Why are my Outbound Queues Filling up with Mail that we didn’t send?

If your emails are building up on your Exchange 2003 server and you don’t recognise any of the destination addresses, then you have a problem and need to resolve it. To work out what the problem is, double-click one of the unknown domain-name queues, click the Find Now button and then double-click one of the messages that are returned.

Look at the sender of the message.  If the sender is postmaster@yourdomain.com, you are suffering from a Non Delivery Attack.  If the sender is a random user not in your organisation, then you are suffering from an Authenticated Relay attack.

Non Delivery Attack:

To prevent a Non-Delivery Attack, please turn on Recipient Filtering to reject recipients not in your organisation:

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

The reason for this is that you are currently accepting messages for anyone at your domain, even made-up names. If the recipient does not exist, your server sends a Non-Delivery Report back to the sender address. As spammers usually forge the sender address, most of these reports can go nowhere because the domain is invalid, but some of the addresses spammers use will be real, so Non-Delivery Reports get sent to people who never emailed you in the first place and who may report you as a spammer. Mail of this type is known as Backscatter and it can get you blacklisted. Please see http://en.wikipedia.org/wiki/Backscatter_(e-mail) for more details.

Once you turn on Recipient Filtering, your server will reject recipients that are not set up on your server, and the sending mail server becomes responsible for generating the Non-Delivery Report, not your server, thus shifting the problem back onto the spammer – http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

Another tool that you can use to slow down spammers is Tarpitting, which forces a delay into the mail-flow process for anyone sending mail to an invalid address on your server. This means that anyone targeting your server will spend a lot of time waiting for a response, slowing them down – http://support.microsoft.com/kb/842851

Authenticated Relay Attack:

If the sender is not postmaster@yourdomain.com and is some random address, open Exchange System Manager, expand Servers, right-click the server name and choose Properties, then select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to Maximum. Once you have done this, keep an eye on your Application event log for event ID 1708; it should soon become apparent which account is being abused. Once you know which user account it is, change the password for that account, then stop and restart the Simple Mail Transfer Protocol service and clean up your queues. (The Administrator account is the usual target for spammers.)
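A way to tally those event 1708 entries rather than reading them one by one, added here as an example and not part of the original post. It assumes PowerShell 2.0 or later on (or with access to) the Exchange server and that the 1708 message text carries the user name as `username was "DOMAIN\user"` and the connecting host as `client "host"`; adjust the two patterns if your events are worded differently.

```powershell
# Added example: count MSExchangeTransport event 1708 (successful SMTP
# authentication) by account and by distinct client host, so the abused
# account stands out once Authentication logging is set to Maximum.
# The message wording matched below is an assumption; edit if yours differs.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Newest = 5000,      # newest Application log entries to scan
    [int]$Top = 10            # accounts to display
)

$UserPattern   = 'user ?name was "(?<user>[^"]+)"'
$ClientPattern = 'client "(?<client>[^"]+)"'

$events = Get-EventLog -LogName Application -Source MSExchangeTransport `
              -ComputerName $ComputerName -Newest $Newest -ErrorAction Stop |
          Where-Object { $_.EventID -eq 1708 }

if (-not $events) {
    Write-Warning 'No event 1708 found. Check that Authentication logging is at Maximum and that mail is still flowing.'
    return
}

# One row per event: when, which account authenticated, from which client.
$rows = foreach ($e in $events) {
    $user   = if ($e.Message -match $UserPattern)   { $Matches['user'] }   else { '<unparsed>' }
    $client = if ($e.Message -match $ClientPattern) { $Matches['client'] } else { '<unparsed>' }
    New-Object PSObject -Property @{
        Time = $e.TimeGenerated; Account = $user; Client = $client
    }
}

# A single account with a large count and many different client hosts is the
# usual signature of a password being abused for authenticated relaying.
"Event 1708 by authenticated account (newest $Newest Application log entries):"
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First $Top -Property Count, Name,
        @{n='DistinctClients'; e={ ($_.Group | Select-Object -ExpandProperty Client | Sort-Object -Unique).Count }},
        @{n='FirstSeen';       e={ ($_.Group | Sort-Object Time | Select-Object -First 1).Time }},
        @{n='LastSeen';        e={ ($_.Group | Sort-Object Time | Select-Object -Last 1).Time }} |
    Format-Table -AutoSize
```

Run it on the server after the logging change has had time to collect events; if every row shows `<unparsed>`, open one 1708 event and adjust the two patterns to its wording.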

Cleanup:

A really useful tool for clearing the queues very quickly is Aqadmcli.exe, which can be downloaded from ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/aqadmcli.exe

Once downloaded, run it from a command prompt and use the following command to delete queued messages from a particular sender address:

delmsg flags=sender,sender=sender@domain.com

To delete ALL messages in your queues, type the following:

delmsg flags=all

A good document to help you clean up if you don’t like the above approach is – http://www.amset.info/exchange/spam-cleanup.asp

Once you have cleaned up, please return the Authentication logging level to None.


36 Responses

  1. Thanks, this helped me greatly! I had an authenticated relay going on and I was unaware. I had pulled my hair out trying to figure out how the spammer was relaying and it turned out he was authenticating on one of my users’ accounts.

  2. Good afternoon, any ideas on how to do it in Exchange 2010??

  3. Saved my day after not having a clue as to why my exchange server was getting massive queues.

  4. I just setup a new EX2010 box and am having the same problem with lots of “undeliverables”.

    However, every message’s “From” is ” “.

    Not an open relay, so what is that about?

    • If the sender is “” then you are not Filtering Invalid Recipients and will be sending NDR messages back to spammers (Backscatter) and you might end up being listed on http://www.backscatterer.org.

      If you only have a Hub Transport / Mailbox / Client Access Server (no Edge Transport Role), then you can either install the Exchange Anti-Spam Agents (http://technet.microsoft.com/en-us/library/bb201691.aspx) and enable Recipient Filtering at the very least, or try a 3rd party Anti-Spam solution like Vamsoft ORF (www.vamsoft.com), which is an excellent, low cost, low resource, excellent product (which I use) and is much more flexible than the inbuilt Anti-Spam agents (IMHO).

  5. Hi Alan: I have followed your steps but am not getting Event ID 1708 in Event Viewer, so I can’t seem to figure out which account has been compromised. The offending emails are going out as “jobs@careerbuilder.com ” but no matter what I do I can’t generate a 1708 to figure out which is the affected account. Any suggestions? GREAT ARTICLE BY THE WAY.
    Thanks in advance

    • Hi Arif,

      Did you check to see if you were an Open Relay on http://www.checkor.com?

      If you are not seeing a 1708 error, it might be an Outlook account using RPC over HTTPS that is infected. Do you have Outlook clients configured over RPC/HTTPS?

      Alan

      • Hi Alan. Thanks for the lightning fast response. I checked the mail Server on CheckOR.com : here is a sample of the output:

        220 mail.XXXXX.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 11 May 2012 17:30:34 -0600
        HELO ortest.checkor.com
        250 mail.XXXXX.com Hello [8.23.XXX.XXX]
        RSET
        250 2.0.0 Resetting
        MAIL FROM: test@checkor.com
        250 2.1.0 test@checkor.com….Sender OK
        RCPT TO: test1@checkor.com
        550 5.7.1 Unable to relay for test1@checkor.com

        RSET
        250 2.0.0 Resetting
        MAIL FROM:
        501 5.5.4 Invalid Address
        RCPT TO: test1@checkor.com
        503 5.5.2 Need Mail From: first

        RSET
        250 2.0.0 Resetting
        MAIL FROM: spam@XXX.XXX.161.244
        250 2.1.0 spam@XXX.XXX.161.244….Sender OK
        RCPT TO: test1@checkor.com
        550 5.7.1 Unable to relay for test1@checkor.com

        So it looks like I have shut down the open relay correctly, right? I may have a user or two connected via RPC/HTTP but I am not sure who they are. I am okay with shutting ALL relaying off (if possible) as long as users can still receive and send email as long as they are Exchange connected, such as via OWA, and still receive email on their Blackberries and iPhones (Exchange or OWA only). Any thoughts?

        Sorry, I am not very well versed in Exchange troubleshooting.

        Thanks again, in advance. Great Blog by the way.

      • You are welcome.

        So you are not an Open Relay – were you before?

        RPC/HTTPS users are not affected by relaying as mail is sent directly from the server, not to and then from the server.

        If you are an authenticated relay, my blog here gives you a quick fix:

        https://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

        If changing the authentication doesn’t improve things, you may have a virus infected computer on your network.

      • Hi Alan. Have used your fix to disable Basic & Integrated Windows Authentication on our SMTP Virtual Server. Cleared the Queue, and will keep you posted. I am not sure if I was an Open Relay before, but I did see a post you made on Experts Exchange recommending to make sure that 127.0.0.1 was not permitted to relay through our server, so I did follow that instruction as well. I will monitor over the weekend and post back. Thanks for all your help so far. Just followed you on Twitter, too.

  6. If you see anything else pop up, just post again and I’ll see what else I can do to help. Keeping my fingers crossed.

    After changing the authentication – I hope you restarted the Simple Mail Transfer Protocol Service.

    • Thanks for the reminder. Just did it. You have been a great help, and are an excellent resource for the rest of us. Much, much appreciated.

  7. Always a pleasure – thanks for your kind words.

  8. Hi Alan,

    This article was a great help in cleaning up our problem. We found the offending account and changed the password. Started & stopped the Virtual SMTP Server and were still getting outgoing spam. We then deleted the account altogether and it seems to have resolved our spam problem (fingers crossed).
    Regards,
    Graham

  9. Alan

    Thanks this is the best article I have found, you help find the offending account I also had to disable the account a password change didn’t do it. However, it was an outdated account that should have been removed.

    • Hi Bill,

      Thanks for your comments. They are very much appreciated.

      Too late now, but if you had restarted the Simple Mail Transfer Protocol Service, disabling the account wouldn’t have been necessary. That would have stopped the spammer from sending temporarily, then they would have to provide credentials again and as they are now changed, they would be unable to provide the correct details and thus can’t abuse your server any more.

      Alan

  10. Thank you very much, this helped me track down the account which was used to relay on our server!
    Very well written down in a nice and clear way!

    Many thanks from the Netherlands

  11. perfect!!!! queue was at 80,000. blacklists everywhere… so much work to do still after this. thank you so much.

  12. This was an awesome article and a very kind author. It saved my @$$.

  13. Thank you Alan, I was facing an Authenticated Relay Attack, and I found the user in my Active Directory which was used to send spam after reading your article. Every 2 days my queue was filled with more than 5000 emails. Again, thank you a lot and keep it up.

    Greeting from Jordan.

    Ashraf.

  14. I’m facing this problem with Exchange 2013, but I do not see the 1708-
    although I’m not sure I’ve properly enabled the SMTP logging, I have all send and receive connectors logging set to verbose-
    is there any other way of tracking this? all the from addresses are

  15. I think* I may be onto something, in ex 2013, event 17025 consistently shows an account sending “mail” to bogus addresses, is this perhaps the equivalent of 1708 on previous versions?

    • One way to find out – reset the password and restart the Microsoft Exchange Transport Service.

      What is the account name? Do you know if the password is an easy password?

  16. It also appears that this same user’s office computer is infected , could it be his machine and not necessarily his account that is doing it?

  17. Actually I was looking at the wrong field, the sender is null
    From Address:
    Status: Ready
    Size (KB): 310
    Message Source Name: DSN
    Source IP: 255.255.255.255

    But I do have recipient filtering enabled;

    [PS] C:\Windows>Get-RecipientFilterConfig | Format-List Enabled
    Enabled : True

    Could it be the infected computer on the LAN causing this?

  18. But my Poison Queue (which I empty every day) does from address- so I may have a double issue, a compromised account, and compromised PC

  19. […] Why are my Outbound Queues Filling up with Mail that we didn’t send? […]

  20. I tried doing what you showed but to no avail. After clearing the Queue and BadMail folders and restarting the SMTP Server, the BadMail folder started loading crap from postmaster@mydomain.com instantly. I don’t understand how this happened as I already scanned the server and all my workstations for malware and everything else. Perhaps it’s residing within Exchange itself? Any help?

    • Sometimes there is too much mail for Exchange to show and once you have cleared the queues, the mail in Exchange will then flow into the queues.

      You may have to clear the queues several times before they start to show up empty.

      Have you tested to see if you are an open Relay?

      Alan
