Multiple bogus emails in my Exchange 2003 smtp outgoing queue

I have a server with Windows 2000 and Exchange 2000 server installed. This box is the email server for this company and its IP is the MX record for their domain.  In the exchange system manager, protocols, smtp, default smtp virtual server, queues, I have a multitude of listings that keep appearing. They all have the little blue arrow on the icon to the left of the listing and if I enumerate the listing they all show an email from postmaster@domain.com. Some of the names of the listings are: my.biglovedating.com, ihub.com, queerplaces.com, my.love.proext.com, etc. You get the point - they are bogus. I suspect that I have an email virus on one of the 40 machines that are here and it is trying to send out these emails. I have Symantec Antivirus Corporate Edition v10 on the servers and workstations and it updates and scans all nightly. I have done a Google and Symantec search on some of the bogus URLs and have come up with nothing. Perhaps I am wrong about what the problem is and would like to find out what is going on. I have done a test on the exchange server and it is reporting that it is not an open relay.

Any help in identifying the problem would be appreciated. If it is an email virus how would I identify the offending workstation?

dashman Asked:

maderosia Commented:
Are you sure that these are not NDRs (non-delivery reports) from emails coming into your environment? Try turning off NDRs and clear the queues and see if they fill back up. This should help in troubleshooting.
0
Sembee Commented:
Sounds like NDR spam.

Exchange 2000 doesn't really have the tools to deal with this. I don't like recommending that NDRs are disabled, as that can have other consequences for the business.
You need to look at putting in an application that can do LDAP lookups and deal with those types of messages. GFI Mail Essentials is one such application.

If your queues are very full and you need assistance in clearing them, then I have instructions on my web site:
http://www.amset.info/exchange/spam-cleanup.asp

Simon.
0

maderosia Commented:
Correct. I agree that turning off NDRs permanently is a bad solution. I would only do this to pinpoint the issue.

Mark
0
dashman Author Commented:
I will try and run the cleanup you suggested. I should also mention that my bad mail is filling up faster than the smtp queues. They are all addressed to a bogus user or users@ourdomain.com. Is this email that is coming into our server and requesting a return email? Not sure exactly how that works.
0
Sembee Commented:
Have you service packed your Exchange server?
Badmail support was disabled by default in service pack 1, but if you are seeing your badmail folder fill up you are either not running the latest service pack or you have enabled badmail.

Badmail is simply a copy of every non-delivered message that the Exchange server deals with.

Simon.
0
dashman Author Commented:
I checked the version number for Exchange and it is build 6249.4, which you indicate is SP3. I do not remember turning on bad mail, but if it can be turned off I would like to do that. How do I do it? Do you recommend applying the post-SP3 update and then the hotfix?
So it seems that my situation is that I am getting a lot of spam addressed to non-existent users at my domain. The messages cannot be delivered, so it is filling up the bad mail, and also that is what is showing up in the SMTP queues, and it is not an email virus trying to use me as an SMTP server. Is that a correct assessment of the situation? Is there anything that I can do about this or should I not concern myself over it? Thanks in advance for all your help.
0
maderosia Commented:
Yes, you are getting spammed with nonexistent-user email to your domain. That is filling up the badmail folder and it is also sending out an NDR, which is filling up the SMTP queues. They are probably staying in the queues because the sending domain is probably spoofed and nonexistent as well. When I was using Exchange 2000 I used GFI Mail Essentials and it controlled the spam. You can then set options to not send NDRs for certain classified emails, like emails that are blacklisted or classified as spam, but still send NDRs for people that are legit and type the wrong address. With Exchange 2003 I use no spam software because 2003 has many more features for fighting spam.
Here is a good article. You may already be doing some of these:
http://support.microsoft.com/default.aspx?scid=kb;en-us;319356
Here is a link to control the badmail folder:
http://support.microsoft.com/?id=867642

Mark
0
Sembee Commented:
Is this Exchange 2000 or Exchange 2003?
My response about badmail applies to Exchange 2003 ONLY. The badmail feature cannot be disabled in Exchange 2000.

With Exchange 2000 you should probably look at using GFI Mail Essentials. It has a recipient lookup feature (which is built in to Exchange 2003) and that stops NDR spam in its tracks.

Simon.
0
dashman Author Commented:
I am using Exchange 2000. I mistyped it in the brief description but got it right in the long description of the problem. I will try the bad mail script suggested. I am using Brightmail on the server and will look to see if there is a way to configure it to not send NDRs. Are you familiar with the software and know if that can be done?

Thank you both for your excellent answers. You have both provided me with a much better understanding of the problem and ways to deal with it. I would like to split the points between the two of you. I have never done that before. Is it possible?
0
maderosia Commented:
I am not too worried about the points, only that you got a solution.
Here is a link for the next time that you want to split points, and answers to common questions:
http://www.experts-exchange.com/help.jsp#hi69
I have no experience with BrightMail, but make sure NDRs are not going out for everything. I would only send out NDRs for emails that do not exist on the domain and not spam. You will still send out NDRs, but it will save you if someone types an email address wrong when trying to send to someone in your domain. They will know that it did not go through. I have also tried directing nonexistent-user emails into a spam mailbox that I monitored and went through every day to see if any legit emails were in there (using GFI Mail Essentials). Spam is a pain, but Exchange is getting better in handling it in 2003 SP2 and hopefully even better in Exchange 12.

Have a good one,
Mark
0
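The mechanism the two answers describe (spam to nonexistent recipients is accepted, fails delivery, lands in badmail and produces a postmaster@ NDR that sits in the outbound queue because the spoofed sender domain never accepts it) and the two mitigations they propose (recipient lookup at RCPT TO, as GFI or Exchange 2003 recipient filtering do, and suppressing NDRs only for mail already classed as spam) can be reproduced in a small model. The following is an added illustration written for this thread, not Exchange, GFI or Brightmail code. The domain `ourdomain.com`, the mailbox list standing in for an LDAP lookup, the sample traffic and the `spam` verdict on each message are all constructed assumptions.

```python
"""Model of NDR backscatter on an Exchange 2000 style MTA and of the two
policies discussed in the thread. Constructed example; nothing here is
Exchange or GFI code."""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "ourdomain.com"                      # placeholder for the asker's domain
VALID_MAILBOXES = {"alice", "bob", "postmaster"}    # stand-in for a directory (LDAP) lookup


@dataclass
class Message:
    mail_from: str          # SMTP envelope sender (easily spoofed by spammers)
    rcpt_to: str            # SMTP envelope recipient
    spam: bool = False      # verdict an external filter would supply (assumed input)


@dataclass
class Server:
    validate_recipients: bool   # refuse unknown users at RCPT TO (GFI lookup / Exchange 2003 filtering)
    ndr_for_spam: bool          # generate NDRs even for messages the filter classed as spam
    outbound_queue: list = field(default_factory=list)   # NDRs waiting on remote MTAs
    badmail: list = field(default_factory=list)          # copies of undeliverable messages
    rejected_at_rcpt: int = 0
    delivered: int = 0

    def recipient_exists(self, addr):
        local, _, domain = addr.lower().partition("@")
        return domain == LOCAL_DOMAIN and local in VALID_MAILBOXES

    def accept(self, msg):
        """Simulate one inbound SMTP transaction and return the reply given."""
        # RCPT TO stage: with recipient validation the unknown user is refused
        # with a 550, so the sending MTA (not this server) owns any bounce.
        if self.validate_recipients and not self.recipient_exists(msg.rcpt_to):
            self.rejected_at_rcpt += 1
            return "550 5.1.1 User unknown"
        if self.recipient_exists(msg.rcpt_to):
            self.delivered += 1
            return "250 OK"
        # Accepted (250) but undeliverable: a badmail copy is kept and, unless the
        # message is spam and NDRs for spam are suppressed, an NDR from postmaster@
        # is queued to the (often spoofed) envelope sender.
        self.badmail.append(msg)
        if msg.spam and not self.ndr_for_spam:
            return "250 OK (undeliverable spam dropped, no NDR)"
        ndr = Message(mail_from=f"postmaster@{LOCAL_DOMAIN}", rcpt_to=msg.mail_from)
        self.outbound_queue.append(ndr)
        return "250 OK (NDR queued)"


# Constructed inbound traffic: spam to invented users, spam to a real user,
# a genuine message with a typo in the mailbox name, and a genuine message.
SAMPLE_TRAFFIC = [
    Message("x@my.biglovedating.com", f"zzq17@{LOCAL_DOMAIN}", spam=True),
    Message("y@ihub.com", f"sales-dept@{LOCAL_DOMAIN}", spam=True),
    Message("z@queerplaces.com", f"bob@{LOCAL_DOMAIN}", spam=True),
    Message("friend@example.org", f"alcie@{LOCAL_DOMAIN}", spam=False),
    Message("friend@example.org", f"alice@{LOCAL_DOMAIN}", spam=False),
]


def queued_remote_domains(server):
    """Remote domains an admin would see as entries in the outbound queue listing."""
    return sorted({m.rcpt_to.partition("@")[2] for m in server.outbound_queue})


def run_scenario(validate_recipients, ndr_for_spam):
    """Feed the sample traffic through a server configured with the given policy."""
    srv = Server(validate_recipients, ndr_for_spam)
    for m in SAMPLE_TRAFFIC:
        srv.accept(m)
    return srv


if __name__ == "__main__":
    for label, policy in [("Exchange 2000 default", (False, True)),
                          ("recipient lookup at RCPT TO", (True, True)),
                          ("no NDR for filtered spam", (False, False))]:
        srv = run_scenario(*policy)
        print(f"{label}: queue={queued_remote_domains(srv)} badmail={len(srv.badmail)} "
              f"rejected={srv.rejected_at_rcpt} delivered={srv.delivered}")
```

Under the default policy every accepted-but-undeliverable message yields both a badmail copy and a postmaster@ NDR queued to a remote domain, which is exactly the listing the question describes and why no internal workstation needs to be involved. Recipient validation empties both the queue and badmail because nothing undeliverable is ever accepted, while the NDR-suppression policy alone keeps the badmail copies (as Sembee notes, badmail is a copy of every non-delivered message) and still bounces the legitimately mistyped address, which is the trade-off maderosia describes.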