NDR spam on exchange 2003

MARKWILKY
Hi

I have a problem with a customer server: I can't stop the Exchange queues getting larger and larger.
I think we have been hit by an NDR attack.

I have searched the internet and tried everything I can find, but they still keep coming.

I have checked whether it is an open relay, checked all PCs and servers for viruses, and also gone through Sembee's guide to cleaning up after an NDR attack.

I seem to be getting thousands of emails in the queue every few minutes. I have blocked port 25 and am now using a non-existent smart host, but I am still getting lots. I have even run the Microsoft tool (Exchange Support Tools / Aqadmcli). This deletes the queue, but it then starts filling up again, so I run it again, but it keeps happening.

Has anyone any ideas, please?





Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Please read my article and check to see if you are an authenticated relay. If so, you have an abused user / password, and my article will help you to clear this up:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
It is not entirely clear what you are looking at in the queues: locally generated mail or responses to something coming in. On the wild chance that you have NDRs enabled, you will want to disable them:
http://support.microsoft.com/?kbid=294757
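The distinction above (locally generated NDRs versus mail relayed through an abused account) can be made from the queued messages themselves. The following Python triage script is an added example, not code from the thread or from Exchange: it classifies messages by null return path, delivery-status report type or postmaster sender, and tallies the senders of everything else, so a single account responsible for most of the queue stands out. The messages are constructed samples standing in for the .eml files in the SMTP virtual server's Queue folder.

```python
import email
from collections import Counter

# Constructed sample messages (not real captures) standing in for the .eml
# files that Exchange 2003 keeps in the SMTP virtual server's Queue folder.
SAMPLE_QUEUE = [
    # NDR: null reverse path, postmaster sender, delivery-status report body
    "Return-Path: <>\r\nFrom: postmaster@example.local\r\nTo: victim@example.net\r\n"
    "Subject: Delivery Status Notification (Failure)\r\n"
    "Content-Type: multipart/report; report-type=delivery-status; boundary=\"b1\"\r\n\r\n"
    "--b1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n--b1--\r\n",
    "Return-Path: <>\r\nFrom: postmaster@example.local\r\nTo: other@example.org\r\n"
    "Subject: Delivery Status Notification (Failure)\r\n\r\nbody\r\n",
    # Ordinary outbound mail; one account dominating the queue suggests abuse
    "Return-Path: <user1@example.local>\r\nFrom: user1@example.local\r\n"
    "To: a@example.org\r\nSubject: cheap stuff\r\n\r\nhi\r\n",
    "Return-Path: <user1@example.local>\r\nFrom: user1@example.local\r\n"
    "To: b@example.org\r\nSubject: cheap stuff\r\n\r\nhi\r\n",
    "Return-Path: <user1@example.local>\r\nFrom: user1@example.local\r\n"
    "To: c@example.org\r\nSubject: cheap stuff\r\n\r\nhi\r\n",
    "Return-Path: <bob@example.local>\r\nFrom: bob@example.local\r\n"
    "To: d@example.org\r\nSubject: report\r\n\r\nattached\r\n",
]

def is_ndr(msg):
    """True if the message is a delivery report (backscatter candidate)."""
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    if msg.get_content_type() == "multipart/report" and \
            msg.get_param("report-type", header="Content-Type") == "delivery-status":
        return True
    sender = (msg.get("From") or "").lower()
    return sender.startswith(("postmaster@", "mailer-daemon@"))

def triage(raw_messages):
    """Return (number of NDRs, Counter of senders of the non-NDR messages)."""
    ndr_count, senders = 0, Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if is_ndr(msg):
            ndr_count += 1
        else:
            senders[(msg.get("From") or "").lower()] += 1
    return ndr_count, senders

if __name__ == "__main__":
    ndrs, senders = triage(SAMPLE_QUEUE)
    print(f"NDRs (backscatter candidates): {ndrs}")
    for sender, n in senders.most_common(3):
        print(f"{n:6d}  {sender}")
```

A queue that is mostly NDRs points at backscatter (disable NDRs and enable recipient filtering); a queue dominated by one ordinary sender points at an abused credential.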

Author

Commented:
Hi,
they are coming from postmaster, so it must be a non-delivery attack,

but

I have already set up recipient filtering and tarpitting.

NDRs were enabled; I have disabled them and restarted all Exchange and SMTP services.

I will monitor over the next few minutes.

Is there anything else I can check or try?

Author

Commented:
Still getting thousands of mails in the queue...

Most of them have a time submitted of over a week ago.

When I delete them, more appear.

Any ideas anyone, please?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Download a trial of Vamsoft ORF - www.vamsoft.com - brilliant anti-spam software which should prevent more spam arriving in floods. If you decide to keep it after the 30 days, it will only cost you $239 as a one-off cost.
You can clean up your queues by referring to the cleanup part of my article, which links to Mestha's site.

Author

Commented:
I have blocked port 25, so I shouldn't be getting any more... Also, I have been cleaning up the queue for hours now and there are still thousands there... Is there not an easier way of clearing the queues?

Any help would be gratefully received.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
One way to clear up the queues is to modify your default SMTP Connector to send to a smart host of [99.99.99.99], and then all the queues will drop into a single queue.
Tell your users to stop sending mail for a while.
Then change your SMTP Virtual Server retry settings to 2 minutes from 10 / 15 minutes (for all settings - make a note so you can put the same settings back later), and after about 2-3 minutes your mail queues will start to automatically empty.
After a little while you should be back to an empty queue, at which point you can reverse your changes and tell your users they can send mail again.

Author

Commented:
Thanks for your help, but I am already doing that. All users are in bed, it's 2am here, and I'm remotely connected...

I guess I am already doing everything I can; I will just have to keep going and deleting mails... I have deleted hundreds of thousands already...

Thanks
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
I am UK based, so feeling your tiredness :) Bed is calling for me soon.
If you follow the above advice, you should not have to delete a single email - they will automatically purge themselves.

Author

Commented:
I am not deleting from the queue; I am using the aqadmcli delmsg flags=all command.

But I wish the queue would say zero.

Author

Commented:
Can you not just delete everything in the vsi 1\queues folder?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
The problem is that mail sits elsewhere in memory and gets put into the queue because it is still being processed by the server.
When spammers send their crap, they flood the server with thousands of messages, and they take time to show up in the queues.

Author

Commented:
OK mate, thanks.

I'll keep clearing queues then.

Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
You can carry on or just follow my advice, and then sit back and let it happen automatically. It's your call, but trust me, it works and is effortless.

Author

Commented:
Sorry, I have missed something...

How?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Have a look at my comment above http:#33149689 - clearly you can ignore the "tell your users to stop sending mail" part, as they should all be tucked up in bed!
I'm heading off, so have a quick read and if you have any questions, get them in quick.
Also, just as a check, you do have spam filters in place, i.e. spamcop.net and spamhaus? I find those two take out 90% of the spam coming at the mail servers.

Author

Commented:
Hi, sorry, I have now changed the timeout to 2 minutes on the SMTP VS.

So I'll check tomorrow to see if it has cleared.

Author

Commented:
I woke up this morning with 120 thousand in the queue...
I am hoping that once these have been removed the issue will be resolved...
Co-Owner
Top Expert 2011
Commented:
Did you follow my advice to the letter?

Author

Commented:
I think so. It's all sorted now, thanks for your help...