SMTP Queue's filling up

Posted on 2003-11-04
Last Modified: 2009-02-22
We are running Exchange 2000. Our SMTP queues are filling up with what looks like spam. We are set up not to relay, and from what we've read we are not forwarding these emails, but Exchange is trying to send out NDRs for these emails; the addresses are probably fake, so they sit in our queue for 3 days till they are deleted. The problem is we have tens of thousands of emails in our queue taking up space. My question is: how can we prevent these emails from getting to our queue? Is there some setting in Exchange, or do we have to use a third-party spam program? Any help would be appreciated.
Thank You
Question by:Tyler Tech
LVL 10

Expert Comment

ID: 9680425
Every time people ask this, I tell them it's a dictionary harvest attack and other people come on and yell about the sky falling and say your system has been compromised.

Just to satisfy those who are sure to come, please go to this link and check your relay:

Now, on to your problem.  You can identify the sender of these messages using your logs and keep them from connecting, if they don't change their IP, and they will.  Probably not a great solution.

Exchange happens to be a really bad Internet email gateway.  Deploying sendmail or something made for email routing might be a better idea.  You could even put IIS SMTP out there to help deal with the problem.

One strategy you could use is to limit the number of recipients.  This limit will make it harder to launch these attacks as a new SMTP session will have to be recreated once the recipient limit is reached.  

My best suggestion is to deploy a proper MTA between Exchange and the Internet.
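
The log review suggested in the comment above, as an added example that is not part of the original thread: it counts distinct RCPT TO recipients per client IP in an SMTP protocol log and flags clients whose recipients are mostly absent from the directory. The W3C-style field layout, the sample lines and the `VALID` address set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines. The field layout is an assumption; the parser
# follows whatever the "#Fields:" header of the real log declares.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2003-11-04 10:00:01 192.0.2.10 RCPT +TO:<aaron@example.com> 250
2003-11-04 10:00:01 192.0.2.10 RCPT +TO:<abby@example.com> 250
2003-11-04 10:00:02 192.0.2.10 RCPT +TO:<adam@example.com> 250
2003-11-04 10:00:02 192.0.2.10 RCPT +TO:<alice@example.com> 250
2003-11-04 10:05:00 198.51.100.7 MAIL +FROM:<carol@example.net> 250
2003-11-04 10:05:00 198.51.100.7 RCPT +TO:<alice@example.com> 250
2003-11-04 10:05:09 198.51.100.7 RCPT +TO:<bob@example.com> 250
"""

# Hypothetical stand-in for an export of real addresses from the directory.
VALID = {"alice@example.com", "bob@example.com"}

ADDR = re.compile(r"<([^>]*)>")

def rcpt_stats(log_text, valid):
    """Return {client_ip: [distinct recipients, distinct unknown recipients]}."""
    fields, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "RCPT" or "c-ip" not in row:
            continue
        match = ADDR.search(row.get("cs-uri-query", ""))
        if match:
            seen[row["c-ip"]].add(match.group(1).lower())
    return {ip: [len(r), len(r - valid)] for ip, r in seen.items()}

def harvest_suspects(log_text, valid, min_rcpt=3, min_unknown_ratio=0.5):
    """Client IPs that tried many recipients, most of them not in the directory."""
    stats = rcpt_stats(log_text, valid)
    return sorted(ip for ip, (total, unknown) in stats.items()
                  if total >= min_rcpt and unknown / total >= min_unknown_ratio)

if __name__ == "__main__":
    print(rcpt_stats(SAMPLE_LOG, VALID))
    print(harvest_suspects(SAMPLE_LOG, VALID))
```

The thresholds are illustrative; on a real gateway they would be tuned against normal mailing-list traffic before any IP is blocked.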

LVL 35

Expert Comment

ID: 9681785
We have solved this problem by putting an SMTP filter in front of the server (the filter listens on port 25 and forwards the mails to an internal port, so Exchange will no longer listen on port 25). This filter is able to detect spam relay and rejects the mails without sending any NDR. This protects the server against some usual tricks used by spammers. One of these products is, e.g., McAfee SMTP Virus Scan or the newer McAfee Spam Filter. But there may be a lot of other tools doing the same.

Expert Comment

ID: 9792515
Here are another couple of things to check:-

1)  The local Guest account may be enabled - allowing any credentials to successfully authenticate (therefore allowing them to relay)

2)  A compromised local account on the box (in some cases a domain account, but this machine was a member of the domain).

Check the local accounts on the box - reset passwords and ensure guest is disabled. If the machine is in a domain - check the guest account and all other accounts for suspicious activity.

Generally, I've been able to pin the issue down to a previous infection by Code Red (the IIS worm) - one of its payloads (in some versions) is enabling the guest account.


Expert Comment

ID: 9974035
I have the very same problem here.

OneHump: Do you recommend a way to deploy a proper MTA? What do you think of third party products like GI MailEssentials?

Bembi: I don't see how your solution is preventing NDRs. Isn't the filter forwarding every email to your Exchange server?

LVL 35

Expert Comment

ID: 10081500
mehranalmasi: The sense of a filter is to filter; that means only mails which pass the filter are delivered, others are rejected, and you can disable sending NDRs for rejected mails. The filter accepts mail relay, destroys the mail and nobody gets any NDR.

Expert Comment

ID: 10081738
I'd like to have something clarified, please. Maybe I am just misunderstanding the context "filter" is being used in here, but:

..."and you can disable sending NDRs for rejected mails",

By that do you mean only the NDRs that are generated due to filter restrictions can be turned off? All other NDRs, such as exceeding the set message size limit or mail to a non-existent mailbox, would still be generated? Or did you mean just turning off all NDRs in general?

If one can turn off NDRs just for filter-rejected mails, I'd certainly like to know how.

Thanks in advance!
LVL 35

Expert Comment

ID: 10082072
No, of course, turning off sending NDRs for filtered mails will only affect exactly these mails. All other NDRs will of course reach their recipients.

How to do it:
In Exchange, have a look at "Global settings" - Message Transfer - Properties - Filter. There you have a senders filter and can disable sending NDRs for filtered mails.
The filter options are a little bit enhanced in EXCH 2003.
Within ISA Server, you have an additional SMTP Filter.
Other filters with options to disable NDRs for filtered mails are GFI Mail Security or McAfee SMTP WebShield.

Expert Comment

ID: 10082164
We do have 2003, and I tried to follow your instructions, but since it is somewhat different I cannot find that specific area. Could you give instructions on how to turn off NDRs for filter-rejected messages in 2003, please?

Thanks in advance!
LVL 35

Expert Comment

ID: 10082911
- Exchange Management Console
- Global Settings
- Message Transfer (second line) - right click - properties
You find three filters there
1. sender filter
2. connection filter (for blacklists)
3. recipient filter

For the sender filter, you can either select "reject connection" or "accept message, but do not inform sender" at the bottom of the dialog.

(Note: the descriptions are translated as my system is German; maybe they are a little bit different.)

Expert Comment

ID: 10083083
OK, we checked "drop connection if address matches filter". The other option is actually grayed out, so we're not able to check it.

So this should stop NDRs being sent for messages that are getting rejected due to filter restrictions, then?

By the way, the only thing that's translated differently is that "message transfer" is called "message delivery".

thanks for the instructions!
LVL 35

Expert Comment

ID: 10083142
The option is grayed out, because you have selected "drop connection". Disable it and you can select the other option.

This setting affects NDRs produced by the sender filter. Whether it affects the other two filters, I'm not sure, but I think it is easy to check out by using a web mailer. But it will definitely not affect NDRs which are produced by other restrictions or errors.

Expert Comment

ID: 10083592
Sorry to be such a pest.

But while looking around in that area I also came across another setting I am interested in. Under the "recipient filtering" tab is a check mark labeled "filter recipients who are not in the directory".

Does this mean that for someone trying to send a message to an account that is no longer in the AD, the server would not even receive the message, let alone create an NDR? We have quite a few accounts that get deleted due to the employee leaving, but they got on some message list and now we continue to get NDRs. I was hoping marking that check mark would stop the message from making it to the server, let alone an NDR being created. If that is not the case here, IS there a setting elsewhere in 2003 that would stop NDRs from being generated for old accounts that are no longer valid or even accounts that never existed?
LVL 35

Expert Comment

ID: 10084092
Not sure if you can block these NDRs, my 2003 Server is a backend server, therefore hadn't checked out yet. But mark this option and send a mail from a web mailer like GMX to your server addressing one of your old accounts, there you can see if you get an NDR.

Expert Comment

ID: 10085237
This option results in a 5xx error code being returned to the calling MTA - NDR'ing the message there (as opposed to the Exchange Server accepting the message - and then NDR'ing when it fails to locate the mailbox to deliver to).

I don't like this option - as it allows spammers to 'harvest' your domain for email addresses.

Better to use the Recipient Filters for departed email addresses - and configure that to not send an NDR. I also add the SMTP alias to an internal mail-enabled public folder - just so that if anybody tries to add the alias back they get the error 'EMail Address already exists'.

Accepted Solution

ErikKnepfler earned 125 total points
ID: 10556847
>Better to use the Recipient Filters for departed email addresses - and configure that to not send an NDR

If it was there in 2000, I think they've killed it in Exchange 2003.  You can't tell it to not send NDRs only if a certain filter is activated.  I really want to ONLY send an NDR only if the sender is authenticated.

I can disable NDRs entirely under Global Settings > Message Formats, even on a per domain basis (the default domain is *).

I'm thinking to create two Internet Message Format rules: and *.  Our Domain would be configured to NOT generate NDRs.  So, the millions of incoming spam attempts to old accounts would not generate them.  Then, * would be configured to allow NDRs.

Would * override, or vice versa?  If it worked as expected, there would still be the problem that if an internal, authenticated user mis-addressed a message to another internal user, they'd never get an NDR.  This shouldn't be an issue because they're all using Outlook and utilize the GAL and Check Names feature so it's checked before it even leaves.  

So, this should work.  To summarize:  NDRs would be enabled on the * domain, but not on  Outlook client would ensure recipient validity prior to sending for internal messages.  NDRs would only be sent if the message is addressed to someone on an external domain, and the only people allowed to email that is... authenticated users!

An added bonus of this is, if you suddenly do see a bunch of NDRs, you know that a client or username has been compromised.

I just tried this - and it seems to work!  My server quit generating 5 NDRs per minute from the moment I enabled this.  One curious thing though - attempts to send from an authenticated Outlook user to still results in an NDR!  I think this is because these local messages are routed differently because it's all internal, and those Internet Message Format rules never kick in.  I can't be sure though.


Expert Comment

ID: 10707220
Just a follow up on my accepted answer.

I later didn't think this was working after I tried it.  Message Tracking would show that the Postmaster is still sending hundreds of NDRs per hour.

However, on closer inspection, if you look at the Message History (by clicking the tracking log entry) you'll notice that the NDR messages go only two steps in - as far as SMTP:  Message submitted to categorizer - and they die there.

Somewhere else probably has a log indicating that they were dropped and why (due to the rule in place) but I'm not sure where that is.

RJLSB - could you please elaborate for everyone exactly what you did, and how it worked out?
