SBS 2003 Exchange 2003, How to tell where mail is getting in the queue from

My Exchange server queues keep filling up with a bunch of junk spam mail. It is addressed like it is coming from the postmaster on our server but it isn't. I have verified that I am not an open relay. I tried 3 different open relay tests and they all pass. We get our emails only through Postini and I only allow their server IP addresses to forward into our server through the firewall. But I can't figure out where it is coming from. I just deleted over 180000 spam messages from the queue. The worst part is it keeps getting us blacklisted. Most companies are pretty nice and remove us quickly from the list but I'm sure they aren't going to keep being that nice if I can't figure it out.

Alan Hardisty, Co-Owner, Commented:
Disabling NDRs is against RFC standards so please do NOT turn them off.

Your problem by the sounds of it is NDR spam which means Postini are not rejecting mail destined for Invalid Recipients.

You should find that you are listed on and you can determine this on

You either need to get Postini to filter invalid recipients for you or stop using Postini and use another provider who can filter invalid recipients.

As soon as Postini accepts an email destined for an Invalid account and passes it on to you, your server becomes responsible for sending back an NDR.  If they reject emails destined for invalid Recipients, then the sending server is responsible for the NDR and thus your problem will go away.

Is it possible to get an example of the headers in one of these emails?
Verify your MX record and SPF record at

SPF record, if you don't have one in place, should help alleviate this.
In case you do not know what an SPF record is - read here -
Also, do you use any kind of inbound/outbound SPAM filter?
That could be an NDR type of attack.

In the Exchange IMF you can select a checkbox to disable NDR for a little while and see if that stops it.

This page shows where to turn it off

Larry Struckmeyer, MVP, Commented:
Agreed that the most likely is NDR.  It is also possible that some bot has addressed mail directly to the IP address of your server, not the mx record, in which case it would bypass your off site filters.  The headers should tell you.
I would just turn off the NDR to control the problem for now.  You can turn it on later to deal with the problem more permanently.

Alan Hardisty, Co-Owner, Commented:
I would suggest tackling the source of the problem, rather than digging yourself a bigger hole by turning off NDRs.
Question has a verified solution.
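
The thread says the headers should show whether the junk came through the off-site filter or was sent straight to the server's IP. The Python below is an added example, not written by any participant in the thread: it opens the bounced message embedded in an NDR and reports which host handed it to the server. The relay range `192.0.2.0/24`, the host name `mail.example.com`, the constructed sample messages, and the assumption that the NDR embeds the original as `message/rfc822` are all placeholders.

```python
import email
import ipaddress
import re

# Assumptions, not from the thread: placeholder provider range and server name.
FILTER_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]
OUR_HOST = "mail.example.com"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(msg):
    """IP of the host that handed this message to OUR_HOST, or None."""
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold the header onto one line
        if f" by {OUR_HOST} " in flat.lower():
            m = IP_RE.search(flat.split(" by ")[0])
            return m.group(1) if m else None
    return None

def classify(raw):
    """Return (is_ndr, entry); entry is 'filter', 'direct' or 'unknown'."""
    msg = email.message_from_string(raw)
    is_ndr = msg.get_content_type() == "multipart/report"
    original = msg
    for part in msg.walk() if is_ndr else []:
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the bounced message itself
            break
    ip = handoff_ip(original)
    if ip is None:
        return is_ndr, "unknown"
    addr = ipaddress.ip_address(ip)
    return is_ndr, "filter" if any(addr in n for n in FILTER_RELAYS) else "direct"

def sample(relay_ip, ndr=True):
    """Constructed test message: a spam mail, optionally wrapped in an NDR."""
    spam = (f"Received: from sender.invalid ([{relay_ip}]) by {OUR_HOST} with SMTP;\n"
            " Mon, 1 Jan 2001 00:00:00 +0000\n"
            "From: forged@example.org\nTo: nobody@example.com\n\nspam body\n")
    if not ndr:
        return spam
    return ("From: postmaster@example.com\nTo: forged@example.org\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nDelivery failed.\n"
            "--b\nContent-Type: message/rfc822\n\n" + spam + "--b--\n")

if __name__ == "__main__":
    print(classify(sample("192.0.2.25")))    # NDR for mail the filter passed on
    print(classify(sample("198.51.100.7")))  # NDR for mail sent straight to the IP
```

A result of `(True, 'filter')` matches the invalid-recipient case described in the thread; `(True, 'direct')` matches the case where mail bypassed the off-site filter.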
