
Multiple bogus emails in my Exchange 2003 smtp outgoing queue

Asked by dashman (Medium Priority, 644 views). Last Modified: 2008-02-01
I have a server with Windows 2000 and Exchange 2000 server installed. This box is the email server for this company and its IP is the MX record for their domain.  In the exchange system manager, protocols, smtp, default smtp virtual server, queues, I have a multitude of listings that keep appearing. They all have the little blue arrow on the icon to the left of the listing and if I enumerate the listing they all show an email from postmaster@domain.com. Some of the names of the listings are: my.biglovedating.com, ihub.com, queerplaces.com, my.love.proext.com, etc. You get the point - they are bogus. I suspect that I have an email virus on one of the 40 machines that are here and it is trying to send out these emails. I have Symantec Antivirus Corporate Edition v10 on the servers and workstations and it updates and scans all nightly. I have done a Google and Symantec search on some of the bogus URLs and have come up with nothing. Perhaps I am wrong about what the problem is and would like to find out what is going on. I have done a test on the exchange server and it is reporting that it is not an open relay.

Any help in identifying the problem would be appreciated. If it is an email virus how would I identify the offending workstation?


Are you sure that these are not NDRs (non-delivery reports) from emails coming into your environment? Try turning off NDRs and clear the queues and see if they fill back up. This should help in troubleshooting.
Expert of the Year 2007
Expert of the Year 2006
Commented:
Sounds like NDR spam.

Exchange 2000 doesn't really have the tools to deal with this. I don't like recommending that NDRs are disabled as that can have other consequences for the business.
You need to look at putting in an application that can do LDAP lookups and deal with those types of messages. GFI Mail Essentials is one such application.

If your queues are very full and you need assistance in clearing them, then I have instructions on my web site:
http://www.amset.info/exchange/spam-cleanup.asp

Simon.

Correct. I agree that turning off NDRs permanently is a bad solution. I would only do this to pinpoint the issue.

Mark

Author

Commented:
I will try and run the cleanup you suggested. I should also mention that my bad mail is filling up faster than the smtp queues. They are all addressed to a bogus user or users@ourdomain.com. Is this email that is coming into our server and requesting a return email? Not sure exactly how that works.
Expert of the Year 2007
Expert of the Year 2006

Commented:
Have you service packed your Exchange server?
Badmail support was disabled by default in service pack 1, but if you are seeing your badmail folder fill up you are either not running the latest service pack or you have enabled badmail.

Badmail is simply a copy of every non-delivered message that the Exchange server deals with.

Simon.

Author

Commented:
I checked the version number for Exchange and it is build 6249.4 which you indicate is SP3. I do not remember turning on bad mail, but if it can be turned off I would like to do that. How do I do it? Do you recommend applying the post sp3 update and then the hotfix?
So it seems that my situation is that I am getting a lot of spam addressed to non-existent users at my domain. The messages cannot be delivered, so it is filling up the bad mail, and that is also what is showing up in the SMTP queues, and it is not an email virus trying to use me as an SMTP server. Is that a correct assessment of the situation? Is there anything that I can do about this, or should I not concern myself over it? Thanks in advance for all your help.
Yes, you are getting spammed with non-existent user email to your domain. That is filling up the badmail folder and it is also sending out an NDR which is filling up the SMTP queues. They are probably staying in the queues because the sending domain is probably spoofed and non-existent as well. When I was using Exchange 2000 I used GFI Mail Essentials and it controlled the spam. You can then set options to not send NDRs for certain classified emails, like emails that are blacklisted or classified as spam, but still send NDRs for people that are legit and type the wrong address. With Exchange 2003 I use no spam software because 2003 has many more features for fighting spam.
Here is a good article. You may already be doing some of these
http://support.microsoft.com/default.aspx?scid=kb;en-us;319356
Here is a link to control bad mail folder
http://support.microsoft.com/?id=867642

Mark
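The two mechanisms Mark describes (inbound spam to unknown recipients that triggers NDRs to spoofed senders, versus an internal host actually sending outbound mail) leave different traces in the SMTP protocol log. The script below is an added illustration, not code from this thread or from Exchange; it works over constructed, simplified log lines and assumes a local domain, a workstation subnet and a list of valid mailboxes. External IPs sending to unknown local users are the backscatter trigger; a LAN host fanning out to many external domains is the pattern that would point at an infected workstation.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LOCAL_DOMAIN = "ourdomain.com"                 # assumption: the site's own domain
LAN = ip_network("192.168.1.0/24")             # assumption: workstation subnet
KNOWN_USERS = {"alice", "bob"}                 # assumption: real local mailboxes

# Constructed sample, simplified to "<client-ip> <verb> <argument>" per line;
# a real IIS/Exchange 2000 SMTP log carries more columns but the same verbs.
SAMPLE_LOG = """\
203.0.113.5 MAIL FROM:<noreply@my.biglovedating.com>
203.0.113.5 RCPT TO:<zzqx@ourdomain.com>
203.0.113.5 RCPT TO:<alice@ourdomain.com>
198.51.100.9 MAIL FROM:<promo@ihub.com>
198.51.100.9 RCPT TO:<users@ourdomain.com>
192.168.1.7 MAIL FROM:<bob@ourdomain.com>
192.168.1.7 RCPT TO:<friend@example.net>
192.168.1.42 MAIL FROM:<bob@ourdomain.com>
192.168.1.42 RCPT TO:<a@ihub.com>
192.168.1.42 RCPT TO:<b@queerplaces.com>
192.168.1.42 RCPT TO:<c@my.love.proext.com>
"""

LINE = re.compile(r"^(\S+) (MAIL|RCPT) (?:FROM|TO):<([^>]*)>")

def analyze(log_text, threshold=3):
    """Separate inbound mail to unknown local recipients (what fills badmail
    and generates NDRs) from LAN hosts mailing many external domains (what an
    infected workstation would look like). Returns both views."""
    unknown_rcpt_sources = Counter()             # external ip -> bad RCPTs
    external_domains_by_host = defaultdict(set)  # LAN ip -> domains mailed
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != "RCPT":
            continue                             # only RCPT lines matter here
        client = ip_address(m.group(1))
        user, _, domain = m.group(3).rpartition("@")
        if domain.lower() == LOCAL_DOMAIN:
            if client not in LAN and user.lower() not in KNOWN_USERS:
                unknown_rcpt_sources[str(client)] += 1
        elif client in LAN:
            external_domains_by_host[str(client)].add(domain.lower())
    suspects = sorted(h for h, d in external_domains_by_host.items()
                      if len(d) >= threshold)
    return {"unknown_rcpt_sources": dict(unknown_rcpt_sources),
            "external_domains_by_host":
                {h: sorted(d) for h, d in external_domains_by_host.items()},
            "suspect_hosts": suspects}
```

On the constructed sample, both external addresses show up as sources of mail to unknown recipients, while only 192.168.1.42 crosses the fan-out threshold; 192.168.1.7 sending to one external domain is ordinary user traffic.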
Expert of the Year 2007
Expert of the Year 2006

Commented:
Is this Exchange 2000 or Exchange 2003?
My response about badmail applies to Exchange 2003 ONLY. The badmail feature cannot be disabled in Exchange 2000.

With Exchange 2000 you should probably look at using GFI Mail Essentials. It has a recipient lookup feature (which is build in to Exchange 2003) and that stops NDR spam in its tracks.

Simon.

Author

Commented:
I am using Exchange 2000. I mistyped it in the brief description but got it right in the long description of the problem. I will try the bad mail script suggested. I am using Brightmail on the server and will look to see if there is a way to configure it to not send NDRs. Are you familiar with the software and know if that can be done?

Thank you both for your excellent answers. You have both provided me with a much better understanding of the problem and ways to deal with it. I would like to split the points between the two of you. I have never done that before. Is it possible?
I am not too worried about the points, only that you got a solution.
Here is a link for the next time that you want to split points. And answers to common questions.
http://www.experts-exchange.com/help.jsp#hi69
I have no experience with BrightMail, but make sure NDRs are not going out for everything. I would only send out NDRs for emails that do not exist on the domain and not spam. You will still send out NDRs, but it will save you if someone types an email address wrong when trying to send to someone in your domain. They will know that it did not go through. I have also tried directing non-existent user emails into a spam mailbox that I monitored and went through every day to see if any legit emails were in there (using GFI Mail Essentials). Spam is a pain, but Exchange is getting better in handling it in 2003 SP2 and hopefully even better in Exchange 12.

Have a good one,
Mark