A large number of messages are pending in the e-mail server send queue.
For this issue, we have to know what messages are in the pending submission
queue first. Please start 'Exchange System Manager' and expand to Queues
under your Exchange Server. Please check if there are any messages stuck in
the specific queue. If so, is it the "Messages pending submission" queue?
Please check where these messages are sent from and will be sent to. Is the
sender address or destination address in your email organization? Please
also check "Additional queue information" in the right pane to see the
possible reason why the e-mails queued up there. Please paste the
information back here.
The most likely cause is that the Exchange SMTP server is set to open relay. I
would like to suggest checking this setting via the following KB article.
324958 HOW TO: Block Open SMTP Relaying and Clean Up Exchange Server SMTP
http://support.microsoft.com/?id=324958
In addition, I would think this is an NDR attack issue. Spammers have a new
means to avoid filters built into many systems. They take advantage of a
mail system's sending of a non-delivery report (NDR) when a message cannot
be delivered as addressed and returns the original contents. Since this
follows the RFC standard, most all mail servers will function this way.
This is what is called a "Reverse NDR attack" (RNDR). This form of attack
is becoming increasingly widespread. Some users get it so badly that over
33% of their Internet messages are attributed to this type of spam. The end
result is the spammer has attained a new form of mail relaying. Your
server's resources are being stolen to deliver spam.
How does a "Reverse NDR" attack work?
Step 1 Spam e-mail is created with the intended spam victim's address in
the sender field and a random, fictitious recipient, at your domain, in the
To: field.
Step 2 Your mail server cannot deliver the message and sends an NDR e-mail
back to what appears to be the sender of the original message, the spam
victim.
Step 3 The return e-mail carries the non-delivery report and possibly the
original spam message. Thinking it is e-mail they sent, the spam victim
reads the NDR and the included spam.
What are the symptoms of a RNDR attack?
1. Sluggish e-mail delivery
2. Outbound queues full of non-delivery notices
3. Excessive admin time to clear outbound queues
If you are experiencing any of the above, chances are good your mail server
is under attack.
To stop the RNDR from happening, you can try either of the following
methods:
1. Follow the steps below to enable recipient filtering on the SMTP virtual
server:
NOTE: When you enable recipient filtering on the SMTP virtual server,
e-mail messages that are received from anyone on the recipient filter are
not accepted. Recipient filtering is set globally, but you enable it on a
per-Virtual Server basis on each SMTP virtual server.
- To create a recipient filter:
A. Click "Start", point to "Programs", point to "Microsoft Exchange", and
then click "System Manager".
B. Expand "Global Settings", right-click "Message Delivery", and then click
"Properties".
C. Click the "Recipient Filtering" tab, and then click the checkbox "Filter
recipients who are not in the directory" at the bottom.
D. Specify any additional filter options that you want to configure. Select
Apply, and then click "OK".
- To enable recipient filtering on the SMTP virtual server:
A. In Exchange System Manager, expand "Servers", expand "<ServerName>", and
then expand "Protocols".
B. Expand "SMTP", right-click "Default SMTP Virtual Server", and then click
"Properties".
C. Click the "General" tab, and then click "Advanced".
D. In the "Address" list, click the IP address where you want to apply the
recipient filter, and then click "Edit".
E. Click to select the "Apply Recipient Filter" check box, click "OK", and
then click "OK".
NOTE: Recipient filter rules apply only to anonymous connections.
Authenticated users and Exchange servers bypass these validations.
2. Another option is to set Exchange to not send NDR's globally by going
into Exchange System Manager -> Global Settings -> Internet Message Formats
and right-click on "Default" on the right ( the one with the * ) and click
Properties. Click the Advanced tab and uncheck "Allow non-delivery reports".
Please note that there are consequences to both methods:
1. Implementing recipient filtering - Exchange will check to see if the
user exists prior to accepting an incoming message. This solution "may"
allow the "bad guys" to determine which email addresses are valid on your
domain. Also, this type of filtering will increase the processing overhead
of incoming messages (in SBS environments, that should not be a big
problem).
842851 A software update is available to help prevent the enumeration of
Exchange 2003 e-mail addresses
http://support.microsoft.com/?id=842851A
2. Turning off NDR's - This will impact the business as if a legitimate
person on the Internet "typos" an email address when sending to your domain
(like Mary_oops_Jones@xxxxxxxxxxxxxx), he will NOT get an NDR and will
have no notification that the user did not get the message.
You will need to understand the implications of the 2 methods above and
determine which is appropriate.
Furthermore, the following articles may help you to secure your Exchange network.
Antispam Capabilities in Exchange Server 2003
http://www.microsoft.com/exchange/techinfo/security/antispam.asp
Exchange Server 2003 Security Hardening Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=en
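
Added example, not part of the original post or of any Microsoft tool: a Python check that reads SMTP virtual server logs in W3C extended format and reports, per client IP, how many accepted recipients do not exist in the directory and which forged sender addresses would receive the resulting NDRs. The field layout, the sample log lines, the domain contoso.example and the recipient list are constructed assumptions; the parser takes column names from the #Fields header, so it follows whatever fields your log actually records.

```python
from collections import Counter, defaultdict

# Constructed sample (assumed W3C layout: SMTP verb in cs-method,
# its argument in cs-uri-query, SMTP reply code in sc-status).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2005-03-01 10:00:01 203.0.113.9 MAIL +FROM:<victim1@example.net> 250
2005-03-01 10:00:01 203.0.113.9 RCPT +TO:<qzxv12@contoso.example> 250
2005-03-01 10:00:02 203.0.113.9 MAIL +FROM:<victim2@example.org> 250
2005-03-01 10:00:02 203.0.113.9 RCPT +TO:<aaab77@contoso.example> 250
2005-03-01 10:00:03 203.0.113.9 RCPT +TO:<bob@contoso.example> 250
2005-03-01 10:00:05 198.51.100.7 MAIL +FROM:<partner@example.com> 250
2005-03-01 10:00:05 198.51.100.7 RCPT +TO:<mary.jones@contoso.example> 250
"""
LOCAL_DOMAIN = "contoso.example"   # hypothetical local mail domain
VALID_RECIPIENTS = {"bob@contoso.example", "mary.jones@contoso.example"}

def parse(log_text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def address(query):
    """'+TO:<a@b>' -> 'a@b'; returns '' for the null sender '<>' or no brackets."""
    start, end = query.find("<"), query.find(">")
    return query[start + 1:end].lower() if 0 <= start < end else ""

def backscatter_report(log_text, valid, local_domain):
    """Per client IP: accepted local recipients, unknown ones, and NDR targets."""
    sender = {}                      # most recent MAIL FROM per client IP
    accepted, unknown = Counter(), Counter()
    ndr_targets = defaultdict(set)   # forged senders that will be sent an NDR
    for row in parse(log_text):
        ip, verb = row["c-ip"], row["cs-method"].upper()
        addr = address(row["cs-uri-query"])
        if verb == "MAIL":
            sender[ip] = addr
        elif (verb == "RCPT" and row["sc-status"] == "250"
              and addr.endswith("@" + local_domain)):
            accepted[ip] += 1
            if addr not in valid:    # accepted now, bounced later as an NDR
                unknown[ip] += 1
                if sender.get(ip):
                    ndr_targets[ip].add(sender[ip])
    return {ip: {"accepted": accepted[ip], "unknown": unknown[ip],
                 "ndr_targets": sorted(ndr_targets[ip])}
            for ip in accepted if unknown[ip]}
```

A client whose accepted recipients are mostly unknown, each with a different sender address, matches the Step 1 to Step 3 pattern described above. Once recipient filtering is applied the same RCPT commands are refused instead of accepted, so they no longer appear in this report.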