Exchange queues fill with many non-delivery reports from the postmaster account in Small Business Server 2003 (886208)


The information in this article applies to:

  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SYMPTOMS

You experience one or more of the following symptoms on your Microsoft Windows Small Business Server (SBS) 2003-based computer:
  • The Microsoft Exchange Server 2003 server queues contain many outgoing messages that are waiting to be delivered to external addresses. In this scenario, each of these e-mail messages has postmaster name@name of your e-mail domain.com in the From field.
  • Your Internet service provider (ISP) notifies you that your Exchange server is delivering unsolicited commercial e-mail (UCE). UCE is also known as spam.
  • When you visit the Internet from the Windows SBS 2003-based computer or from a computer that is on the local area network (LAN), Internet access is very slow.
  • The Store.exe process and the Inetinfo.exe process use lots of CPU time and lots of available memory.
  • If you stop the Simple Mail Transfer Protocol (SMTP) service, Internet access times are faster, and the Store.exe process and the Inetinfo.exe process return to their typical levels of CPU and memory usage.
  • The drive that contains the BadMail folder runs out of space. By default, the BadMail folder is located in the "C:\Program Files\Exchsrvr\Mailroot\vsi 1" folder.

CAUSE

This issue occurs if your computer is the target of a reverse non-delivery report (NDR) attack.

RESOLUTION

To resolve this issue, create a recipient filter to prevent Exchange Server 2003 from accepting messages that are sent to recipients who do not exist. To do this, follow these steps:

Step 1: Determine whether the messages in the queues are NDR messages

  1. Start the Exchange System Manager program.
  2. Expand Servers, expand your Exchange server, and then click Queues.
  3. In the right pane, click a queue that contains many messages, click Find messages, and then click Find Now.
  4. View the Sender field of the returned items. If the sender of the message is postmaster name@name of your e-mail domain.com, the message is an NDR message. Double-click the message to view the external recipient of this message.
Follow steps 3 through 4 to view the messages in other SMTP queues. If most of the messages are from postmaster name@name of your e-mail domain.com, you may be experiencing a reverse NDR attack. If most of these messages are not from postmaster name@name of your e-mail domain.com, your computer may be configured as an SMTP open relay or it may be the target of an authenticated relay attack. For additional information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:

324958 How to block open SMTP relaying and clean up Exchange Server SMTP queues on SBS

If your computer is configured as an open SMTP relay, or if you computer is the target of an authenticated relay attack, you do not have to continue to "Step 2: Configure recipient filtering in Exchange 2003". However, if your computer is the target of a reverse NDR attack, create a recipient filter to prevent Exchange Server 2003 from accepting messages that are sent to recipients who do not exist. To do this, continue to "Step 2: Configure recipient filtering in Exchange 2003".

Step 2: Configure recipient filtering in Exchange Server 2003

In the default Exchange configuration, e-mail that is sent to name of your e-mail domain.com is accepted as local regardless of the e-mail alias that the message is addressed to. The e-mail alias is the part of the e-mail address that is on the left side of the at (@) symbol. If an e-mail message is sent to an alias that is not valid, the Simple Mail Transfer Protocol (SMTP) service receives the whole message, and then queries the Active Directory directory service for a user or a distribution group that has a matching e-mail alias. For example, if an e-mail message is sent to invalid user name@name of your e-mail domain.com, SMTP queries Active Directory for a user or a distribution group that has the invalid user name@name of your e-mail domain.com alias. However, if the e-mail alias does not exist, Exchange tries to send an NDR to the original e-mail message sender. This can cause many messages, queues, or both, to appear in Exchange System Manager.

After you enable recipient filtering, Exchange validates the e-mail address before Exchange accepts the e-mail message. In this scenario, if no match for this e-mail alias appears in Active Directory, an NDR is still generated. However, in this scenario, it is the responsibility of the sending SMTP server instead of your Exchange server to generate and to deliver the NDR.

Note Recipient filtering is only available in Exchange 2003 Server.

