<

Why are my outbound queues filling up with mail I didn't send

Published on
108,574 Points
13,474 Views
26 Endorsements
Last Modified:
Awarded
Community Pick
If your emails are building up on your Exchange 2003 server and you don’t recognise any of the destination address then you have got a problem and need to resolve it.   To work out what your problem is, please double-click into one of the unknown domain name queues, then click on the Find Now button and then double-click into one of the messages that are returned.

Look at the sender of the message.  If the sender is postmaster@yourdomain.com, you are suffering from a Non Delivery Attack.  If the sender is a random user not in your organisation, then you are suffering from an Authenticated Relay attack.

Non Delivery Attack:

To prevent a Non-Delivery Attack, please turn on Recipient Filtering to reject recipients not in your organisation:

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

The reason for this is that you are currently accepting messages for anyone at your company, even made up names.  If the recipient does not exist, your server is sending a Non-Delivery Report back to the sending email address and as spammers usually make up the sender address, the email message will not be able to go anywhere as the domain is invalid.  Some of the email addresses that spammers use will be valid email addresses and thus some Non-Delivery report mail will get sent out to people who did not send an email to you in the first place and they will potentially report you as a spammer.  Mail of this type is known as Backscatter and this can get you Blacklisted.  Please see  http://en.wikipedia.org/wiki/Backscatter_(e-mail) for more details.

If you also turn on Recipient Filtering, your server will reject recipients that are not setup on your server and the sending mail server will be responsible for sending a Non Delivery Report, not your server, thus shifting the problem back onto the spammer - http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

Another tool that you can use to slow down spammers is to implement something called Tarpitting which forces a delay into the mail-flow process for anyone sending mail to an invalid address on your server.  This means that anyone targetting your server will spend lots of time waiting for a response from your server, slowing them down - http://support.microsoft.com/kb/842851

Authenticated Relay Attack:

If the sender is not postmaster@yourdomain.com and is some random address, please Open Exchange System Manager and expand Servers> Right-click the Server Name and choose Properties> Select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to maximum.  Once you have done this, keep an eye on your Application Event Logs looking for event ID 1708 and it should soon become apparent which account is being abused.  Once you know which user account is being abused, change the password for that account and then stop and restart the Simple Mail Transfer Protocol Service and then cleanup your queues (The Administrator account is the usual target for spammers).  Here is a good document to help you cleanup – http://www.amset.info/exchange/spam-cleanup.asp

Once you have cleaned up – please return the logging level back to None
26
Comment
  • 7
  • 2
  • 2
  • +6
17 Comments
LVL 23

Expert Comment

by:Malli Boppe
Great Article
0
LVL 23

Expert Comment

by:Malli Boppe
Is this applicable to exchange 2007 as well.
0
LVL 76

Author Comment

by:Alan Hardisty
There are parts that are relevant to Exchange 2007, but not all of it.

The sender details (postmaster or random) and thus the NDR spam / Open or Authenticated Relay issues are relevant to all Exchange versions, but the solution for 2007 will be different.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

LVL 1

Expert Comment

by:SeanNij
Great!!!
0

Expert Comment

by:Bran-Damage
Great article!  Any reason why their would be nothing in the Event Viewer application log after doing the steps above for Authenticated Relay Attack?
0
LVL 76

Author Comment

by:Alan Hardisty
@Bran-Damage - I presume you are referring to the Security Event Log?

If that is the case, then it may not be an Authenticated Relay Attack. You may have a virus on your network abusing your Exchange server.  I have seen this at a customer's site before.

I would install a 30-day trial of Vamsoft ORF (in log mode only) and monitor the logs to see what is happening.  That should help to narrow down an account if you are an Authenticated Realy, but if not, then check the Blacklists and see why you are listed.  From there you can formulate a plan to stop the attack.

www.mxtoolbox.com/blacklists.aspx

Also - if you found the article useful - please don't forget to vote for it : )
0

Expert Comment

by:Les Finch
Wish I had this article earlier. Now the next customer that gets hacked won't keep me up all night clearing the queuesso  to keep the server up.
0
LVL 76

Author Comment

by:Alan Hardisty
If you want to clear the queues very quickly - use aqadmcli.exe:

ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/aqadmcli.exe
0
LVL 9

Expert Comment

by:samiam41
Had a hard time listening to your article over your awesomeness.  Great work!  I will save this article for the next Exchange battle I enter.  Thanks!
0
LVL 76

Author Comment

by:Alan Hardisty
Sorry!  I'll try to crank up the article volume for you ;)

Alan
0

Expert Comment

by:Les Finch
I have found the quickest way to delete the smtp queue is to create a batch file on the desktop with the following contents

===============================================
echo
echo delete the queue emails
net stop smtpsvc
d: <<<<<<< change to suite
cd "\program files"
cd exchsrvr\mailroot\vsi 1\queue
rem pause
del *.* <c:\yes.txt  <<<<< need a file called yes.txt that contains y<CR> in root directory of C:

net start smtpsvc
rem pause
==========================================================

this is assuming the queue in on the D: drive. Change to suite. Also you need to create a file c:\yes.txt which contains y<CR> only.
If there are a lot of files in the queue the service may not stop. in this case bring up taskmgr and kill inetinfo.exe. Then run the patch file.
0
LVL 76

Author Comment

by:Alan Hardisty
The problem with your option is that it may also delete valid emails.  With the aqadmcli.exe tool, it allows you to quickly zap only the bogus emails and not the genuine ones.
0

Expert Comment

by:andersonaraujo
This post is very useful and clear. It helped me a lot. Good job Alan Hardisty!!!
0
LVL 76

Author Comment

by:Alan Hardisty
0

Expert Comment

by:ITNESPEO
This article is SO well written that I, a non-systems person, was able to follow it, gather information, and stop an authenticated relay attack while I waited for our IT consultant to become available.  Many, many thanks, Alan Hardisty!
0

Expert Comment

by:Ergs
Hi Alan... you put a smile on my face when I see you get involved.

Excellent,  concise, complete information as per usual. I added the email address to "Senders Filtering" - "Senders" list and emails have seemed to stop, filtering was already enabled - not sure if this is a problem.

Also I was doing the telnet test and I get asked for a logon? I did try the Administrator account
0
LVL 76

Author Comment

by:Alan Hardisty
Hi Ergs,

Many thanks for your kind comments - they are much appreciated and compel me to keep helping out on EE.

The Sender Address is most likely going to change, so adding one may only stem the flow for now, but it won't hold back the tide for ever.

Do you want to post in your question and I will reply in there?

Are you seeing mail from postmaster or random sender @ random domain?

Alan
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Join & Write a Comment

Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Check How effective MS Exchange Expert thinks Exchange Mailbox Recovery by SysTools IS. Visit the Official site to get detailed information:- https://www.systoolsgroup.com/exchange-recovery.html (https://www.systoolsgroup.com/exchange-recovery.h…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month