Cleaning Up the Exchange 2003 Server’s SMTP Queues after NDR attacks

On May 7, 2010, in How-to, by Cubert aka (Cube Dweller)

Warning: This process will delete all email that is due to go to external recipients. Internal messages are not affected, neither are new inbound messages from the Internet unless they are from the spammer continuing to try and abuse your server.

Capturing the Messages Into a Single Queue

This process requires an SMTP connector for all addresses. If you don’t already have one (with a * on the namespace tab) then you need to create one using the instructions below. 
If you already have an SMTP Connector with a * on the namespace tab, then you can use it for this process. You will need to adjust the settings as appropriate. You may wish to just make a note of the settings, delete the connector and create a new one for this process. When complete recreate your live connector.

  1. In ESM, Connectors.
  2. Find default SMTP connector, select properties and then select “Address Space” Edit the SMTP entry and make it a cost of 2.
  3. Right click on connectors and choose New, SMTP Connector.
  4. On the “General Tab” type a name for the connector. “Spam Cleanup” or similar.
  5. Click the “Add” button under “Local Bridgeheads” and choose your Exchange server.
  6. Click on the “Address Space” tab.
  7. Click “Add” and choose SMTP. Leave each setting (* and cost of 1) and press ok.
    If all the spam is to one domain, then you could remove the * and enter the domain that the messages are being sent to. This should leave legitimate messages in the queue.
  8. Click on the General tab again. Change the option in the centre from DNS to “Forward all mail through this connector to the following smart hosts”.
  9. Enter an invalid IP address in square brackets:  [99.99.99.99].
  10. Click on the “Delivery Options” tab and ensure that “Specify when messages are sent through this connector” is selected.
  11. Change the option to 11pm. (If it is close to 11pm when you are doing this, use a much earlier time – 6am or similar. The time doesn’t matter as long as it is not close).
  12. Press Apply/OK to close the SMTP Connector dialogue.
  13. Restart SMTP Virtual Server.
    1. Expand Servers, <your server>, Protocols, SMTP.
    2. Right click on the “Default SMTP Virtual Server”
    3. Choose “Stop”. This may take a few minutes.
    4. Once it has stopped, right click again and choose “Start”.

The Exchange SMTP virtual server is now processing all the messages and placing them in to a single queue for your SMTP connector. This can take some time. You may want to wait until the number of messages in the queue stays constant before attempting the next stage.

Exchange 2000: The queues can be found in Servers, <your server>, Protocols, SMTP.

Exchange 2003: The queues can be found in Servers, <your server>, Queues.

Deleting the Messages

Now that the messages are in one queue, it is quite easy to delete them

Exchange 2003

  1. Right click on this connector and choose “Find Messages”.
  2. In the drop down box select the number of messages to be listed in the search.
  3. Click “Find Now”.
  4. Once the search is complete, select all of the messages (use the shift-page down key combination)
  5. Then click “Delete all Messages (No NDR).

Exchange 2000

  1. Right click on this connector and choose “Delete All Message (No NDR)”
  2. Select Yes when asked if you want to delete all the messages in the queue.

Once the messages have been deleted, which could take some time, refresh the queues to ensure that they don’t continue to build. If they do then Exchange is still processing the messages. You will need to repeat the procedure to delete more messages until the queues are completely clear and stay at zero.

Once you have flushed out the messages, undo the changes that you have made.

If it was a new SMTP connector, delete it.
If you adjusted an existing connector, put the settings back how they were. Don’t forget the time on the “Delivery Options” tab. it should be “Always Run”.

Finally restart SMTP virtual server to get Exchange to start using the new settings.

Tagged with:
 

2 Responses to “Cleaning Up the Exchange 2003 Server’s SMTP Queues after NDR attacks”

  1. […] Cleaning Up the Exchange 2003 Server’s SMTP Queues after NDR …May 7, 2010 … Warning: This process will delete all email that is due to go to external recipients. Internal messages are not affected, neither are new inbound … […]

  2. Mauridio says:

    Excelent guide friend, very glad… regards.

Leave a Reply