Asked by 73r3grine

Exchange 2003: SMTP Queue flooded

Hello all;

I know the more info the better, so excuse me if this is long.
I did a search and read over 30 threads about what appear to be this same issue. None of that seems to help in my case.
Over the weekend, my Exchange 2003 sp3 server got flooded with mail. Been working on it ever since. The SMTP queue currently has almost 6000 queues. Many to a .tw domain. This drops at night and rises back up during the day. We are able to send mail out and receive mail but it is slow.
So far I have:
-Scanned every PC on the network for spyware
-Created a recipient filter
-Verified I am not an open relay. Cleared "allow all computers to auth" check box.
-Enabled a tar pit
-Tried to flush my queue via MS directions of creating an SMTP connector. I gave up on this when the connector continued to grow to 30,000 messages. I assumed at that point that the problem was not fixed and stopped it.
-Enabled max logging to look for a 1708 auth message. Never got one.
-Scanned server with Malwarebytes
-Scanned server with Trend Micro AV
-Ran Windows Update and installed everything. .Net 3.5 update failed, try that again tonight
-Turned off NDRs (temporarily)

I am SURE I am forgetting something. Especially after spending 24 hours here through Sunday night. I have been all over Simon's site and this and MS.

Any help appreciated.

Last comment: 8/22/2022 (Mon)

I am sure you are hit by spam.
Are the emails stuck in the queue Postmaster emails or emails to domains which do not exist?
You need to enable the spam filtering on the Exchange server to get this resolved...

Check this article, man. It has a very good checklist.
See if there are any loopholes in your network.

A LOT of the emails are "postmaster@mydomain.com" but there are also many with very odd characters.
&$*#*%#&^^# (joblow@wierdname.com.tw). Are you suggesting I enable the Microsoft IMF filtering? I have seen many references to that but haven't tried it.

I already have that article printed out and sitting on my desk. Already done 1-4. We are not blacklisted very much if at all. Found no 1708s in my logs (which would indicate a compromised account). The NDRs we are getting are 5.4.0 not 5.7.1 so I turned off "Allow all computers which successfully auth to relay". 5.4.0s may be left over from when I created a temp SMTP connector.

I am actually starting to wonder if I have, indeed, fixed the issue. The queue seems to stabilize at around 6000. If I was still "under attack" would it continue to fill until the server crashed?

Is it possible the problem IS fixed, and I just need to clear the queues (which will probably take HOURS)? I did try the AQADMCLI.EXE tool but it errored after deleting only a couple hundred emails.


Yes, enable IMF, sender, connection and recipient filtering.
Aqadmcli can be a bit difficult tool to work with at times.
Try running it again and again.

I don't think it is fixed. Deleted a few queues. Went from 6227-6226-6225 > refresh > 6334

Trying that now Xsam. Some of it I have done. Then I will try IMF if that doesn't seem to help.


Yes, try those and also update the IMF.

YES.. just do what I said and your issue is fixed.


Also check if you are able to do a telnet from a client workstation to an external IP.
Try this:
telnet maila.microsoft.com 25
You should not get a response. The connection should fail.

Is renaming \Mailroot going to purge the queue? Everything is delayed by about 2 hours so if this will delete the queue I want to make sure I wait long enough so that any legit email is delivered.


It will fail only if the IP is blacklisted! We are not concerned about that at this point of time!
First clear out the spam and get the mail flow working ;-)


telnet to mailia.microsoft.com 25 replied with a 220 mail01.microsoft.com /service ready


Did you complete doing my action plan? What's the status?

Thanks Sam. Coming back in a few hours to try and will let you know.
Much appreciated.

No problem Buddy

All the SMTP Connector did was allow the messages that are in the queues to gather in one place. If you haven't cut the server off from the internet then you need to do that.
postmaster@ is NDR spam and is stopped by the recipient filter. However if the messages are already on the server then you need to clean the queues.

Close port 25 on the firewall so that the server cannot be seen from the internet, then work on clearing the queues. Once you have done that you can restart the SMTP Server service and look at securing the server.
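Before purging, it helps to know how much of the queue is NDR backscatter (postmaster@ bounces to addresses that never sent anything) and how much may be legitimate outbound mail that the thread's asker wants delivered first. The script below is an added example, not from this thread, Experts Exchange or Microsoft: it reads a copy of the queued .eml files (the Queue folder under \Mailroot, copied elsewhere while port 25 is closed), classifies each message from its Return-Path/From header, and tallies recipient domains so a .tw-style flood stands out. LOCAL_DOMAINS is a placeholder you must set to your own accepted domains, the NTFS_*.EML sample messages are constructed for offline use, and the three verdict labels are this example's own heuristic, not an Exchange concept.

```python
"""Triage a snapshot of queued .eml files: separate NDR backscatter from
mail that may be legitimate before clearing an SMTP queue.
Added example for this thread; assumptions are marked in comments."""
import os
import sys
from collections import Counter
from email import message_from_bytes
from email.utils import getaddresses, parseaddr

# ASSUMPTION: replace with the domains this Exchange server accepts mail for.
LOCAL_DOMAINS = {"mydomain.com"}
# Reverse-path local parts that mark a bounce/NDR rather than user mail.
BOUNCE_LOCALPARTS = {"postmaster", "mailer-daemon"}

# Constructed sample queue files (not real captures) so the script runs offline.
SAMPLE_QUEUE = {
    "NTFS_1.EML": (b"From: postmaster@mydomain.com\r\n"
                   b"To: joblow@example.com.tw\r\n"
                   b"Subject: Undeliverable: hello\r\n\r\nNDR body\r\n"),
    "NTFS_2.EML": (b"Return-Path: <>\r\n"
                   b"From: Mail Delivery System <MAILER-DAEMON@mydomain.com>\r\n"
                   b"To: nobody@example.org\r\n"
                   b"Subject: Delivery Status Notification (Failure)\r\n\r\nDSN body\r\n"),
    "NTFS_3.EML": (b"Return-Path: <alice@mydomain.com>\r\n"
                   b"From: Alice <alice@mydomain.com>\r\n"
                   b"To: bob@partner.example\r\n"
                   b"Subject: Q3 invoice\r\n\r\nHi Bob, invoice attached.\r\n"),
    "NTFS_4.EML": (b"Return-Path: <promo@example.net>\r\n"
                   b"From: promo@example.net\r\n"
                   b"To: victim@example.com.tw\r\n"
                   b"Subject: cheap watches\r\n\r\nBuy now.\r\n"),
}


def sender_of(msg):
    """Envelope sender if recorded (Return-Path), else From; '' for the null sender <>."""
    header = msg.get("Return-Path")
    if header is None:
        header = msg.get("From", "")
    return parseaddr(header)[1].strip("<>").lower()


def recipients_of(msg):
    """All To/Cc addresses, lowercased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def domain_of(addr):
    return addr.rpartition("@")[2]


def classify(msg):
    """Heuristic verdict (this example's own labels):
    backscatter     - null or postmaster/mailer-daemon sender: an NDR, safe to discard
    local-origin    - sent from one of our domains: may be legitimate, review before purging
    external-origin - neither a bounce nor ours: should not sit in a non-relay's outbound queue
    """
    sender = sender_of(msg)
    if sender == "" or sender.split("@")[0] in BOUNCE_LOCALPARTS:
        return "backscatter"
    if domain_of(sender) in LOCAL_DOMAINS:
        return "local-origin"
    return "external-origin"


def triage_queue(messages):
    """Classify every message (mapping filename -> raw bytes) and tally recipient domains."""
    verdicts = {}
    recipient_domains = Counter()
    for name, raw in messages.items():
        msg = message_from_bytes(raw)
        verdicts[name] = classify(msg)
        for rcpt in recipients_of(msg):
            recipient_domains[domain_of(rcpt)] += 1
    return {"verdicts": verdicts,
            "by_verdict": Counter(verdicts.values()),
            "recipient_domains": recipient_domains}


def load_queue_dir(path):
    """Read every .eml file from a copied queue folder into memory."""
    out = {}
    for name in os.listdir(path):
        if name.lower().endswith(".eml"):
            with open(os.path.join(path, name), "rb") as fh:
                out[name] = fh.read()
    return out


if __name__ == "__main__":
    queue = load_queue_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_QUEUE
    report = triage_queue(queue)
    for verdict, count in report["by_verdict"].most_common():
        print(f"{verdict:16s} {count}")
    print("top recipient domains:", report["recipient_domains"].most_common(5))
    for name, verdict in sorted(report["verdicts"].items()):
        if verdict != "backscatter":
            print(f"review before purging: {name} ({verdict})")
```

Run it against a copied queue folder (`python triage_queue.py C:\copy\of\Queue`) with the SMTP service stopped, then purge only what is tallied as backscatter; a large "external-origin" count, where neither sender nor recipient is local, is the signature to look for if you still suspect relaying or a compromised account rather than pure NDR spam.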


Yeah. We can search for legit emails later using Windows Explorer.

Thanks so much! This worked perfectly and I looked like a hero!