How to help secure the Internet Mail Service and clean up after unsolicited commercial e-mail or spam abuse (324059)

MORE INFORMATION

Exchange Server Service Pack 1 (SP1) introduced the ability to close an open relay. Exchange Server Service Pack 3 (SP3) is the first service pack to allow the secure configuration to occur in the GUI.

To follow these configuration instructions, you must have Exchange Server SP3 or later installed on your Exchange Server computer.

How to Help Secure Your Open Relay

1. Open the Properties dialog box for the Internet Mail Service.
2. Click the Routing tab. The two radio buttons in this window provide two different ways to help secure your server:
   • Reroute Incoming SMTP Mail (required for Post Office Protocol version 3 (POP3)/Internet Message Access Protocol, Version 4rev1 (IMAP4) support)
     
     This method requires additional configuration.
     1. For each domain that you want to be able to accept SMTP mail, click Add, type the domain information, and then make sure that you have selected Should be accepted as inbound.
     2. Click Routing Restrictions.
     3. To help secure the relay, click to select the Hosts and Clients with these IP addresses check box.
   • Do Not Reroute Incoming Messages
     
     Warning Although this method is a valid way to help secure the Internet Mail Service and it does generate non-delivery reports (NDRs) back to the sender, this method makes it possible for your server to be added to spam lists. Spam list servers check your computer to verify if your computer accepts a message for an invalid user when your computer receives the rcpt to: command. If your computer accepts the message, the spam list server considers your computer to be an open relay and it does not run any other tests.
     
     You can use this method alone to help secure your server against open relay abuse. After you select this option, your SMTP server accepts and processes all the messages that it receives, and it returns messages that cannot be delivered locally to your organization. This process can put a heavy load on your server if someone decides to abuse your server with a flood of non-local message traffic because your server processes all SMTP messages that are submitted to it. This is a final configuration and you do not have to configure any additional settings.

After you select one of these two options, all the SMTP messages that are submitted to the server are verified as local upon submission. This helps secure the relay and you do not have to do any additional configuration unless you have one or both of the following situations:

• You have POP3/IMAP4 users who must be able to send mail. If this is the case, click to select the Hosts and Clients that successfully authenticate check box. The clients that connect must then authenticate before they can send messages. If you do not include this in the configuration you may receive the following error message:
  5.7.1 - Relaying Denied NDR
  For additional information about how to configure Outlook and Outlook Express, click the article number below to view the article in the Microsoft Knowledge Base:

  197869 XCLN: Routing Restrictions Require SMTP Authentication

• There is at least one other server that must be able to relay through this server. If this is the case, follow these steps:
  1. Click Hosts and Clients with these IP addresses, and then click Add.
  2. Type the IP address of the server that you want to be able to relay through this Exchange server.
  The mask in this setting is an IP address mask instead of a subnet mask. If you are not sure of this setting and want to permit access for a single IP address, at step 2 type 255.255.255.255. If you want to permit access for a range of addresses later, you can specify the range based on the subnet mask, in other words, the network. For example, the entry 192.168.1.0 with a mask of 255.255.255.0 includes the whole subnet (network).
  
  Important Do not include the range of addresses that includes the Exchange server. If you add the range that includes the server as a member, you may make the server an open relay.

What to Do If There are Thousands of Messages in the Queue

If the UCE abuse of your server was in progress when you locked down your SMTP relay, you may have a huge number of messages in the queue. To clean up these messages:

1. Stop the Internet Mail Service.
2. Locate the Exchsrvr\Imcdata folder (make sure that you have the correct folder, because the working directory may exist on a different drive than the C drive if you have used the performance optimizer). If you open the Out folder in this directory, you may see thousands of items, and it may take a while for this folder to open in Windows Explorer. Each of these items is a raw e-mail message that is waiting to be delivered, and you can open and review these items by using Notepad or another text editor.
3. To quickly bring the server back to working order:
   1. Rename the Out folder in Exchsrvr\Imcdata to Out.old.
   2. Create a new folder and name it Out.
   3. In the Exchsrvr\Imcdata folder, delete the Queue.dat file. The Queue.dat file is the work queue and may be safely deleted because Queue.dat is re-created when you restart the Internet Mail Service. When you delete the Queue.dat file, you cause the Internet Mail Service to enumerate the physical queue directories and notice that messages have been removed from the queue.
   4. Start the Internet Mail Service.

At this point, there are two ways to separate valid messages from UCE messages in the Out.old folder:

• Faster method: Sort by using the message size column header in the Out.old folder and remove the culprit.
• More accurate method: Open a UCE message, find a string of text that is unique to the UCE message, and then perform a search for all messages that contain this string by using the Containing text field in the Search window.

After you separate the valid messages from the UCE messages:

1. Make sure that the queues have been flushed, and then stop the Internet Mail Service again.
2. Move the valid messages into the new Out folder, and then delete the Queue.dat file again.
3. Start the Internet Mail Service.

This procedure replays and delivers the messages that you moved back into the folder for delivery.

What to Do After You Have Locked Down the Relay and Cleaned Up

Even after you have locked down the relay and cleaned up the queue, you may experience some unwanted side effects. Many SMTP servers use a feature to help protect their users from receiving UCE (spam) messages. When you make a connection, a remote server checks the connecting IP address (yours) against a list of known open relays and may refuse your connection if your IP address belongs to a block list. You IP address may belong to a block list if your server has been used as an open relay. The following list shows some of the Web sites that may put your mail server on a block list. If you use only one of these sites, use the first one that is listed. This site automatically checks several Domain Name System Block List sites.

• http://www.moensted.dk/spam/
• http://www.dnsstuff.com
• http://www.openrbl.org
• http://www.dsbl.org
• http://www.mail-abuse.com
• http://postmaster.info.aol.com/
• http://www.spamcop.net
• http://ordb.org

Note Malicious users and others who use UCE continue to find new ways to use services that would typically be considered as "locked down." This article describes methods to combat all the ways of exploiting services that were known at the time that the article was published.

Suggested Reading

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base: