
Exchange 2003 server sending large quantities of junkmail but is not an open relay

DaveW2000 asked
Last Modified: 2008-01-09
I have just installed Windows 2003 Small Business Server R2 with service pack 2 and set up Exchange Server 2003 with Service Pack 2.

The domain is a private name and I have set up SMTP on the Exchange server.
It sends SMTP mail direct to the Internet using the SmallBusiness SMTP connector.
It receives mail from a public IP that is NAT translated behind a firewall.
It all works fine and I have tested it externally to check that it does not allow relaying (over a dozen different tests) and it is okay.
I have turned off Non Delivery Reports and only recipients in the domain can receive mail.

My problem is that the server is sending out very large quantities of junkmail to other people and I can't seem to see where it is coming from or how to stop it.
There are currently over 1500 queues at the moment and 99% of them are junk.

The other day it was so bad that the exchange server stopped receiving mail because the queue had reached nearly 100,000 messages.

Anybody got any ideas? I don't think it has been hacked; is it a virus or what?

Dave Stringfellow, IT manager

Have you checked this with all the workstations off? It may be on a client's PC rather than yours, and those clients can relay as they are local to the server. Clear the queues with all the PCs off, and then monitor the queues; if they don't grow then you need to check all your PCs.

Have you scanned the desktop clients for malware and viruses with something more effective than Norton's or Trend Micro?

I experienced a similar problem; it turned out to be malware and trojans on a laptop running Trend Micro (Dell trialware). AVG picked out the culprits and the spam problem was solved.
I agree with v2Media: it is very likely to be client workstations/laptops that are infected and sending out spam. Run the latest AV on ALL workstations.


Hi Sembee,
I am now cleaning the clients anyway as a precaution.

How do I check for an Authenticated User?


Hi Sembee,

Came across your article earlier; I had done some of it already.
Went through it again carefully, now waiting to see if it has done the trick.

Finished scanning all client machines very thoroughly for viruses and spyware etc, nothing found at all except the odd cookie, even on the server.

If it is an authenticated user attack there is only one account ever attacked - the administrator account. Therefore, if you haven't already, you need to change the administrator account password and then lock down authenticated relaying so that the administrator account cannot be used. If you don't need authenticated relaying then turn it off.


If your question has been answered, pleased remember to accept the answer and close the question.


Hi sembee,

Could not see any 1708s in the log for authenticated relaying; however, I did remove the server itself from being able to do authenticated relaying by removing 127.0.0.1 and the server's own private address, and I also changed the Administrator's password. I also changed the public IP address of the mail server.

The activity appears to have stopped, but I can't really say what I think has stopped it.
My feeling is that either removing the authenticated relaying ability from the server and/or allowing mail in to Active Directory users only is the most likely reason it has stopped; comments from you would be appreciated before I award you all the points (your site is excellent and you deserve the MVP).

You don't need in the relay list, nor your own subnet, for Exchange to work correctly. Depending on your firewall, having the subnet listed can turn the machine into an open relay, as it sees the firewall traffic as internal.

You need to watch the queues for further messages building; that will show whether the server is still being abused or not.


If your question has been answered, please remember to accept the answer and close the question.


Sorry for the delay in awarding points.
No further successful attacks have happened, although looking in the event log (as I am still monitoring Exchange) it's not for want of trying: the server is constantly attacked every day, but unsuccessfully.
I would recommend everybody read Sembee's article listed above and lock down their exchange server.
