Spam relaying & messages in queue 1

[blt975]

I have determined over the past day or so that someone has been SMTP relaying thru my company's server to send spam. I have already taken the corrective measures to secure & lock-down the open relay.

My problem is that when I realized what was going on, I went immediately to Exchange system manager and found literally thousands of messages sitting in queue on the SMTP virtual server. Obviously I want to delete all of these messages so that they dont go out - I am not sure why they are sitting in queue either. The way I caught the relay spamming was because I couldnt send mail out to AOL or Hotmail accounts. Either because my IP has been added to the Mail Abuse list or because of all these spam mails hung up in queue.

I know that you can go to each queue and enumerate messages then delete all messages in the queue with or without sender notification. But my problem is that there are practically 500 or more queues for all the multiple domains to which the spam was trying to be sent. I'm wondering if there is any other way to enumerate and delete messages from queues other than having to go to each of the 500 or more queues and deleting the messages. I'm also curious as to why all these messages are stuck in queue to begin with. Any advice is appreciated. Thanks.

Brian

 

[Xybertron]

Maybe the server couldn't keep up. DNS resolution might be real slow? Or just multiple recipients thus it caused lots more outbound than inbound?

Not sure of a way to enumerate all queues at the same time. Dan
Microsoft Exchange Support @ Microsoft

 

[SooN2bCCIE]

I have this same issue.
I am not a open relay but everyday i have like 20 messages sitting in my ques retrying and i have to delete them..
Any ideas?

 

[VOIPeng]

Check your DNS setting for Exchange and set them for dependable DNS servers that you have a good speed connection to. To do this:
Configure the SMTP service to use external DNS servers. To do so, click SMTP Virtual Server, click the Delivery tab, click Advanced, and then click Configure Thank you,
Frank Mirecki
BrantTel Networks

 

[SooN2bCCIE]

Thanks Frank,

After configuring external DNS servers does this automatically enable it or do I need to check another tab.
Also this ques have changed since 5.5, How do you check mails coming in waiting to be delivered.

Thanks,

Kevin

 

[VOIPeng]

As soon as you enter the DNS servers you they should be enabled, you might have to stop and start the SMTP service for the SMTP service to use the new DNS servers. Incoming messages that have yet to be delivered will be shown in the System Manager -> Administrative Groups -> # Administrative Group -> Servers -> servername -> Protocols -> SMTP ->SMTP virtual Server -> Queues in the Queue with your domain name you it will list the # of messages awaiting delivery.

Thank you,
Frank Mirecki

 

[JBruyet]

I have an off-thread question that relates to messages in the queue. I was checking my queues out of curiousity and I discovered several entries that were partial URLs. Here's an example:

stderr.inboxbargains.com(Remote delivery)

I can't delete these items but I can freeze them so I did that for now. BUT, what are these from? What is the "Remote delivery" about since I have relaying disabled on my server? And more importantly how do I get rid of them?

Thanks,

Joe Brouillette

 

[pgisclair]

I JUST figured out how to clear the SMTP Virtual Server Queue of junk:

Try Right-Clicking on Default SMTP Virtual Server(or whatever you named it), and choose Stop. Wait a minute and Start it again. Highlight Queue and press F5/Refresh. They should all be gone. That worked for me.

Perry.

 

[lengoo]

Yep, I had the same problem.. see my post..

http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/15/pid/858/qid/536957

Stop the virtual server and you can go to the Exchsrvr directory on your Exchange server. There is a queue folder somewhere.. just delete them all.. if you can't do that.. you can delete the offending items as you can get the name that they correspond to in the queue folder by looking at them in the queue properties.. however, if you have loads of messages it's gonna take ages.. I just removed the whole lot as I had 3000 spam messages!

And by the way, go to ordb.org, if your Exchange server has been acting as a relay you may find that your emails are getting block particularly for domains which have antispam controls and refer to this database

 

[Tomasykes]

I have had the same probelm too. I simply selected to send all mail through my ISPs relay. therefore I only had one SMTP connector, instead of one for each outgoing mail domain. This solved the problem.

 

[jsd2003]

Follow-up question for the experts:
Could the messages being queued for delivery be NDRs that don't have a valid address to reply to?

 

[lengoo]

Yes, if you enumerate the messages you can see what's being sent out and you're quite right.. I myself found a load of NDRs my system was trying to send out.. just delete them all!!

 

[larsjuhl]

I had same problem 13000 mails waiting to go out and blocking all traffic...
changed my mail connector to forward to hos 99.99.99.99 and waited for 10 minutes, then went in to the que and found all mails in the same que and the deleted all.

Anyone have a program to scan my server for vulnabilities ? I tried Shadow Security scanner and it reports that anyone can send via my server which I believe is not true...

 

[cbodnar]

lengoo:

When I navigate to my C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue directory it is empty. I have looked on other Exchange servers, and none of them have anything in this directory either, even though these servers exhibit the same symptoms you describe (large number of queues, with many NDRs). I would like to try you suggestion, but there is nothing to delete in this directory.

Can you shed some light on this?

Chris

 

[jsd2003]

Use Exchange Manager. Servers/<servername>/Protocols/SMTP/Default SMTP Virtual Server/Queues

 

[SPeeDyT71]

Thx frank mirecki,

Thats a great tip .. helped me a lot