To configure recipient filtering, follow these steps:
  1. Start the Exchange System Manager tool.
  2. Expand Global Settings, right-click Message Delivery, and then click Properties.
  3. Click the Recipient Filtering tab, click to select the Filter recipients who are not in the Directory check box, and then click OK.
  4. When you receive the following message, click OK:Connection, Recipient, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help.
  5. Expand Servers, expand your computer, expand Protocols, expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
  6. On the General tab, click Advanced.
  7. Click Edit, click to select the Apply Recipient Filter check box, and then click OK three times.
Note If you are running Exchange in a front-end/back-end environment, recipient filtering must be enabled on the SMTP bridgehead server or servers.

After you enable recipient filtering, a certain technique may be used against your Exchange server to gather information about the valid e-mail addresses in your organization. This technique is known as a Directory Harvest Attack.

For additional information about how to help prevent this kind of attack, click the following article number to view the article in the Microsoft Knowledge Base:

842851 A security update is available to help prevent the enumeration of Exchange Server 2003 e-mail addresses

Step 3: Clean up the Exchange queues

Remove the UCE from the SMTP queues on your computer. To do this, follow these steps:

Warning During this process, all messages that are destined to external SMTP recipients are deleted. Internal e-mail messages and incoming e-mail messages from the Internet are not affected. These settings are temporary, and the typical mail flow is restored after the Exchange SMTP queues are cleaned up.
  1. Start the Server Management tool.
  2. Expand Advanced Management, expand your Exchange organization, and then click Connectors.

    Note This procedure requires an SMTP connector.
  3. Use one of the following methods:
    • If your Windows SBS-based computer does not have an SMTP connector, you must create one. To create an SMTP connector, follow these steps:
      1. Right-click Connectors, point to New, and then click SMTP Connector.
      2. In the Name box, type temporary smtp connector.
      3. Click Add, click your Windows SBS-based computer in the Server box, and then click OK.
      4. Click the Address Space tab, and then click Add.
      5. Click SMTP, click OK, leave the asterisk in the E-mail domain box, and then click OK.
      6. Click the General tab.
    • If your Windows SBS-based computer has an SMTP connector, you must modify the connector. Typically, the Windows SBS SMTP connector is named SmallBusiness SMTP connector. To modify this connector, follow these steps:
      1. Right-click this connector, and then click Properties.

        Note If you have more than one SMTP connector, work with the one that contains an asterisk in the SMTP address space on the Address Space tab.
      2. Click the General tab, and then note all the settings that are listed on this tab. You must restore these settings after you clean out the Exchange queues.
  4. Click Forward all mail through this connector to the following smart hosts, type an IP address that is not valid, and enclose it in square brackets. For example, type [99.99.99.99].
  5. Click the Delivery Options tab, and then click Specify when messages are sent through this connector.
  6. In the Connection time list, click Run daily at 11:00 PM, and then click OK.
  7. In the left pane of the Server Management tool, expand Servers, expand your Windows SBS-based computer, expand Protocols, expand SMTP, right-click Default SMTP Virtual Server, and then click Stop.
  8. When the Default SMTP Virtual Server has successfully stopped, right-click Default SMTP Virtual Server, and then click Start.
  9. After the Default SMTP Virtual Server has successfully started, wait for about 10 minutes.

