SBS 2003 Exchange 2003 queues filling up what to do?

tourist08
Hello I was wondering if anyone can give me some recommendations on how to stop our Exchange server queue filling up with NDR emails and maybe some best practices when it comes to spam.  

Our environment is this.  We have domains hosted on a godaddy server and the mail is forwarded to our office through our cisco asa 5505 firewall to our SBS 2003 Server with Exchange.  Our antispam engine is Bitdefender.  

Usually about a couple of days a week we'll get emails sent to our server for a non-existent email address, then our email will try to send an NDR, but of course the address/IP is spoofed so they all get stuck in the queue.  That's an NDR attack, right?  I know this sounds like a stupid question, but should I just disable "Allow non-delivery reports"?  My main concern is that legitimate mail might come in with maybe the wrong address (mistyped) and not send an NDR to that person.  So it seems that there might be a lot of assuming going on when it comes to getting emails or not.  Any suggestions would be appreciated.  And awarded points if it fixes my problem.  Thanks

Author

Commented:
Oh, I also have "apply recipient filtering" enabled on Exchange, so I was under the impression that would have solved my problem.  

Author

Commented:
You know what, I'd like to add a little more info.  I have two kinds of senders in the messages that are queued.  One is postmaster@mydomain.local and the other is not an email address from any of our domains.  Is the second email address a concern for open relay?  I've tested our machine and had someone else test it too, and it seems that the Exchange server is not an open relay.  
Alan HardistyCo-Owner
Top Expert 2011

Commented:
Please have a read of my article - essentially you need to turn on recipient filtering so that you stop sending out the NDR messages and the sender then becomes responsible for sending out the NDR:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Author

Commented:
Thanks for replying.

I do have recipient filtering on but that doesn't seem to be stopping the postmaster emails.  

I have turned on the logging so now I guess I just wait and see.

I have been going through many articles for the past week and noticed that they say in the relay section of the SMTP server the box should be clear and the "allow all computers..." option should be unchecked. By default mine has "Only the list below" selected, and in the box it has 127.0.0.1 and my server's internal IP. Also, "allow all computers which successfully authenticate to relay, regardless of the list above" is checked. Should "allow all computers..." be checked? And ultimately, should the box for listed computers be cleared also?
I just didn't want to change the settings and start adding problems instead of fixing them.  I'm a one-man IT solution.  
Alan HardistyCo-Owner
Top Expert 2011

Commented:
Please remove 127.0.0.1 from the allowed relay list and restart the SMTP service.  You don't need it in the list.

If users outside the organisation use SMTP/POP3 to send mail then you need the "allow all regardless" option, but if they are set up with RPC over HTTPS, then you can untick that box too. You may have scanners / copiers that need to send emails, so bear this in mind as they will need some sort of access.
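The two SMTP virtual server decisions discussed in this thread, recipient filtering (reject an unknown mailbox during the session instead of accepting the message and bouncing it later) and the relay list (which client IPs or authenticated users may send to external domains), can be modelled in a few lines. The following is an added illustration written for this page, not Exchange's own code: the `Server`, `SmtpPolicy` and `Session` classes, the domain `ourdomain.com`, the mailbox names and the client IPs are all constructed for the simulation. It shows why accepting mail for non-existent recipients fills the outbound queue with NDRs addressed to spoofed senders, and how an entry such as 127.0.0.1 in the relay list lets any unauthenticated connection from that address relay.

```python
"""Toy model of Exchange 2003 SMTP recipient filtering and relay restrictions.
Written for this page as an illustration; names and sample data are constructed."""

from dataclasses import dataclass, field

LOCAL_DOMAIN = "ourdomain.com"  # assumption: the only domain this server accepts mail for


@dataclass
class SmtpPolicy:
    recipient_filtering: bool                    # reject unknown local recipients at RCPT TO
    relay_ips: set = field(default_factory=set)  # the "Only the list below" relay list
    allow_authenticated_relay: bool = True       # "all computers which successfully authenticate"


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False


@dataclass
class Server:
    policy: SmtpPolicy
    mailboxes: set                                    # local parts that actually exist
    outbound_queue: list = field(default_factory=list)  # messages waiting to leave, NDRs included

    def rcpt_to(self, session, mail_from, rcpt):
        """Return the SMTP reply for one RCPT TO command; mail_from is the envelope sender."""
        local_part, _, domain = rcpt.partition("@")
        if domain.lower() != LOCAL_DOMAIN:
            # Outbound (relay) decision: listed IPs or authenticated clients only.
            if session.client_ip in self.policy.relay_ips or (
                    session.authenticated and self.policy.allow_authenticated_relay):
                self.outbound_queue.append(("relay", mail_from, rcpt))
                return "250 2.1.5 OK"
            return "550 5.7.1 Unable to relay"
        # Inbound mail for our own domain.
        if local_part.lower() in self.mailboxes:
            return "250 2.1.5 OK"
        if self.policy.recipient_filtering:
            # Rejected inside the session: the sending server owns any bounce.
            return "550 5.1.1 User unknown"
        # Accepted now, bounced later: the NDR is addressed to a (probably spoofed) sender
        # that will never accept it, so it sits in the outbound queue.
        if mail_from:  # the null sender "<>" never receives an NDR
            self.outbound_queue.append(("ndr", f"postmaster@{LOCAL_DOMAIN}", mail_from))
        return "250 2.1.5 OK"


def backscatter_queue_depth(recipient_filtering, attempts=50):
    """Simulate a run of messages to bogus recipients from spoofed external senders
    and return how many NDRs end up queued for delivery."""
    srv = Server(SmtpPolicy(recipient_filtering=recipient_filtering), mailboxes={"alice", "bob"})
    sess = Session(client_ip="192.0.2.44")  # constructed remote sender address
    for i in range(attempts):
        srv.rcpt_to(sess, f"victim{i}@example.net", f"guess{i}@{LOCAL_DOMAIN}")
    return sum(1 for kind, _, _ in srv.outbound_queue if kind == "ndr")


def relay_reply(relay_ips, client_ip, authenticated=False):
    """Reply a client at client_ip gets when sending to an external address."""
    srv = Server(SmtpPolicy(recipient_filtering=True, relay_ips=set(relay_ips)),
                 mailboxes={"alice", "bob"})
    return srv.rcpt_to(Session(client_ip, authenticated), f"alice@{LOCAL_DOMAIN}",
                       "someone@example.net")


if __name__ == "__main__":
    print("NDRs queued, filtering off:", backscatter_queue_depth(False))
    print("NDRs queued, filtering on: ", backscatter_queue_depth(True))
    print("loopback relay, 127.0.0.1 listed:", relay_reply({"127.0.0.1"}, "127.0.0.1"))
    print("loopback relay, list emptied:    ", relay_reply(set(), "127.0.0.1"))
```

The simulation makes the thread's point concrete: with recipient filtering off, every bogus recipient produces one queued NDR, while with it on the queue stays empty because the 550 is returned to the connecting server. The relay check shows that an address in the relay list bypasses authentication entirely, which is why a loopback entry is worth removing when nothing on the server itself needs it.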

Author

Commented:
As for our email clients, we have some clients on the same network as the Exchange server and another office that connects through a VPN tunnel through our Cisco firewall to the Exchange network, and we do have OWA open as well.   So does that sound like I should keep "allow all regardless" checked?

Author

Commented:
Also, it seems that we get hit with this email queue problem after work hours, so I was thinking of changing the delivery time to about a half hour after I get into work so that spam mails aren't getting sent out and I'm not getting blacklisted (just got blacklisted by AT&T).  Does that sound like a wise idea?  
Alan HardistyCo-Owner
Top Expert 2011

Commented:
You should be fine as your clients are internal / connected via VPN.

What does AT&T list as the reason for your listing?  A virus spamming the world or similar?

Author

Commented:
Ok I'll make the changes and see what happens.  

As for AT&T, if you read the NDR you get from them it directs you to their "request to remove block" site, and then after you fill out the information they send you this email.  So hopefully the suggested adjustments that you recommended fix my problem.  

Dear Administrator:

Thank you for contacting the AT&T Postmaster.

The mail server IP address(es) associated with your request will be
removed from the block list within 24-48 hours from the date of
this notification.  AT&T, Bellsouth, SBC and any affiliates do NOT
intentionally block legitimate mail in the course of our anti-spam
initiatives and regret any inconvenience this may have caused.  If
the IP that was recently blocked begins to exhibit the
characteristics of a compromised network object or is compromised
by an offender of Acceptable Use Policies, the IP address will be
blocked again.

ADMINISTRATORS:  Please thoroughly check your IP logs before
requesting removal.  You must determine that all traffic from the
blocked IP is actually from your mail servers to ensure your
network is not compromised.  Administrators who fail to do this may
experience subsequent and more resolute blocking.

Thank you for helping the AT&T WorldNet Services network combat
spam in all its forms.
Alan HardistyCo-Owner
Top Expert 2011

Commented:
Don't de-list from the AT&T lists until you know your environment is clean.

Make the changes, cleanup the queues and then monitor the blacklisting sites to make sure you don't seem to be sending fresh spam.

For cleanup, please read this article:
http://www.amset.info/exchange/spam-cleanup.asp

Author

Commented:
Ok, so I was just looking through my app logs and noticed this SMTP protocol event ID 7512.  Can you tell me what this means?  Side note: I replaced our actual server name with ServerName and the email account with ouruser@ourdomain.com.  The email account is actually an account that is disabled, but we are forwarding the account's email to someone else.    

The message with ID <ServerNameQGTADnsP00000566@ServerName.ourdomain.local>,
 P1 From smtp:ouruser@ourdomain.com, Subject  Tell me how you live, as a new wife?
"Your Russian friend"., from remote host "ServerName"   was Rejected/Deleted by Intelligent
Message Filter. This is an informational event and does not indicate an error.

So does this mean that the user account is hacked?  And/or is our server hijacked?  All too confusing, man!!!  

Author

Commented:
Ok, so this morning I'm noticing in our spam quarantine that there are a couple of our email accounts sending spam to themselves.  Can anyone explain to me what that might mean?  
Alan HardistyCo-Owner
Top Expert 2011

Commented:
Spam from your own domain is quite typical and is called spoofing.

Any good anti-spam software should be able to cope with this type of spam and eliminate it, but to help, you can set up an SPF record (Sender Policy Framework) that will publish the IPs / domain names that are authorised to send mail for your domains.

If you check SPF for inbound mail and the sender is not listed, the mail will get rejected as spam.

Visit www.openspf.org for details and their wizard.
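To show what the SPF check described above actually does when a receiving server evaluates it, here is a small evaluator added for this page (not openspf.org's or Exchange's code). It goes a little beyond the post: it parses a record's `ip4`/`ip6` mechanisms with their `+`/`-`/`~`/`?` qualifiers and the `all` mechanism, and returns the standard SPF result for a connecting IP. The record for `ourdomain.com`, the `SAMPLE_SPF` table and every IP address are constructed samples; DNS-dependent mechanisms (`include`, `a`, `mx`, `exists`) are deliberately not resolved, since this runs offline.

```python
"""Minimal SPF evaluator (subset of RFC 7208: ip4, ip6, all, qualifiers).
Written for this page as an illustration; records and IPs below are constructed."""

import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample: what a domain might publish once its outbound mail server is known.
SAMPLE_SPF = {
    "ourdomain.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all",
}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) triples."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:          # modifiers such as redirect=/exp= are ignored by this toy
            continue
        qualifier = "+"          # an unqualified mechanism means "pass" on match
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(record, client_ip):
    """Evaluate one record for the IP that connected to us.  Mechanisms are tried
    left to right; the first match decides, and 'all' matches everything."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare address becomes /32 or /128
            if ip.version == net.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
            continue
        # include/a/mx/exists need DNS lookups, which this offline example does not perform.
        return "permerror"
    return "neutral"   # no mechanism matched and no 'all' was present


def inbound_decision(sender_domain, client_ip, records=SAMPLE_SPF):
    """Map the SPF result to the action an inbound filter would take.  Only a hard
    'fail' (-all) is a safe reject; softfail/neutral should feed a spam score instead."""
    record = records.get(sender_domain.lower())
    if record is None:
        return "none", "accept"
    result = check_spf(record, client_ip)
    action = "reject" if result == "fail" else "accept"
    return result, action


if __name__ == "__main__":
    # A spoofed message claiming to be from ourdomain.com but sent from an unlisted host.
    print(inbound_decision("ourdomain.com", "192.0.2.5"))     # ('fail', 'reject')
    print(inbound_decision("ourdomain.com", "203.0.113.10"))  # ('pass', 'accept')
```

The `-all` at the end of the record is what turns the check into a reject: with `~all` the same spoofed message only yields `softfail`, which most filters treat as a scoring hint rather than a hard refusal, so choose the qualifier deliberately once every legitimate sending host (including hosted mail forwarders) is listed.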

Author

Commented:
alanhardisty
Hey, would any of those recommendations that you gave me cause SMTP connections to get stuck in the Exchange queue? (see below)  
Because now it seems that Exchange cannot connect to aol.com and mail is getting stuck in the queue.  

Please remove 127.0.0.1 from the allowed relay list and restart smtp service.  You don't need it in the list.

If users outside the organisation use smtp/pop3 to send mail then you need the allow all regardless, but if they are setup with https over RPC, then you can untick that box to. You may have scanners / copiers that need to send emails, so bear this in mind as they will need some sort of access.

Author

Commented:
But if I restart the Default SMTP server the email will go through.  Thoughts?  Sorry if I'm being neurotic, I just want to get this resolved so I no longer dream about emails and spam mails.  
Alan HardistyCo-Owner
Top Expert 2011

Commented:
Mail may get stuck in your queues because you will probably be blacklisted because you are sending spam.  You can check on www.mxtoolbox.com/blacklists.aspx

Author

Commented:
I've pretty much checked every blacklist in the world and our IP doesn't show up anywhere.  And the mail to AOL will send if I restart the SMTP virtual server.  Every other email domain will work fine.  And the funny thing is our registered static IPs are from AT&T and we are being blacklisted by AT&T.  You'd think they'd just close our account or something.  

Author

Commented:
I forgot to mention that the email messages now stuck that are going to AOL are legitimate email, not spam.
Alan HardistyCo-Owner
Top Expert 2011

Commented:
If restarting the SMTP server sends the mail, that sounds like antivirus software interference or missing updates.

Author

Commented:
No, it seems the problem is caused by unchecking "allow computers which successfully authenticate, regardless of the list above". Once rechecked it will send.  But will that now allow the return of spam mail being sent from my server?  
Alan HardistyCo-Owner
Top Expert 2011

Commented:
Most probably, if you are an authenticated relay.

Have you turned up the diagnostic logging?

Author

Commented:
I turned on the logging specified in the link you gave me in your original reply.
Alan HardistyCo-Owner
Top Expert 2011

Commented:
Just now or earlier?

Any useful logs showing accounts being used to relay?

Author

Commented:
I started the logs right after I read your initial post.  I've been looking for 1708 authentication IDs for SMTP and nothing yet.  But then again, I haven't had any problems since I started the post.  
Alan HardistyCo-Owner
Top Expert 2011

Commented:
Okay - if your problems are solved - is there anything more you need?
If mail is not going out with the relay of 127.0.0.1 removed, put it back and keep an eye on the queues.

Author

Commented:
For right now I think I'm set.  I'm going to watch over the weekend and if all is well I'll accept your solution on Monday.  Thanks again for your help.
Alan HardistyCo-Owner
Top Expert 2011

Commented:
No problems - fingers crossed it stays problem free.
Alan

Author

Commented:
Thanks for your help.  It looks like removing the relay for 127.0.0.1 worked.
Alan HardistyCo-Owner
Top Expert 2011

Commented:
For the benefit of others, the Author comment on closing was:
Thanks for your help. It looks like removing the relay for 127.0.0.1 worked.  
