Link to home
Start Free TrialLog in
Avatar of cicsupport

asked on


I have thousands of email in QUEUE. I always delete them but they come back to appear. Almost all the email are comming from something like a virus or some spam, but the symantec is worknig fine.

What is going on in my server?
Please, look at the image to try find somethink known.
Avatar of smarche
Flag of Italy image

The connectors seems to be disconnected...
Try to right click on them and force connection.. maybe this will help you...
the second step is to restart the service.. maybe it isn't working correctly.
Hope it helps.
Avatar of cicsupport


It didn't work.

No, they are not connected because my server didn't found any server. Somethink is creating random's email address and my server is looking for them. I need to know how to fix it. All of them are finshing with RU, EXAMPLE xx@xx.x.RU  oernofn@orgoir.RU

Avatar of Kutyi
check out and run the diagnostics and see if you are an open relay.  If so you will need to set your exchange server from being an open relay.  See link:
check that you are not an open realay

put your domain into the search

if you are open close if your not you need to clean up the ques
You might be an open relay or a virus on a client hit you.  Stop your SMTP service.  Clear each message queue without sending NDR.  Leave one queue, open the message to see who originated it and if internal - go visit that workstation.  If the originator was external, close down your open relay.
Avatar of Paka

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Check whether you are under an NDR Attack

If you are under an NDR attack, then you will find lots of messages in the queues of the server. These messages have special characteristics which make them easy to spot.

   1. Start Exchange System Manager.
   2. Go to Servers, <your server>, Queues in Exchange 2003, or down to Protocols, SMTP in Exchange 2000.
   3. Select a queue that contains many messages, click Find messages, and then click Find Now.
   4. In the Sender field of the messages will be an address. If it is postmaster@ your domain then the message is an NDR. You can view the recipient of the NDR by double clicking on the message.

Note: If you are using an SMTP Connector to route email through your ISP using a smart host, then you cannot detect this type of attack. The messages are sent straight out to the ISP by your server. If your ISP has alerted you that there may be a problem, you will need to use message tracking and the SMTP log to detect the cause of the attack.

If you are on Exchange 2003 with Windows 2003 then you can stop an NDR attack by using recipient filtering and the tar pit option in Windows 2003. You will still need to clean the queues using the techniques outlined, but it will stop further traffic.

If you are on Exchange 2003 on Windows 2000 then you should NOT enable recipient filtering as this exposes your server to a directory harvest attack.
Exchange 2000 users do not have any kind of recipient filtering options available to them.
Therefore you should look at a third party tool that can do the filtering for you, often referred to as an LDAP lookup. Vamsoft ORF has Active Directory filtering and has a 30 day trial version.  
Cleaning up the Server

Once you have found out the cause of the problem and dealt with it, then you need to clean up the server.

You should probably consider blocking inbound email on port 25 during this process so that you can be sure that it is old email that is being cleared and not fresh. Also note that it can take a few passes of the process before the queues are clear. Exchange System Manager is notorious for being unable to show the true extent of the queues when it has been abused in this way, so messages can continue to appear for some time.
You will not lose any genuine inbound email during this time as most email servers will try to send email for 48 hours before timing out.

Cleaning Up the Exchange Server's SMTP Queues

Warning: This process will delete all email that is due to go to external recipients. Internal messages are not affected, neither are new inbound messages from the Internet.

Capturing the Messages Into a Single Queue

This process requires an SMTP connector for all addresses. If you don't already have one (with a * on the namespace tab) then you need to create one using the instructions below.
If you already have an SMTP Connector with a * on the namespace tab, then you can use it for this process. You will need to adjust the settings as appropriate. You may wish to just make a note of the settings, delete the connector and create a new one for this process. When complete recreate your live connector.

   1. In ESM, Connectors.
   2. Right click on connectors and choose New, SMTP Connector.
   3. On the "General Tab" type a name for the connector. "Spam Cleanup" or similar.
   4. Click the "Add" button under "Local Bridgeheads" and choose your Exchange server.
   5. Click on the "Address Space" tab.
   6. Click "Add" and choose SMTP. Leave each setting (* and cost of 1) and press ok.
      If all the spam is to one domain, then you could remove the * and enter the domain that the messages are being sent to. This should leave legitimate messages in the queue.
   7. Click on the General tab again. Change the option in the centre from DNS to "Forward all mail through this connector to the following smart hosts".
   8. Enter an invalid IP address in square brackets:  [].
   9. Click on the "Delivery Options" tab and ensure that "Specify when messages are sent through this connector" is selected.
  10. Change the option to 11pm. (If it is close to 11pm when you are doing this, use a much earlier time - 6am or similar. The time doesn't matter as long as it is not close).
  11. Press Apply/OK to close the SMTP Connector dialogue.
  12. Restart SMTP Virtual Server.
         1. Expand Servers, <your server>, Protocols, SMTP.
         2. Right click on the "Default SMTP Virtual Server"
         3. Choose "Stop". This may take a few minutes.
         4. Once it has stopped, right click again and choose "Start".

The Exchange SMTP virtual server is now processing all the messages and placing them in to a single queue for your SMTP connector. This can take some time. You may want to wait until the number of messages in the queue stays constant before attempting the next stage.

Exchange 2000: The queues can be found in Servers, <your server>, Protocols, SMTP.

Exchange 2003: The queues can be found in Servers, <your server>, Queues.

To locate the required queue, look for a small red clock on the yellow icon. This indicates that it is on a timed delivery.

Deleting the Messages

Now that the messages are in one queue, it is quite easy to delete them

Exchange 2003

   1. Right click on this connector and choose "Find Messages".
   2. In the drop down box select the number of messages to be listed in the search.
   3. Click "Find Now".
   4. Once the search is complete, select all of the messages (use the shift-page down key combination)
   5. Then click "Delete all Messages (No NDR).

Once the messages have been deleted, which could take some time, refresh the queues to ensure that they don't continue to build. If they do then Exchange is still processing the messages. You will need to repeat the procedure to delete more messages until the queues are completely clear and stay at zero.

Once you have flushed out the messages, undo the changes that you have made.

If it was a new SMTP connector, delete it.
If you adjusted an existing connector, put the settings back how they were. Don't forget the time on the "Delivery Options" tab. it should be "Always Run".

Finally restart SMTP virtual server to get Exchange to start using the new settings.
thank you very much !!!!!  PAKA.. My exchange is running fine.

And off course, thank everybody. i appreciate that.

That stop all the email in wueues
The accepted solution solves the issue of mail filling up the queue.  However, now all my users are receiving the NDR's from that would normal just sit in the queue.  If I filter the sender we would not receive valid NDR's is there a way to stop these spam NDR's from being delivered to the spoofed sender?