Solved

Clear the Queues in Exchange

Posted on 2009-05-01
Last Modified: 2012-05-06
I noticed our Exchange 2003 server queue has over 2000 names built up.  I think we had a spam attack and possibly someone spoofing.  We got identified by Barracuda as a spammer.  I found the email address causing the problem and put a block on the address in Exchange.  I'd like to clear out our queue to see if that took care of the problem.  How do I clear the queue out?

Thanks.
0
Question by:AllanHale
6 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24281418

Simon has a very comprehensive article at http://www.amset.info/exchange/spam-cleanup.asp regarding cleaning up after a spam attack. The clever part is using an SMTP connector to group messages into one location prior to deleting the queued email.

Let me know if you have any further questions,

-Matt
0
 

Author Comment

by:AllanHale
ID: 24306119
Hi,
I followed that link and did the steps in there.  It cleared up the problem for a couple of days.  Now it's happening again.  I have 2975 Names in the Queue.  If I double click on one of the domain names I see Sender as HERINQUEZ <soussoj@gmail.com>

It seems to be happening again but this time with a different sender.  I double-checked the previous link to make sure I did everything, and I believe I have.

Allan
0
 

Author Comment

by:AllanHale
ID: 24306358
I'm now wondering if I have a virus somewhere in my network.  If I look at one of the HERINQUEZ emails I see the sender is always soussoj@gmail.com.  The recipients are email addresses not associated with our domain.

We use Sophos Pure Message and Enterprise Console.
0

 
LVL 58

Accepted Solution

by:
tigermatt earned 2000 total points
ID: 24318377
Viruses contain their own SMTP engines and do not attempt to locate SMTP servers on the network which they can relay using. This is what makes spam-type viruses more effective.

As a precautionary measure, block outbound port 25 in your firewall for all devices except the Exchange Server. Then observe the firewall logs to ensure direct connections from specific PCs outbound are not being made.

You also want to triple-check that you have Recipient Filtering enabled: http://www.amset.info/exchange/filter-unknown.asp. At the bottom of that article, there is also a 'tarpitting' section; enable that and set the tarpit time to 5 / 10 seconds. If the emails are from external sources, that will ensure the SMTP sessions are dropped without the mail being accepted and then queued/NDRed, and will also prevent a future problem whereby an attacker may launch a brute-force attack of addresses on your server.

-Matt
0
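The firewall-log check recommended in the accepted solution can be scripted. The following is an added example, not part of the original thread: it scans firewall log lines for outbound TCP/25 connections from any internal host other than the Exchange server. The netfilter-style `KEY=value` log format, the LAN range 192.168.1.0/24, the Exchange address 192.168.1.10 and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: the LAN range and the Exchange server's
# address are placeholders; the log lines are constructed samples in a
# netfilter-style KEY=value format.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
EXCHANGE_SERVER = ipaddress.ip_address("192.168.1.10")

SAMPLE_LOG = """\
May  6 10:01:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=41022 DPT=25
May  6 10:01:13 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49211 DPT=25
May  6 10:01:13 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.77 PROTO=TCP SPT=49212 DPT=25
May  6 10:01:14 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=49213 DPT=25
May  6 10:01:15 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.80 PROTO=TCP SPT=50100 DPT=443
May  6 10:01:16 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=192.168.1.10 PROTO=TCP SPT=50555 DPT=25
May  6 10:01:17 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=33012 DPT=25
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")


def direct_smtp_senders(log_text):
    """Return {internal source IP: set of external destinations} for TCP/25
    connections that did not originate from the Exchange server."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than guess
        # Outbound only: internal source, external destination.
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue
        if src == EXCHANGE_SERVER:
            continue  # the one host allowed to speak SMTP to the internet
        offenders[str(src)].add(str(dst))
    return dict(offenders)


if __name__ == "__main__":
    for src, dsts in sorted(direct_smtp_senders(SAMPLE_LOG).items()):
        print(f"{src}: {len(dsts)} external SMTP destination(s): {sorted(dsts)}")
```

A workstation that appears in the result with many distinct external destinations is the one to isolate and scan first; clients that submit mail to the Exchange server internally are not flagged.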
 
LVL 1

Expert Comment

by:ljkal
ID: 24711200
Try this fix from a related article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Q_23342741.html?sfQueryTermInfo=1+2003+clear+exchang+how+queue

Also, try dropping the timeout allowed for sending messages in the default SMTP server.  I dropped mine to 10 mins, then they started spitting them back to the sender's inbox and clearing from the queue.
0
 
LVL 1

Expert Comment

by:ljkal
ID: 24711564
Go to the Exchange System Manager - your server (whatever that may be), Protocols - Default SMTP server, then drop your message timeout to 1 minute, which will have the result of sending the emails back to the postmaster or legitimate sender.  Just watch out that the high amount of NDRs doesn't overstretch your Exchange!!!  When the queue has cleared, raise the timeout level again.
0
