Exchange server flooding with undeliverable to local postmaster

Posted on 2006-06-03
Last Modified: 2010-08-05
Our Exchange server is sending rogue emails (about 1 a sec). If I open the Outlook client it is filling up with generated emails, all marked undeliverable, all forwarded to the local postmaster as undeliverable. Our ISP has notified us that we are flooding the internet with these rogue messages. How do I determine where in the network they are coming from? Unmounting the store stops the messages, but when I mount it again the Mailbox store logs on multiple accounts identified as SMTP(server- {id}), win2k account NT AUTHORITY\SYSTEM. HELP

Further, I did a network packet scan and the emails do not seem to originate from outside the Exchange box.
Question by: Alfred_E_Newman
    LVL 104

    Accepted Solution

    Would help if you stated which version of Exchange it was.

    It sounds like an NDR attack.

    Go to my web site, look at the spam cleanup article:

    The reason you aren't seeing the messages coming in is because they are already on the Exchange server. ESM is notorious for not showing the true state of the queues.


    Author Comment

    Exchange is 03 running on an 03 DC. I disabled the firewall, therefore not allowing any traffic in, and the emails keep coming. This would indicate that they are being generated internally. The email header is as follows:

    Microsoft Mail Internet Headers Version 2.0
    From: postmaster@******.org
    Date: Sat, 3 Jun 2006 15:14:51 -0600
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    X-DSNContext: 7ce717b1 - 1391 - 00000002 - C00402D1
    Message-ID: <MjkatwD4300002a63@server.******.org>
    Subject: Delivery Status Notification (Failure)

    Content-Type: text/plain; charset=unicode-1-1-utf-7

    Content-Type: message/delivery-status

    Content-Type: message/rfc822

    Received: from ([] RDNS failed) by server.*****.org with Microsoft SMTPSVC(6.0.3790.1830);
           Thu, 1 Jun 2006 14:06:20 -0600
    Received: from by; Thu, 01 Jun 2006 20:56:30 +0100
    Received: (qmail 26624 invoked from network); Thu, 01 Jun 2006 15:57:30 -0400 -0000
    Received: from unknown (HELO J±Z¬ü´ ([]) (envelope-sender <>)
              by 0 (qmail-ldap-1.03) with SMTP
              for <>; Thu, 01 Jun 2006 14:02:30 -0600 -0000
    Received: (qmail 4706 invoked from network); Thu, 01 Jun 2006 21:01:30 +0100 -0000
    Received: from unknown (HELO ([]) (envelope-sender <ª©¼Ò¤ý°ê>)
              by (qmail-ldap-1.03) with SMTP
              for <>; Thu, 01 Jun 2006 21:00:30 +0100 +0800
    Message-ID: <>
    From: "ª©¼Ò¤ý°ê" <>
    Reply-To: "ª©¼Ò¤ý°ê" <>
    Subject: 2006³Ì·sÁú°êª©¼Ò¥þ·s¤W¥«!µ´¬üºô­¶¨t¦C~
    Date: Tue, 19 Jan 2038 11:14:07 +0800
    X-Mailer: AOL 7.0 for Windows US sub 118
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    X-Priority: 1
    X-MSMail-Priority: High
    X-EM-Registration: #01305001105800006300
    X-OriginalArrivalTime: 01 Jun 2006 20:06:21.0640 (UTC) FILETIME=[DA1B4480:01C685B6]

    Also: no users are logged onto the server; the first storage group has at least 15 logons for SMTP (Server - all same SID).

    thank you for your time
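As an added example (not part of the thread and not an Exchange tool), the following Python script reads a header dump in the layout pasted above and lists the signs that make it backscatter rather than a bounce of real mail: the outer part is a delivery status notification from postmaster, while the embedded original had a null envelope sender, arrived from a host with no reverse DNS, used a non-ASCII HELO name, has no usable From: address, and carries a Date: decades in the future. Both samples are constructed to mirror the structure of the post's dump; example.org, partner.example and the HELO string are placeholders, not values from the thread.

```python
"""Flag an Exchange 2003 NDR as backscatter from its "Internet Headers" dump.

Added example: not the thread's own code and not an Exchange tool. It reads a
dump in the layout shown above (outer NDR headers, then the headers of the
embedded original after "Content-Type: message/rfc822") and lists the
indicators a defender would use to tell an NDR attack from a real bounce.
"""
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample mirroring the post's dump; example.org and the HELO
# string are placeholders, not values taken from the thread.
ATTACK_SAMPLE = """\
Microsoft Mail Internet Headers Version 2.0
From: postmaster@example.org
Date: Sat, 3 Jun 2006 15:14:51 -0600
Content-Type: multipart/report; report-type=delivery-status;
Subject: Delivery Status Notification (Failure)

Content-Type: message/rfc822

Received: from ([] RDNS failed) by server.example.org with Microsoft SMTPSVC(6.0.3790.1830);
       Sat, 3 Jun 2006 15:14:50 -0600
Received: from unknown (HELO J\u00b1Z\u00ac\u00fc ([]) (envelope-sender <>)
          by 0 (qmail-ldap-1.03) with SMTP
          for <>; Sat, 03 Jun 2006 15:10:30 -0600 -0000
From: "\u00aa\u00a9\u00bc" <>
Subject: 2006 promo
Date: Tue, 19 Jan 2038 11:14:07 +0800
"""

# Constructed sample of a legitimate bounce: a partner's real user mailed a
# non-existent local address, so one NDR back to that user is expected.
LEGIT_SAMPLE = """\
Microsoft Mail Internet Headers Version 2.0
From: postmaster@example.org
Date: Sat, 3 Jun 2006 15:14:51 -0600
Content-Type: multipart/report; report-type=delivery-status;
Subject: Delivery Status Notification (Failure)

Content-Type: message/rfc822

Received: from mail.partner.example (mail.partner.example [192.0.2.10]) by server.example.org with Microsoft SMTPSVC(6.0.3790.1830);
       Sat, 3 Jun 2006 15:14:50 -0600
From: "Alice" <alice@partner.example>
To: nosuchuser@example.org
Subject: meeting
Date: Sat, 3 Jun 2006 15:14:40 -0600
"""


def unfold(lines):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    out = []
    for line in lines:
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_headers(block):
    """Return [(name_lowercase, value)] for every 'Name: value' line in block."""
    pairs = []
    for line in unfold(block.splitlines()):
        m = re.match(r"([A-Za-z0-9-]+):\s*(.*)", line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def split_ndr(text):
    """Split the dump into the NDR's own headers and the embedded original's."""
    outer, _, inner = text.partition("Content-Type: message/rfc822")
    return parse_headers(outer), parse_headers(inner)


def values(headers, name):
    return [v for n, v in headers if n == name]


def is_ndr(outer):
    ctype = " ".join(values(outer, "content-type")).lower()
    sender = parseaddr(" ".join(values(outer, "from")))[1].lower()
    return "report-type=delivery-status" in ctype or sender.startswith("postmaster@")


def inner_indicators(outer, inner):
    """Signs that the 'original' message was forged spam rather than real mail."""
    hits = []
    received = " ".join(values(inner, "received"))
    if re.search(r"envelope-sender\s*<\s*>", received):
        hits.append("original had a null envelope sender: bouncing it makes an NDR for an NDR")
    if "rdns failed" in received.lower():
        hits.append("original came from a host with no reverse DNS")
    helo = re.search(r"HELO\s+(\S+)", received)
    if helo and any(ord(c) > 127 for c in helo.group(1)):
        hits.append("HELO name is not ASCII: forged Received chain")
    if not parseaddr(" ".join(values(inner, "from")))[1]:
        hits.append("original From: has no address, so the only place left to bounce is postmaster")
    try:
        sent = parsedate_to_datetime(values(inner, "date")[0])
        arrived = parsedate_to_datetime(values(outer, "date")[0])
        if (sent - arrived).days > 365:
            hits.append("original Date: is more than a year in the future")
    except (IndexError, TypeError, ValueError):
        pass
    return hits


def analyse(text):
    outer, inner = split_ndr(text)
    return {"is_ndr": is_ndr(outer), "indicators": inner_indicators(outer, inner)}


def is_backscatter(text, threshold=2):
    """An NDR whose embedded original shows at least `threshold` forgery signs."""
    report = analyse(text)
    return report["is_ndr"] and len(report["indicators"]) >= threshold


if __name__ == "__main__":
    for label, sample in (("attack", ATTACK_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_backscatter(sample), analyse(sample)["indicators"])
```

Run it against a dump copied out of Outlook's message options; a legitimate bounce trips at most one indicator, while the pasted header above trips all five.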

    Author Comment

    Sembee: followed your suggestion and to no avail, they keep coming and coming and coming... thank you for your time.
    LVL 104

    Expert Comment

    It is definitely an NDR attack and it can take many attempts to clear the queue.

    The spammer will have sent many thousands of messages in one hit - a classic drop and run. Exchange cannot cope with showing the queue containing those messages. You have to simply repeat the process over and over.

    As you are running Exchange 2003 on Windows 2003, do the filter recipient and tarpit. That will stop the problem in the future.

    LVL 9

    Expert Comment


    I must say that you could use some help with a small utility called MFCMAPI.

    This is a tool that can be used to get into the SMTP mailbox inside the information store.

    The motive behind this would be to try and empty all data within the SMTP system mailbox in the mailbox store. The NDR attack is basically a message that has a false reply to address which ends up generating an NDR for an NDR.

    We should be able to stop the SMTP service, delete the messages from the information store using MFCMAPI, and also rename the folder c:\program files\exchsrvr\mailroot\"VSI1"; renaming would help us with relaying any email waiting on the disk to be taken by the information store for processing.

    Please find the steps to use MFCMAPI.

    Download MFCMAPI from

    Download and extract the files in a location on your exchange server.
    Run the file MFCMAPI.exe.
    Click on session and select logon and display store tables.
    When asked for profile, select the administrator profile.
    You should see the mailbox and public folder listed.
    Click on MDB and then get mailbox table.
    You should see the list of mailboxes in the Mailbox store.
    Scroll and double click SMTP.
    You would find Temp Tables listed in the left pane of the open window.
    This is the space where the outbound internet messages are stored in the mailbox store.
    You may wish to examine contents in the subfolders that exist under the main TEMP TABLES.
    You should find a lot of the popular spam messages.
    If you wish to clear all the content under temp tables, right click and select delete.
    On prompt select hard delete and restart the SMTP service.
    This would rebuild the temp tables automatically.

    This process should give you a lot of relief from the messages stuck in the information store (mailbox).

    Once this is done you could enable Sender, recipient and connection filtering if required to fight spam.
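Sembee's answer above recommends recipient filtering plus tarpitting, and the MFCMAPI post explains that the attack works by making the server bounce mail whose reply address is false. The following Python model, added here and not drawn from the thread or from Exchange itself, shows the two behaviours side by side: accepting every RCPT TO and bouncing afterwards turns a drop-and-run of forged messages into one NDR per message, while rejecting unknown recipients inside the SMTP session (with a tarpit delay before each rejection) originates no NDRs at all; and a message whose MAIL FROM is empty is never bounced, which is what prevents an NDR for an NDR. The class and parameter names are hypothetical stand-ins for the ESM settings; the tarpit delay is counted, not slept.

```python
"""Model: accept-then-bounce versus reject-at-RCPT-TO under an NDR attack.

Added example, not code from the thread or from Exchange. InboundPolicy and
its fields are hypothetical stand-ins for the ESM recipient-filtering and
tarpit settings; the tarpit delay is counted, not actually slept.
"""
from dataclasses import dataclass, field


@dataclass
class InboundPolicy:
    local_recipients: set             # addresses that really exist in the directory
    recipient_filtering: bool = True  # reject unknown recipients during the SMTP session
    tarpit_seconds: int = 5           # delay applied before each 5xx reply


@dataclass
class Outcome:
    accepted: list = field(default_factory=list)      # recipients taken into the store
    rejected: list = field(default_factory=list)      # (recipient, reply) refused in-session
    ndrs_to_send: list = field(default_factory=list)  # (reverse_path, recipient) bounces originated
    delay_seconds: int = 0                            # total tarpit time imposed on the sender


def handle_message(policy, mail_from, rcpt_tos):
    """One inbound SMTP transaction: MAIL FROM:<mail_from>, then each RCPT TO."""
    out = Outcome()
    for rcpt in rcpt_tos:
        known = rcpt.lower() in policy.local_recipients
        if policy.recipient_filtering and not known:
            # The sender learns in-session that the address is bad; nothing is
            # stored, so there is nothing to bounce later. The tarpit slows
            # each attempt without costing the server anything.
            out.rejected.append((rcpt, "550 5.1.1 User unknown"))
            out.delay_seconds += policy.tarpit_seconds
        else:
            out.accepted.append(rcpt)
    # Without recipient filtering the store accepted unknown addresses and now
    # has to bounce them to whatever reverse-path the sender claimed.
    for rcpt in out.accepted:
        if rcpt.lower() in policy.local_recipients:
            continue
        if mail_from == "":
            # RFC 5321 section 4.5.5: never send a delivery notification for a
            # message with a null reverse-path. Doing so is the NDR-for-an-NDR
            # loop that ends up in the local postmaster mailbox.
            continue
        out.ndrs_to_send.append((mail_from, rcpt))
    return out


def simulate_drop_and_run(policy, forged_sender, count):
    """count single-recipient messages to guessed local addresses, all forging forged_sender."""
    total = Outcome()
    for i in range(count):
        r = handle_message(policy, forged_sender, [f"guess{i}@example.org"])
        total.accepted += r.accepted
        total.rejected += r.rejected
        total.ndrs_to_send += r.ndrs_to_send
        total.delay_seconds += r.delay_seconds
    return total


if __name__ == "__main__":
    users = {"alice@example.org", "bob@example.org"}
    for filtering in (False, True):
        policy = InboundPolicy(users, recipient_filtering=filtering)
        r = simulate_drop_and_run(policy, "victim@elsewhere.example", 1000)
        print(f"filtering={filtering}: stored={len(r.accepted)} rejected={len(r.rejected)} "
              f"NDRs originated={len(r.ndrs_to_send)} tarpit={r.delay_seconds}s")
```

With filtering off, every forged message becomes an NDR aimed at the forged sender, which is exactly the outbound flood the ISP complained about; with filtering on, the same run produces zero NDRs and the sender pays the tarpit delay on every attempt.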

