Why are my Outbound Queues Filling up with Mail that we didn’t send?

If your emails are building up on your Exchange 2003 server and you don’t recognise any of the destination address then you have got a problem and need to resolve it.   To work out what your problem is, please double-click into one of the unknown domain name queues, then click on the Find Now button and then double-click into one of the messages that are returned.

Look at the sender of the message.  If the sender is postmaster@yourdomain.com, you are suffering from a Non Delivery Attack.  If the sender is a random user not in your organisation, then you are suffering from an Authenticated Relay attack.

Non Delivery Attack:

To prevent a Non-Delivery Attack, please turn on Recipient Filtering to reject recipients not in your organisation:

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

The reason for this is that you are currently accepting messages for anyone at yourcompany, even made up names.  If the recipient does not exist, your server is sending a Non-Delivery Report back to the sending email address and as spammers usually make up the sender address, the email message will not be able to go anywhere as the domain is invalid.  Some of the email addresses that spammers use will be valid email addresses and thus some Non-Delivery report mail will get sent out to people who did not send an email to you in the first place and they will potentially report you as a spammer.  Mail of this type is known as Backscatter and this can get you Blacklisted.  Please see  http://en.wikipedia.org/wiki/Backscatter_(e-mail) for more details.

If you also turn on Recipient Filtering, your server will reject recipients that are not setup on your server and the sending mail server will be responsible for sending a Non Delivery Report, not your server, thus shifting the problem back onto the spammer – http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

Another tool that you can use to slow down spammers is to implement something called Tarpitting which forces a delay into the mail-flow process for anyone sending mail to an invalid address on your server.  This means that anyone targetting your server will spend lots of time waiting for a response from your server, slowing them down – http://support.microsoft.com/kb/842851

Authenticated Relay Attack:

If the sender is not postmaster@yourdomain.com and is some random address, please Open Exchange System Manager and expand Servers> Right-click the Server Name and choose Properties> Select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to maximum.  Once you have done this, keep an eye on your Application Event Logs looking for event ID 1708 and it should soon become apparent which account is being abused.  Once you know which user account is being abused, change the password for that account and then stop and restart the Simple Mail Transfer Protocol Service and then cleanup your queues (The Administrator account is the usual target for spammers).

Cleanup:

A really useful tool to help clear up the queues very quickly is Aquadmcli.exe which can be downloaded from ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/aqadmcli.exe

Once downloaded – run from a command prompt and then use the following commands to empty the queue based on the sender address:

delmsg flags=sender,sender=sender@domain.com

To delete ALL messages in your queues, type the following:

delmsg flags=all

A good document to help you cleanup if you don’t like the above idea is – http://www.amset.info/exchange/spam-cleanup.asp

Once you have cleaned up – please return the logging level back to None.

About Me

I co-own a small independent IT Consultancy called IT Eye Ltd who provide support, consultancy, e-mail hosting solutions & server / workstation / network installations for the SMB (Small and Medium sized Businesses) marketplace.   We provide consultancy / support services to Businesses that are large enough to need IT systems, but that don’t require a full-time member of staff employed to manage their IT systems.  As a result, we are extremely cost effective and can save companies thousands of pounds on their annual IT spend.

We are based in the South-East of England in the Beckenham, Chislehurst & Eltham areas but we regularly travel to London and areas within the M25, sometimes beyond (we used to support a company in Jersey!).   We can also remotely support any computer that is connected to the Internet (we have remotely supported several US based computers and also one on Australia, although I won’t be rushing to repeat that experience as the connection was a little bit on the slow side) and offer fixed price annual support contracts starting from £140 per PC.  You will find me regularly posting on Experts Exchange: http://www.experts-exchange.com/M_4926565.html where I have been active since May 2009.

I have recently migrated an Exchange 2003 Server in Kansas to Exchange 2010 with zero downtime and all done remotely.

If you have a Microsoft server that is in need of an upgrade / migration, then you will be in safe hands.  I have performed numerous SBS / Exchange / Windows migrations, both locally and remotely all around the world.

HIRE ME! I have extensive knowledge of a wide range of Microsoft Products, predominantly Microsoft Exchange and Windows Server products, and can support existing installations, integrate new servers into existing configurations or setup / configure new brand new environments.  You can contact me directly by email at alan @ it-eye.co.uk or you can visit our website at http://www.it-eye.co.uk.