SMTP Message Queues


D@ve
April 5th, 2004, 11:46 AM
On my Exchange 2003 server there are several SMTP queues that appear to be spam relay attempts but as I have checked the server from several sources to verify we are not an open relay I am wondering how to get rid of these strange queues completely. It appears that the server accepts the message but will not relay it - just dumps it. How can I stop this altogether?

emr
April 6th, 2004, 03:04 AM
On my Exchange 2003 server there are several SMTP queues that appear to be spam relay attempts but as I have checked the server from several sources to verify we are not an open relay I am wondering how to get rid of these strange queues completely. It appears that the server accepts the message but will not relay it - just dumps it. How can I stop this altogether?


What is making you think they are spam relay attempts? If the server is set to disallow relaying then I don't think they will even appear in the queue.

Are you sure they are not NDRs generated by your Exchange Server in response to emails received for non-existent addresses on your domain? I am getting a lot of these at the moment due to the large amounts of virus emails arriving with spoofed addresses and also addressed to non-existent accounts.

emr

drewmaztech
April 14th, 2004, 12:57 PM
Are there messages in the queues? That may give some information as to where they're coming from.

jfesler
May 19th, 2004, 09:30 AM
I am having these same types of emails show up in my Exchange 2003 server queues.

The messages originate from postmaster@ourdomain.com

They are going to places like whyyoushoulddateme.com and other places that our users wouldn't be sending to.

There is usually only one message per domain, sometimes a few. I have to go in and manually delete them.

I too have set up all the non-relay settings and checked for open relays.

Any advice would be greatly appreciated!!!

corturbra
May 19th, 2004, 09:38 AM
I think what is happening here, from viewing on the 2003 servers I've been installing, is that an e-mail is coming in to an unknown address, for example Spamlist@domain.com. As the e-mail server cannot deliver it, it attempts to send back to the sender (e.g. spammer@spammers.com).

This e-mail will be coming from postmaster@domain.com. If you are using DNS to send e-mails from your server and the return domain has been removed/doesn't exist, the mail server will create a queue and attempt to re-send.

So, it's not a relay attempt, merely an NDR to a non-existent domain.

jfesler
May 19th, 2004, 10:34 AM
I think what is happening here, from viewing on the 2003 servers I've been installing, is that an e-mail is coming in to an unknown address, for example Spamlist@domain.com. As the e-mail server cannot deliver it, it attempts to send back to the sender (e.g. spammer@spammers.com).

This e-mail will be coming from postmaster@domain.com. If you are using DNS to send e-mails from your server and the return domain has been removed/doesn't exist, the mail server will create a queue and attempt to re-send.

So, it's not a relay attempt, merely an NDR to a non-existent domain.

This certainly makes sense. Is there anything I can do to get rid of these? I don't like having messy queues.

Thanks for the info!

corturbra
May 19th, 2004, 11:33 AM
This certainly makes sense. Is there anything I can do to get rid of these? I don't like having messy queues.

Thanks for the info!

Yeah, you can delete them.... not near a 2003 at the moment but if memory servers (pardon the pun) me correctly, then you right click the queue, select details/properties, search (or find now) and then right click on the found messages and delete. Once the queue is empty it should disappear.

If this is wrong I'll post tomorrow when I can get access to a 2003 server.

JT

jfesler
May 19th, 2004, 11:41 AM
Yeah, you can delete them.... not near a 2003 at the moment but if memory servers (pardon the pun) me correctly, then you right click the queue, select details/properties, search (or find now) and then right click on the found messages and delete. Once the queue is empty it should disappear.

If this is wrong I'll post tomorrow when I can get access to a 2003 server.

JT

You are correct with deleting them, that is how you do it. I was hoping there was a way to make them go away without having to delete them every day.

silencio
May 19th, 2004, 04:23 PM
If you're logging the IP of SMTP connections you can go into the SMTP server and deny those IP blocks from accessing the server completely. I've got half of Europe and China blocked in mine. :D
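
One way to combine the two suggestions above (NDRs caused by mail to unknown addresses, and denying source IP blocks), as an added example that is not part of the original thread: it reads W3C extended-format SMTP log lines, counts accepted RCPT commands for mailboxes that do not exist, and lists the source /24 networks that cross a threshold. The log sample, the logged field selection, the mailbox list and the function names are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in W3C extended format; the logged field selection and
# every value are invented for illustration (documentation IPs and domains).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-05-19 09:30:01 198.51.100.7 RCPT +TO:<spamlist@example.com> 250
2004-05-19 09:30:02 198.51.100.9 RCPT +TO:<sales2@example.com> 250
2004-05-19 09:30:05 198.51.100.23 RCPT +TO:<info99@example.com> 250
2004-05-19 09:31:10 203.0.113.40 RCPT +TO:<alice@example.com> 250
2004-05-19 09:31:12 203.0.113.40 MAIL +FROM:<bob@example.org> 250
2004-05-19 09:32:00 192.0.2.14 RCPT +TO:<typo@example.com> 250
"""

# Assumption: an exported list of the addresses that really exist.
VALID_MAILBOXES = {"alice@example.com", "postmaster@example.com"}

RCPT_RE = re.compile(r"TO:<([^>]+)>", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def unknown_rcpt_by_network(text, valid, prefix=24):
    """Count RCPTs for unknown mailboxes (future NDRs) per source network."""
    counts = Counter()
    for entry in parse_w3c(text):
        if entry.get("cs-method", "").upper() != "RCPT":
            continue
        m = RCPT_RE.search(entry.get("cs-uri-query", ""))
        if not m or m.group(1).lower() in valid:
            continue
        net = ipaddress.ip_network(f"{entry['c-ip']}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts

def deny_candidates(text, valid, threshold=3):
    """Networks with at least `threshold` unknown-recipient deliveries."""
    counts = unknown_rcpt_by_network(text, valid)
    return sorted(net for net, n in counts.items() if n >= threshold)
```

A single mistyped address from a legitimate sender (the 192.0.2.14 line) stays below the threshold, so review the output before adding any network to a deny list.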

Eaglec
May 20th, 2004, 04:49 AM
You *could* tweak the retry timings of your SMTP server. I tend to do this so a message retries often over a short period of time so that office workers get 'message failed' notifications the same day they sent the message.

On the business side this means they know the information has to be sent another way or they have to check they used the right address details. By default I think the message is tried for 7 days or something daft.

The other effect of this is your NDRs are dropped from the queue quicker so they're less likely to bother you.

The down side is that if the destination's mail server or your leased line is out for 7 or 8 hours many emails will be failed... but then I think it's better to acknowledge those kinds of issues and let the user resend the email.


Just checking my main Exchange server and I see that I configured it for 10-minute retries for the 1st, 2nd and 3rd attempt then every 15 minutes.
Delay notification after 3 hours and expiration after 6.

jfesler
May 20th, 2004, 07:31 AM
You *could* tweak the retry timings of your SMTP server. I tend to do this so a message retries often over a short period of time so that office workers get 'message failed' notifications the same day they sent the message.

On the business side this means they know the information has to be sent another way or they have to check they used the right address details. By default I think the message is tried for 7 days or something daft.

The other effect of this is your NDRs are dropped from the queue quicker so they're less likely to bother you.

The down side is that if the destination's mail server or your leased line is out for 7 or 8 hours many emails will be failed... but then I think it's better to acknowledge those kinds of issues and let the user resend the email.


Just checking my main Exchange server and I see that I configured it for 10-minute retries for the 1st, 2nd and 3rd attempt then every 15 minutes.
Delay notification after 3 hours and expiration after 6.

Thank you for the suggestion, I may give that a try!