BadMail and Queue, how to stop virus/attack?

Posted on 2007-11-27
Last Modified: 2013-11-22
Our email is hosted on a Win2K server/Win2k Exchange Server.  About 5 days ago the store.exe and inetpub.exe began to use up so much memory that no one was allowed to receive email.  Our server's hard drive space then filled up.  I cleaned up some old data and rebooted the server but then it happened again.

I now see that in the Badmail folder there are so many emails that I can't open it.  Also, in the Queue new spam(?) emails keep appearing from the Navy Credit Union with no receipient (I imagine it gets moved to Badmail).  Is there a virus on this server (doesn't come back with one after being searched by Symantec)?  Is there someone inside the organization that has to have a virus that is causing this?  Can it be someone from the outside?  Our firewall currently allows all SMTP traffic (just got a new firewall a couple of months ago, I've been slow to add our old SMTP rules due to how strange it is with NAT).  Do I just need to update the firewall to accept from only our spam filtering company?

I'm guessing that will help.  Additional question to help Queue showing emails that are coming into the domain or that are leaving?  It seems like coming into, but I just need some clarification.  Thanks.
Question by:youthworks
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3

Author Comment

ID: 20374517
We are okay right now, but the issue is still there.
The Queue will receive an email(s) that seems to have an SMTP engine of some sorts.  Once that email is in there, other emails are created, maybe an average of 10/sec.  But I can delete a lot of them, and if I stop the SMTP service I can delete them all.  It's good for awhile but then it starts up again.

The memory issue isn't happening as bad, it's really not a big deal.  The big deal is now stopping these emails.


Author Comment

ID: 20374526
also, how do I delete/rename and delete what's in the Badmail folder?
LVL 104

Expert Comment

ID: 20436627
You can delete the entire badmail folder using SHIFT-DEL. Exchange will recreate it when required.
Unfortunately Exchange 2000 doesn't have much spam protection built in, and I don't think the Symantec product will block the basic - email messages to unknown recipients. To do that you will need to use a third party product that can LDAP lookups. The one I usually suggest is Vamsoft ORF

Microsoft have a tool for dealing with Badmail as well, which you can download from here:

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Author Comment

ID: 20450144
okay, so I figured out we were getting a "spam attack," from someone in our domain or not I'm not sure.

I changed our open relay settings from allow all authenticated users to just specific internal IPs and the spamming quit going to the Queue and started going straight to Badmail, which is now just receiving a ton of spam.  Is there a way to stop this from happening or to put a size limit on the Badmail folder?  Please remember we are using Win2k server with Exchang2K.

LVL 104

Expert Comment

ID: 20450190
You have to use the link I have posted above to remove the messages from badmail. Remember badmail is just a copy of the NDRs, and goes down as one of those "nice ideas" Microsoft had with Exchange 2000 (Alongside the M drive). You will need to use a third party tool of some description to protect Exchange 2000, it has no protection of its own.


Author Comment

ID: 20450316
great, thanks.

Any idea how to find what is spamming us?  any tools you can recommend?
LVL 104

Accepted Solution

Sembee earned 500 total points
ID: 20450990
Spammers are very good at hiding themselves, so you will not find any tools as such to find it, only applications to block the email messages they are trying to send to your users or through your server. Blocking messages going through your server is quite easy to do, blocking messages being sent to your users is more difficult.

The tool I use as a primary defence I have already given to you above - Vamsoft ORF. That can do recipient filtering and greylisting which I find will deal with most spam.


Author Closing Comment

ID: 31411301
thanks for your help

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Exchange - trouble forwarding mail to Distro Group 4 28
Exchange 2016 2 36
ADFS:  Step by Step to enable MFA with ADFS 16 37
nemesis decryptor - 7 45
Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question