Exchange server flooding with undeliverable to local postmaster

Posted on 2006-06-03
Medium Priority
Last Modified: 2010-08-05
Our Exchange server is sending rogue emails (about 1 a sec). If I open the Outlook client, it is filling up with generated emails all marked undeliverable, all forwarded to local postmaster as undeliverable. Our ISP has notified us that we are flooding the internet with these rogue messages. How do I determine where in the network they are coming from? Unmounting the store stops the messages, but when I mount it again the mailbox store logs on multiple accounts identified as SMTP(server- {id}) win2k account NT AUTHORITY\SYSTEM. HELP

Further, I did a network packet scan and the emails do not seem to originate from outside the Exchange box.
Question by:Alfred_E_Newman

Accepted Solution

Sembee earned 2000 total points
ID: 16824802
Would help if you stated which version of Exchange it was.

It sounds like an NDR attack.

Go to my web site, look at the spam cleanup article: http://www.amset.info/exchange/spam-cleanup.asp

The reason you aren't seeing the messages coming in is because they are already on the Exchange server. ESM is notorious for not showing the true state of the queues.


Author Comment

ID: 16825027
Exchange is 03 running on an 03 DC. I disable the firewall, therefore not allowing any traffic in, and the emails keep coming. This would indicate that they are being generated internally. The email header is as follows:

Microsoft Mail Internet Headers Version 2.0
From: postmaster@******.org
To: pcrfysk@msa.hinet.net
Date: Sat, 3 Jun 2006 15:14:51 -0600
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
X-DSNContext: 7ce717b1 - 1391 - 00000002 - C00402D1
Message-ID: <MjkatwD4300002a63@server.******.org>
Subject: Delivery Status Notification (Failure)

Content-Type: text/plain; charset=unicode-1-1-utf-7

Content-Type: message/delivery-status

Content-Type: message/rfc822

Received: from ([] RDNS failed) by server.*****.org with Microsoft SMTPSVC(6.0.3790.1830);
       Thu, 1 Jun 2006 14:06:20 -0600
Received: from by; Thu, 01 Jun 2006 20:56:30 +0100
Received: (qmail 26624 invoked from network); Thu, 01 Jun 2006 15:57:30 -0400 -0000
Received: from unknown (HELO J±Z¬ü´f.com.tw) ([]) (envelope-sender <pcrfysk@msa.hinet.net>)
          by 0 (qmail-ldap-1.03) with SMTP
          for <wason@wason.com.tw>; Thu, 01 Jun 2006 14:02:30 -0600 -0000
Received: (qmail 4706 invoked from network); Thu, 01 Jun 2006 21:01:30 +0100 -0000
Received: from unknown (HELO ms1.url.com.tw) ([]) (envelope-sender <ª©¼Ò¤ý°êD@yahoo.com>)
          by 9Wason.com.tw (qmail-ldap-1.03) with SMTP
          for <wason@wason.com.tw>; Thu, 01 Jun 2006 21:00:30 +0100 +0800
From: "ª©¼Ò¤ý°ê" <pcrfysk@msa.hinet.net>
Reply-To: "ª©¼Ò¤ý°ê" <pcrfysk@msa.hinet.net>
To: wason@wason.com.tw
Subject: 2006³Ì·sÁú°êª©¼Ò¥þ·s¤W¥«!µ´¬üºô­¶¨t¦C~
Date: Tue, 19 Jan 2038 11:14:07 +0800
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 1
X-MSMail-Priority: High
X-EM-Registration: #01305001105800006300
Return-Path: pcrfysk@msa.hinet.net
X-OriginalArrivalTime: 01 Jun 2006 20:06:21.0640 (UTC) FILETIME=[DA1B4480:01C685B6]

Also: no users are logged onto the server. The first storage group has at least 15 logons for SMTP (Server - all same SID).

Thank you for your time.

Author Comment

ID: 16825086
Sembee: followed your suggestion, to no avail; they keep coming and coming and coming. Thank you for your time.

Expert Comment

ID: 16825354
It is definitely an NDR attack and it can take many attempts to clear the queue.

The spammer will have sent many thousands of messages in one hit - a classic drop and run. Exchange cannot cope with showing the queue containing those messages. You have to simply repeat the process over and over.

As you are running Exchange 2003 on Windows 2003, do the filter recipient and tarpit. That will stop the problem in the future.


Expert Comment

ID: 16828694

I must say that you could use some help with a small utility called MFCMAPI.

This is a tool that can be used to get into the SMTP mailbox inside the information store.

The motive behind this would be to try and empty all data within the SMTP system mailbox in the mailbox store. The NDR attack is basically a message that has a false reply to address which ends up generating an NDR for an NDR.

We should be able to stop the SMTP service, delete the messages from the information store using MFCMAPI, and also rename the folder c:\program files\exchsrvr\mailroot\"VSI1"; renaming would help us relaying any email waiting on the disk to be taken by the information store for processing.

Please find steps to use MFCMAPI.

Download MFCMAPI from http://support.microsoft.com/kb/291794/en-us

Download and extract the files in a location on your Exchange server.
Run the file MFCMAPI.exe.
Click on session and select logon and display store tables.
When asked for profile, select the administrator profile.
You should see the mailbox and public folder listed.
Click on MDB and then get mailbox table.
You should see the list of mailboxes in the Mailbox store.
Scroll and double click SMTP.
You would find Temp Tables listed in the left pane of the open window.
This is the space where the outbound internet messages are stored in the mailbox store.
You may wish to examine contents in the subfolders that exist under the main TEMP TABLES.
You should find a lot of the popular spam messages.
If you wish to clear all the content under temp tables, right click and select delete.
On prompt select hard delete and restart the SMTP service.
This would rebuild the temp tables automatically.

This process should give you a lot of relief from the messages stuck in the information store (mailbox).

Once this is done you could enable Sender, recipient and connection filtering if required to fight spam.
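
The NDR pattern described in the comments above, as an added triage example that is not part of the original thread: it parses one queued delivery status notification and reports where the bounce is going, which failed recipient triggered it, and the hop from which the server accepted the original message. The sample message, `LOCAL_DOMAINS`, and all addresses are constructed placeholders; the "backscatter" rule (bounce to an outside address for a local recipient that failed with a 5.1.x status) is an assumption about what to flag.

```python
import email
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.org"}  # assumption: domains this server is authoritative for
# Constructed sample NDR, shaped like the DSN posted in the thread (placeholder names).
SAMPLE_NDR = """\
From: postmaster@example.org
To: forged-sender@victim.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns;server.example.org

Final-Recipient: rfc822;no-such-user@example.org
Status: 5.1.1
--b1
Content-Type: message/rfc822

Received: from unknown.example ([192.0.2.10]) by server.example.org; Thu, 1 Jun 2006 14:06:20 -0600
From: forged-sender@victim.example
To: someone@elsewhere.example

body
--b1--
"""

def domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return None  # not a delivery status notification
    info = {"ndr_to": parseaddr(msg["To"])[1], "failed_rcpt": "", "status": ""}
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():  # one header block per recipient
                if block["Final-Recipient"]:
                    info["failed_rcpt"] = block["Final-Recipient"].split(";")[-1].strip()
                    info["status"] = block["Status"] or ""
        elif part.get_content_type() == "message/rfc822":  # the original message
            info["accepted_from"] = (part.get_payload(0)["Received"] or "").split(" by ")[0]
    # Backscatter: bounce leaves for an outside address because a local recipient did not exist
    info["backscatter"] = (domain(info["ndr_to"]) not in LOCAL_DOMAINS
                           and domain(info["failed_rcpt"]) in LOCAL_DOMAINS
                           and info["status"].startswith("5.1."))
    return info
```

A queue dominated by messages where `backscatter` is true and `accepted_from` names outside hosts matches the drop-and-run pattern described above, rather than mail generated by an internal client.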



Question has a verified solution.
