settings" - Message Transfer - Properties - Filter. There you have a sender filter and can disable sending NDRs for filtered mails.
The filter options are a little bit enhanced in EXCH 2003.
Within ISA Server, you have an additional SMTP Filter.
Other filters with options to disable NDRs for filtered mails are GFI Mail Security or McAfee SMTP WebShield.
We do have 2003, and I tried to follow your instructions, but since it is somewhat different I cannot find that specific area. Could you give instructions on how to turn off NDRs for filter-rejected messages in 2003, please?

Thanks in advance!
- Exchange Management Console
- Global Settings
- Message Transfer (second line) - right click - properties
You find three filters there
1. sender filter
2. connection filter (for blacklists)
3. recipient filter

For the sender filter, you can either select "reject connection" or "accept message, but do not inform sender" at the bottom of the dialog.

(Note: the descriptions are translated as my system is german, may be they are a little bit different).
OK, we checked "drop connection if address matches filter". The other option is actually grayed out, so we're not able to check it.

So this should stop NDRs being sent for messages that are getting rejected due to filter restrictions then?

BTW, the only thing that's translated differently is "message transfer" is called "message delivery".

Thanks for the instructions!
The option is grayed out, because you have selected "drop connection". Disable it and you can select the other option.

This setting affects NDRs produced by the sender filter. Whether it affects the other two filters I'm not sure, but I think it is easy to check by using a web mailer. It will definitely not affect NDRs which are produced by other restrictions or errors.
Sorry to be such a pest.

But while looking around in that area I also came across another setting I am interested in. Under the "recipient filtering" tab is a check mark labelled "filter recipients who are not in the directory".

Does this mean someone trying to send a message to an account that is no longer in AD would not even receive the message, let alone create an NDR? We have quite a few accounts that get deleted due to the employee leaving, but they got on some message list and now we continue to get NDRs. I was hoping marking that check mark would stop the message from making it to the server, let alone an NDR being created. If that is not the case here, IS there a setting elsewhere in 2003 that would stop NDRs from being generated for old accounts that are no longer valid or even accounts that never existed?
Not sure if you can block these NDRs; my 2003 server is a backend server, therefore I haven't checked it out yet. But mark this option and send a mail from a web mailer like GMX to your server addressing one of your old accounts; there you can see if you get an NDR.
This option results in a 5xx error code being returned to the calling MTA, NDRing the message there (as opposed to the Exchange server accepting the message and then NDRing when it fails to locate the mailbox to deliver to).

I don't like this option, as it allows spammers to 'harvest' your domain for email addresses.

Better to use the Recipient Filters for departed email addresses, and configure that to not send an NDR. I also add the SMTP alias to an internal mail-enabled public folder, just so that if anybody tries to add the alias back they get the error 'E-mail address already exists'.
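The check that follows from the last two posts, as an added example that is not from the original thread: once unknown recipients are refused with 5xx at RCPT time, a harvest run shows up in the SMTP protocol log as one client IP trying many distinct recipients and collecting mostly 5xx answers, which is also how OneHump's "identify the sender using your logs" is done in practice. The log lines below are constructed in the shape of IIS SMTP service W3C extended logging; the column order is read from the `#Fields:` header so the parser adapts to whatever your server actually writes, and the flagging thresholds are assumptions to tune against real traffic.

```python
"""Added example: find dictionary-harvest sources in an SMTP protocol log."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed sample in IIS SMTP W3C style: one legitimate MTA, one harvester that
# walks the alphabet and hits one real user, and one internal client with a typo.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 09:00:01 198.51.100.7 mx.partner.example SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<ann@partner.example> 250
2004-03-01 09:00:01 198.51.100.7 mx.partner.example SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<alice@example.com> 250
2004-03-01 09:00:02 198.51.100.7 mx.partner.example SMTPSVC1 MAIL01 192.0.2.10 25 DATA - +<1@partner.example> 250
2004-03-01 09:00:05 203.0.113.9 friend SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<x@forged.example> 250
2004-03-01 09:00:05 203.0.113.9 friend SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<aaron@example.com> 550
2004-03-01 09:00:05 203.0.113.9 friend SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<abby@example.com> 550
2004-03-01 09:00:06 203.0.113.9 friend SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<adam@example.com> 550
2004-03-01 09:00:06 203.0.113.9 friend SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<alan@example.com> 550
2004-03-01 09:00:06 203.0.113.9 friend SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<alice@example.com> 250
2004-03-01 09:00:07 203.0.113.9 friend SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<alma@example.com> 550
2004-03-01 09:00:09 192.0.2.77 laptop SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<carl@example.com> 250
2004-03-01 09:00:09 192.0.2.77 laptop SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<alcie@example.com> 550
2004-03-01 09:00:10 192.0.2.77 laptop SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<alice@example.com> 250
"""


@dataclass
class HostStats:
    rcpt_total: int = 0
    rcpt_failed: int = 0            # RCPT commands answered with a 5xx
    tried: Set[str] = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.rcpt_failed / self.rcpt_total if self.rcpt_total else 0.0


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the most recent #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) < len(fields):
            continue  # no header yet or truncated record: skip rather than guess
        yield dict(zip(fields, values))


def _rcpt_addr(query: str) -> str:
    # "+TO:<Adam@example.com>" -> "adam@example.com"
    addr = query.lstrip("+")
    if addr.upper().startswith("TO:"):
        addr = addr[3:]
    return addr.strip("<>").lower()


def analyze(lines: Iterable[str]) -> Dict[str, HostStats]:
    """Aggregate RCPT outcomes per client IP."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() != "RCPT":
            continue
        h = stats[rec["c-ip"]]
        h.rcpt_total += 1
        h.tried.add(_rcpt_addr(rec.get("cs-uri-query", "")))
        if rec.get("sc-status", "").startswith("5"):
            h.rcpt_failed += 1
    return dict(stats)


def suspects(stats: Dict[str, HostStats], min_rcpt: int = 5,
             min_fail_ratio: float = 0.8) -> List[str]:
    """Client IPs that tried many recipients and mostly got 5xx: candidates for an
    IP block or a connection-filter entry. Thresholds are assumptions; a list server
    with a few stale addresses should fall well under them."""
    return sorted(ip for ip, h in stats.items()
                  if h.rcpt_total >= min_rcpt and h.fail_ratio >= min_fail_ratio)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for ip, h in sorted(found.items()):
        print(f"{ip:15} rcpt={h.rcpt_total:3} fail={h.rcpt_failed:3} ratio={h.fail_ratio:.2f}")
    print("suspects:", suspects(found))
```

Only the harvester clears both thresholds; the partner MTA has no failures and the internal client's single typo is far below the recipient count. The ratio test matters because a large legitimate mailing to a domain with many departed employees can also produce plenty of 550s, just not as a near-total failure rate from one source.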
ASKER CERTIFIED SOLUTION
ErikKnepfler
Just a follow-up on my accepted answer.

I later didn't think this was working after I tried it.  Message Tracking would show that the Postmaster is still sending hundreds of NDRs per hour.

However, on closer inspection, if you look at the Message History (by clicking the tracking log entry) you'll notice that the NDR messages go only two steps in - as far as SMTP:  Message submitted to categorizer - and they die there.

Somewhere else probably has a log indicating that they were dropped and why (due to the rule in place) but I'm not sure where that is.

RJLSB - could you please elaborate for everyone exactly what you did, and how it worked out?