URGENT: Exchange Server Open Relay situation

Posted on 2006-05-09
Last Modified: 2008-08-04

Gateway 9220-T server
SBS2003 SP1
ISP is PaeTec Comm.
Domain HOST is GoDaddy with the MX pointing to our server here in lovely Van Nuys, CA
Exchange is handling in/out mail, NOT using POP3 connector.

As of a few hours ago, server was targeted by the bad guys.

- Server was slow to send mail; checked event logs and got the 2012 error.  Added ISP DNS to SMTP Virt Svr Ext DNS list.
- Server kept getting slower, overall, at the console.
- T/S a bit more and found:
      550+ queues in the Exchange System Manager, all identified as "SmallBusiness SMTP Connector"
      All of the queues were to mostly unknown domains, things like ""
      Queues to domains like "" had the most messages waiting to be sent
      6600+ messages in the "C:\Program Files\ExchSvr\Mailroot\vsi 1\Queue" folder
      Tried to Freeze queues and delete messages inside the queues, but they multiply faster than .... (pick an analogy)

OK, so I know that I have allowed the server to become an open relay, I am a bad person, although I'd like to blame this on Microsoft a bit, but whatever...

I thought that by forcing authentication to AD users only, I had solved the problem.  Wrong, hunh?
Sad to say, I am an IT consultant and a little green at the security thing, so...

How do I fix it?
     How do I stop the Open Relay situation?
     How do I delete the queues and messages all at once?

I've downloaded the IMF tool and don't know if it'll solve things for the moment, so it's not installed.
Oh yeah, I've stopped all Microsoft Exchange... services in the meantime.  I do NOT want to be blacklisted with this domain.

Thanks !!
Question by:zoon06
    LVL 27

    Accepted Solution

    A very knowledgeable person on this forum, Sembee, created this webpage that may help you:
    LVL 32

    Expert Comment

    Yes, that is a great link. Here is another link that may prove helpful once things are cleaned up:


    Author Comment

    Thanx for the links.

    It's late now.  I tried RemDesk to the server, not accepting connections.  Will be checking this tomorrow and post my results.

    LVL 31

    Assisted Solution

    Actually, you may not be an open relay - those messages may be NDRs.  See if the sender is shown as <> .  If it is, then your domain has received a lot of spam to non-existent addresses, and is now sending back NDRs to the (fictitious) sending addresses.  Since the addresses are generally false, they can't be delivered straight away, and sit in the queue for days.  If you are getting lots of spam, try turning off NDRs altogether.  Did you also apply the checkbox that says 'Filter recipients that are not in the directory'?

    Of course, if the sender is not displayed as <>, and the recipient is an external address, then you have a relay problem.
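The distinction LeeDerbyshire draws (null sender `<>` plus external recipient means NDR backscatter; non-empty external sender plus external recipient means relay abuse) can be applied to the whole queue folder instead of eyeballing one message at a time. The script below is an added example, not code from this thread or from Microsoft; it assumes the queued .eml files carry the SMTP envelope as `x-sender:` / `x-receiver:` header lines (the convention IIS SMTP queue files use) and falls back to `Return-Path`/`From`/`To` when they are absent, and the domain `mydomain.tld` and the sample messages are constructed placeholders.

```python
"""Triage a queue of SMTP messages into inbound, NDR backscatter, relay abuse,
or outbound-from-local-sender, using envelope sender/recipient domains."""
import email
from collections import Counter
from email.utils import parseaddr
from pathlib import Path

LOCAL_DOMAIN = "mydomain.tld"   # placeholder: the domain this server accepts mail for


def domain_of(addr):
    """Lowercased domain of an address; '' for the null sender '<>' or no address."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(raw_message, local_domain=LOCAL_DOMAIN):
    """Return one of: inbound, ndr-backscatter, relay-abuse, outbound-local-sender."""
    msg = email.message_from_string(raw_message)
    # Envelope data first (x-sender/x-receiver as written by IIS SMTP queue files,
    # an assumption here), then header fallbacks.
    sender = msg.get("x-sender") or msg.get("Return-Path") or msg.get("From") or ""
    recipients = msg.get_all("x-receiver") or [msg.get("To") or ""]
    rcpt_domains = {domain_of(r) for r in recipients}

    if rcpt_domains and rcpt_domains <= {local_domain}:
        return "inbound"                      # mail for our own users, not a relay symptom
    sender_domain = domain_of(sender)
    if sender_domain == "":
        return "ndr-backscatter"              # <> sender: bounces to forged spam senders
    if sender_domain == local_domain:
        return "outbound-local-sender"        # e.g. postmaster@ours to outside: inspect
    return "relay-abuse"                      # external -> external: third-party relay


def triage(messages, local_domain=LOCAL_DOMAIN):
    """Count messages per category; a large relay-abuse bucket means relay is open."""
    return Counter(classify(m, local_domain) for m in messages)


def triage_folder(folder, local_domain=LOCAL_DOMAIN):
    """Run triage over every *.eml file in a queue folder (read-only)."""
    files = Path(folder).glob("*.eml")
    return triage((p.read_text(errors="replace") for p in files), local_domain)


# Constructed sample queue contents (not real captured mail).
SAMPLE_QUEUE = [
    "\n".join([  # external sender -> external recipient: classic relay abuse
        "x-sender: promo@spammer.example",
        "x-receiver: rnd8372@well-known.example",
        "From: promo@spammer.example", "To: rnd8372@well-known.example",
        "Subject: cheap stuff", "", "body"]),
    "\n".join([  # null envelope sender: an NDR going back to a forged address
        "x-sender: <>",
        "x-receiver: forged.sender@victim.example",
        "From: postmaster@mydomain.tld", "To: forged.sender@victim.example",
        "Subject: Undeliverable: hello", "", "Your message did not reach..."]),
    "\n".join([  # ordinary inbound mail for a local user
        "x-sender: friend@partner.example",
        "x-receiver: bob@mydomain.tld",
        "From: friend@partner.example", "To: bob@mydomain.tld",
        "Subject: lunch", "", "body"]),
    "\n".join([  # local postmaster sending outside: could be an NDR, could be spoofed
        "x-sender: postmaster@mydomain.tld",
        "x-receiver: random@other.example",
        "From: postmaster@mydomain.tld", "To: random@other.example",
        "Subject: Undeliverable", "", "body"]),
]

if __name__ == "__main__":
    for category, count in sorted(triage(SAMPLE_QUEUE).items()):
        print(f"{category:24s} {count}")
```

Point `triage_folder` at a copy of the `Mailroot\vsi 1\Queue` folder (it only reads files) and compare the buckets: a queue dominated by `relay-abuse` confirms the relay restriction problem, while a queue dominated by `ndr-backscatter` points at the recipient filtering and NDR settings discussed in this thread.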

    Author Comment


    OK. Poked around a lot today on the SBS/Exchg server.

    To Exchange_Admin:

    It seems the Open Relay condition was present because the Default SMTP Virtual Server > Access > Relay > Relay Restrictions were not configured according to the link I was referred to.  The Relay Restriction was set to "Allow all except the list below" - the list was empty.  The "...successfully authenticate..." option on the same window was checked.  Am I correct in saying Open Relay was....Open?

    To All:
    And the NDR condition may also have been present, or they work in conjunction to mess things up?  Not sure, but it seems like the relaying thing CAUSED the NDR condition.  Am I right?

    To LeeDerbyshire:
    None of my senders showed as <>.  The Filter recipients option was checked by default.
    The recipient names were:
         mostly randomly generated character names to well-formed and some well-known domains.
         sender was postmaster@mydomain.tld most of the time, other times it was some random sender.
    How can I turn off NDRs altogether?  Is that an option in SBS or a roundabout way of configuring things?

    To All, again:
    I would like more clarification on this NDR issue to make sure I understand it correctly.  Does relaying cause NDRs or is that just one way of bogging things down when relaying is left open but authentication is enforced?

    Overall, though, things are going well.  I followed Sembee's instructions and the messages are piling up into a queue that will go nowhere.  Then I will take out the garbage and recreate the default SMTP connector.  Current message count: 3523...

    Thanx again.
    LVL 31

    Expert Comment

    Yes, allowing 'All except the list below' is bad.  It should be 'Only the list below', and then add any IPs that you know you want to relay (like external Outlook Express clients with fixed IPs).  You can also enable the 'Allow all computers which successfully authenticate', too, if you like (although some people don't like even that).  But you should definitely not have 'Allow all except'.  I would turn that off right now.
    LVL 31

    Expert Comment

    Oh, BTW, you can turn off NDRs by clicking on Internet Message Formats, and looking at the properties of the Default format.  It's on the Advanced page.  Anything with sender postmaster@yourdomain.tld could be an NDR, too, but aimed back inside at your users.  I'm pretty sure that external NDRs should have an empty sender, to prevent message loops.

    Author Comment

    Sorry, didn't find Advanced on Internet Message Formats.

    Thanx to all, the problem is fixed.  I'm wrapping this up.