    Note When you restart the default SMTP virtual server, it re-enumerates the e-mail messages and puts them in a single queue for the Windows SBS SMTP connector that you configured.
  10. In the left pane of the Server Management tool, expand Servers, expand your Windows SBS-based computer, and then click Queues.
  11. Note the total number of messages that appear next to the Windows SBS SMTP connector that you configured. This number must stabilize so that you can remove all the e-mail messages at the same time.
  12. Every 15 minutes, right-click Queues, and then click Refresh.
  13. Repeat step 12 until the number of messages in the Windows SBS SMTP connector queue remains constant.
  14. In the right pane, right-click the Windows SBS SMTP queue, and then click Find messages.
  15. In the Number of messages to be listed in the search box, click an appropriate number to let you remove all the messages at the same time. For example, if you have 900 messages that you want to remove, click 1000 in the Number of messages to be listed in the search box.
  16. Click Find Now.
  17. In the Search Results list, select all the messages. To do this, click a message, and then press SHIFT+PAGE DOWN.
  18. Right-click the selected messages, and then click Delete (no NDR).
  19. When you receive the following message, click Yes:Are you sure you want to delete messages in the queue?Note If you are removing many messages, the removal process may take a long time.
  20. After the messages are successfully removed, close the Find Messages connector name dialog box.
  21. Right-click Queues, and then click Refresh.
  22. Note the total number of messages that appear next to the Windows SBS SMTP connector that you configured. This number must be zero.
  23. Repeat steps 21 and 22 about every 5 minutes to make sure that the Windows SBS SMTP queue remains at zero messages. If the number of messages in the Windows SBS SMTP queue increases, Exchange Server 2003 is still processing messages for external delivery. In this scenario, continue to update the display until the number of messages in the Windows SBS SMTP queue stabilizes.
  24. Repeat steps 14 through 23 until the number of messages in the Windows SBS SMTP queue remains at zero. In this scenario, the Exchange Server 2003 SMTP queues have been cleaned of all the UCE.
After you have cleaned the Exchange SMTP queues, restore your SMTP connector configuration to its original settings. If you created a temporary SMTP connector, remove it. To do this, follow these steps:
  1. In the left pane of the Server Management tool, expand Connectors, right-click temporary smtp connector, and then click Delete.
  2. When you receive the following message, click Yes:Are you sure you want to delete 'temporary smtp connector'
Note After you modify or remove the SMTP connector, you must restart your SMTP virtual server.

If the Exchange queues fill with outgoing messages that are waiting to be delivered to external recipients after you complete this process, your computer may be configured as an SMTP open relay, or your computer may be the target of an authenticated relay attack. For additional information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:

324958 How to block open SMTP relaying and clean up Exchange Server SMTP queues on SBS

MORE INFORMATION

People who send UCE to e-mail recipients have discovered a method to work around the e-mail filters that are built into many e-mail messaging systems. In this scenario, the people who send UCE try to take advantage of the delivery status notification functionality in the e-mail server. In a typical e-mail messaging system, an NDR delivery status notification message is generated when an e-mail message cannot be delivered. Additionally, this NDR message typically contains the content of the undeliverable message. This behavior follows the RFC standards. Therefore, most messaging systems behave this way.

The person who sends UCE uses this NDR message to deliver UCE. This kind of UCE delivery is known as a reverse NDR attack. This kind of UCE delivery works in the following way:
  1. Unsolicited commercial e-mail is created with the destination recipient's e-mail address in the Sender field of that e-mail message.
  2. A fictitious user name together with your domain name is added as the recipient of this e-mail message.
  3. This unsolicited commercial e-mail message is sent to your domain.
  4. Your e-mail server accepts this message because it is sent to your domain.
  5. Your e-mail server cannot deliver this message because the recipient does not exist.
  6. Your e-mail server sends an NDR to the person who appears as the sender of this message. In this scenario, the person who appears as the message sender is the external recipient that receives the NDR from the postmaster account. The person who sends the UCE puts the intended recipient of the UCE in the Sender field of the message. Therefore, the intended recipient receives the NDR from the postmaster account in your e-mail domain.
  7. The NDR is sent to the external e-mail address from the postmaster address of your domain. This NDR may contain the original UCE message.
  8. The unsuspecting user might read this NDR together with the UCE message. Therefore, the UCE message has been delivered successfully to the external recipient who is listed in the Sender field of the original e-mail message.
For additional information about related topics, click the following article number to view the article in the Microsoft Knowledge Base:

823866 How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003

Modification Type:MajorLast Reviewed:12/16/2004
Keywords:kbenv kbtshoot kbprb KB886208 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.