
Deleting messages in outbound messages awaiting delivery

Status
Not open for further replies.

mattmc97

IS-IT--Management
Dec 4, 2003
51
US
Hello all.

I have a problem. Apparently someone started using my 5.5 server as a relay sometime this past week. Well I started manually deleting my "Outbound messages awaiting delivery" and have been deleting 50 - 100 spam emails at a time for over 30 minutes and it says I still have 10,000 emails awaiting delivery. This has totally shut down my outgoing mail for all of my users.

Is there a file/folder/directory these are stored in that I can get to from Win Explorer and just delete them all?

I found some help on turning off the relay ability but nothing on a quick way to delete files. It seems that if I try to delete too many at a time, it may just lock up Exchange and I have to force close it.

thanks.

mattmc
 
You need to open an IMS connector in the Exchange Administrator and open the outbound mail Queue (tab Queues)

From there you can inspect, retry and flush outbound messages.

Have Fun!

Strike_2
 
the Q folder is \exchsrvr\imcdata\out
you can delete the messages all at once, but you could lose legit mail.

LZ
 
thanks guys. I went ahead and deleted them manually 1000 at a time and then just waited for it to refresh, it took all afternoon but I finally got it done.

BUT...

New issue now. I had figured out that someone was using my email server to relay messages and I had over 10000 emails sitting in my outbound waiting to be delivered box. Well I got those all cleaned out and figured that is why I could not email out. Anyway, now we can still receive but cannot send any emails. Nothing has changed on the router or on the server that I know of.

Any ideas on what would be causing this?

thanks in advance.

mattmc
 
Just one server/ one site. It was working fine until Thursday or Friday and I got a report that somebody could not send out email. Well on Monday I got a report that three more people could not send out and that is when I figured out my outbound box was full of spam. So I deleted them all and thought that would fix it.

I was checking the services on my server and I see that Microsoft Exchange Directory Synchronization and MS Mail Connector Interchange are both set to manual and are not currently started. Could one of these be the problem???

thanks.
 
The service in question here is the IMS or MSEXCIMC.exe

Did you make any changes to the IMS while locking it down to prevent others from relaying?
 
Do you get any non-delivery report? Could it be that you are blacklisted and your mail is being rejected by SPAM filters?
Go here and put in your IP address to see if you are listed.

LZ

ps, these services are not related to IMS
 
Are the outbound messages sitting in the queue, or are they leaving the queue?
 
No I do not get any non delivery report. I was wondering about getting blacklisted.

Here is what I got from that site:

Results: Positive=4, Negative=27 (2004-03-02 14:30:36 UTC)
DSBL/dsbl.org: 553 DSBL Insecure host [Remove]
NJABL/njabl.org: 553 NJABL relay tested -- 1077764411 [Remove]
PSBL/surriel.com: 553 PSBL Spam received [Remove]
LNSG/swbell.net.dialup: INET 127.0.0.2
Negative 27: @COUNTRY @DYNAMIC @ISP @SPAM AHBL BLARS BOGONS BONDED BOPM CBL DRBL FIVETEN INTERSIL JIPPGMA NOMORE ORDB PSS REYNOLDS RFC_IPWH SBL SORBS SPAMBAG SPAMCOP SPAMRBL SPAMSITE SPEWS UCEPROT

Does this mean I am black listed?? If so, would that prevent me from emailing even my yahoo mail account, cause that doesn't even work??? If yes to both, then what do I have to do to get off this list??

Stupid Spammers!!!!!!!!!!!!!!

thanks

mattmc
 
What I did was follow the directions for Routing Restrictions under IMS.

Before it had:

Hosts & Clients that successfully authenticate
Hosts & Clients that have these IP Addresses -> Blank
Hosts & Clients that have a connection to this internal address -> 192.168.208.1

Now it only has:
Hosts & Clients that successfully authenticate

thanks.

mattmc
 
First of all, make sure you are clean and relay is disabled.
Then click on remove button where available and follow the instructions.
If auto remove does not appear, you'll have to go to each list home site and ask for removal.

If you have postmaster/abuse accounts available at your domain check their mailboxes.
Also consulting your ISP might be helpful.

LZ
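
One way to confirm from outside that "relay is disabled" without breaking inbound mail, as an added example that is not part of the original thread: it offers an outside-to-outside recipient (should be refused) and an outside-to-local recipient (should be accepted), and sends no message data. The addresses, function names and the `smtp_factory` parameter are assumptions made for this sketch.

```python
import smtplib

# Constructed placeholder addresses: example.net / example.org stand in for
# domains the server under test is NOT responsible for.
OUTSIDE_SENDER = "probe@example.net"
OUTSIDE_RCPT = "probe@example.org"


def rcpt_result(host, sender, rcpt, port=25, smtp_factory=smtplib.SMTP):
    """Open one unauthenticated session and return the RCPT TO reply code.

    No DATA is sent, so nothing is queued. Returns None if MAIL FROM is refused.
    """
    smtp = smtp_factory(host, port, timeout=15)
    try:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(sender)
        if code != 250:
            return None
        code, _ = smtp.rcpt(rcpt)
        smtp.rset()  # abandon the transaction before disconnecting
        return code
    finally:
        try:
            smtp.quit()
        except (smtplib.SMTPException, OSError):
            pass


def audit_relay(host, local_rcpt, **kw):
    """Check both halves of a relay lock-down for your own server."""
    relay = rcpt_result(host, OUTSIDE_SENDER, OUTSIDE_RCPT, **kw)
    inbound = rcpt_result(host, OUTSIDE_SENDER, local_rcpt, **kw)
    return {
        # A 5xx reply to outside->outside means the relay attempt was refused.
        "relay_closed": relay is not None and 500 <= relay <= 599,
        # 250/251 for outside->local means inbound delivery still works.
        "inbound_ok": inbound in (250, 251),
        "codes": {"relay": relay, "inbound": inbound},
    }


if __name__ == "__main__":
    import sys
    # usage: python relay_audit.py <your-mail-host> <a-real-local-mailbox>
    print(audit_relay(sys.argv[1], sys.argv[2]))
```

Run it from a machine outside your own network, since routing restrictions can treat internal and authenticated clients differently. A 250 reply to the outside recipient only shows the server accepted the address at SMTP time, so confirm against the outbound queue as well.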
 
Help! Now there is more SPAM in my outgoing box! What in the sam hill is going on??

What do I need to turn off to get relay turned off?

When I got here at 7:30 it was empty and now I have a couple of thousand more spam!!!!!!!!!!!

help me please!!!!

mattmc
 
I think I am getting a reverse DNR attack now! I have been searching the web and this is what it appears to be because if I look at the details, it says host unreachable.

Anyone have experience with these???

thanks.

mattmc
 
Try changing your Routing Restrictions under IMS.

Now you have:

Hosts & Clients that successfully authenticate

Change to:
Hosts & Clients that have these IP Addresses -> Blank

Also,
I strongly recommend you put your Exchange behind a firewall. Spend $350 and install XWall, you'll see the difference.
 
Could someone from inside be sending these? Maybe an infected machine?

Consider seriously changing your IP for a start. It'll give you some time to find out what is cooking.

LZ
 
Noktar said:

***********

Try changing your Routing Restrictions under IMS.

Now you have:

Hosts & Clients that successfully authenticate

Change to:
Hosts & Clients that have these IP Addresses -> Blank
*************

I thought if I did this it would allow everyone or maybe no one since it was blank.

I am the victim of reverse NDR or DNR attack now it seems, it is not coming from inside and it is not a virus, we have virus scan.

As far as a firewall, we have a cisco 2600 series router and I checked it at a firewall checker site and it said my protection was excellent. This is the only problem we have had to my knowledge and we have to let port 25 so we can get email.

thanks

mattmc
 
The only way to fight a reverse DNR attack is with 3rd party software. If you purchase a good spam filter you'll also be able to block the attachments, subjects, etc. which are related to the Netsky, Beagle, and MyDoom virii at the spam filter before it hits Exchange.

We use XWall and I've been watching most of the day today as it both fends off repeated attempts at a reverse NDR attack (up to 420 messages per hour attempted) and blocks all the attachments related to the various virii which are making nuisances of themselves these days.

Cheers.

 
I solved this problem using linux and a mail system called postfix. I now have a spam filter and virus filter as well and best of all it was all FREE! Visit or search google for scott henderson's anti-spam mail server for a guide to set this up.

My linux server now forwards my mail to exchange which delivers it. It catches about 90% of SPAM and no more reverse NDR attacks.

Good luck to anyone else who has this problem!

mattmc
 
Microsoft has a patch for this - go to Microsoft and look for this patch.

Exchange5.5-KB841765-x86-enu.EXE

It worked for us..
 