SBS 2003 Exchange 2003, how to tell where mail is getting in the queue from

My Exchange server queues keep filling up with a bunch of junk spam mail. It is addressed like it is coming from the postmaster on our server, but it isn't. I have verified that I am not an open relay. I tried 3 different open relay tests and they all pass. We get our emails only through Postini and I only allow their server IP addresses to forward into our server through the firewall. But I can't figure out where it is coming from. I just deleted over 180000 spam messages from the queue. The worst part is it keeps getting us blacklisted. Most companies are pretty nice and remove us quickly from the list, but I'm sure they aren't going to keep being that nice if I can't figure it out.

Asked by: charles18602
 
tobyweston Commented:
Is it possible to get an example of the headers in one of these emails?
 
Geodash Commented:
Verify your MX record and SPF record at http://www.kitterman.com/spf/validate.html

An SPF record, if you don't have one in place, should help alleviate this.
 
Geodash Commented:
In case you do not know what an SPF record is - read here -

http://en.wikipedia.org/wiki/Sender_Policy_Framework
 
Geodash Commented:
Also, do you use any kind of inbound/outbound SPAM filter?
 
chakko Commented:
That could be an NDR type of attack.

In the Exchange IMF you can select a checkbox to disable NDR for a little while and see if that stops it.

This page shows where to turn it off:

http://www.emailquestions.com/microsoft-exchange/311-disable-ndrs-exchange-2000-2003-a.html
 
Larry Struckmeyer MVP Commented:
Agreed that the most likely is NDR.  It is also possible that some bot has addressed mail directly to the IP address of your server, not the MX record, in which case it would bypass your off-site filters.  The headers should tell you.
 
Alan Hardisty (Co-Owner) Commented:
Disabling NDRs is against RFC standards so please do NOT turn them off.

Your problem by the sounds of it is NDR spam which means Postini are not rejecting mail destined for Invalid Recipients.

You should find that you are listed on www.backscatterer.org and you can determine this on www.mxtoolbox.com/blacklists.aspx

You either need to get Postini to filter invalid recipients for you or stop using Postini and use another provider who can filter invalid recipients.

As soon as Postini accepts an email destined for an Invalid account and passes it on to you, your server becomes responsible for sending back an NDR.  If they reject emails destined for invalid Recipients, then the sending server is responsible for the NDR and thus your problem will go away.

Alan
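
The two explanations offered in this thread (the filtering service passing on mail for invalid recipients, or mail delivered straight to the server's IP address) can be told apart from a queued NDR itself. The following is an added example, not code from the thread: it assumes the NDR has been saved as RFC 822 text and embeds the original message or its headers, and the relay range, mailbox list and sample message are constructed placeholders.

```python
import email
import ipaddress
import re

# Constructed assumptions: the filtering service's relay range and the real mailboxes.
FILTER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
VALID_RECIPIENTS = {"charles@example.com", "postmaster@example.com"}

SAMPLE = (  # constructed NDR; {ip} is the host that handed over the original message
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n\n'
    "--b\nContent-Type: message/delivery-status\n\n"
    "Reporting-MTA: dns; mail.example.com\n\n"
    "Final-Recipient: rfc822; nosuchuser@example.com\nAction: failed\n\n"
    "--b\nContent-Type: message/rfc822\n\n"
    "Received: from relay.example ([{ip}]) by mail.example.com; 1 Jan 2007\n"
    "To: nosuchuser@example.com\n\nbody\n--b--\n")

def original_message(ndr):
    """Return the message that triggered the NDR, if the NDR embeds it."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None

def triage(raw):
    msg = email.message_from_string(raw)
    out = {"is_ndr": False, "failed_recipient": None, "recipient_valid": None,
           "handed_over_by": None, "via_filter": None}
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return out  # ordinary mail, not a delivery status notification
    out["is_ndr"] = True
    for part in msg.walk():  # delivery-status is parsed into header blocks
        final = part.get("Final-Recipient")
        if final:
            addr = final.split(";", 1)[-1].strip().lower()
            out.update(failed_recipient=addr, recipient_valid=addr in VALID_RECIPIENTS)
            break
    orig = original_message(msg)
    received = orig.get_all("Received") if orig is not None else None
    if received:  # topmost Received line is the one our own server stamped
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
        if m:
            ip = ipaddress.ip_address(m.group(1))
            out.update(handed_over_by=str(ip),
                       via_filter=any(ip in net for net in FILTER_NETS))
    return out
```

Calling `triage(SAMPLE.format(ip="198.51.100.7"))` gives `via_filter` true with `recipient_valid` false, which matches the filtering service accepting mail for an invalid recipient; a `via_filter` of false means the original message was handed directly to the server and never passed the filter.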
 
chakko Commented:
I would just turn off the NDR to control the problem for now.  You can turn it on later to deal with the problem more permanently.
 
Alan Hardisty (Co-Owner) Commented:
I would suggest tackling the source of the problem, rather than digging yourself a bigger hole by turning off NDRs.