Re: SMTP Connectors with massive queues .. How do i stop this?

From: Les Connor [SBS MVP] (les.connor_at_DEL.cfive.ca)
Date: 05/10/04


Date: Mon, 10 May 2004 08:53:56 -0500

Hi Scamps,

Your server will accept email for non_existent_user@yourdomain.com. When
Exchange cannot deliver the email because the user doesn't exist, it
(Postmaster@yourdomain.com) turns around and sends an NDR (non-delivery
report) to the sender. Most of the time, the sender's email address and
domain are fake, and the NDR cannot be delivered. Hence the queues fill up.
Trying to block these fake domains will do you no good.

Here are some suggestions:

Do this first:

In article 324958, check out the section entitled: "Clean Up the Exchange
Server's SMTP Queues" for the steps you can use to clean up the queue(s).

324958.KB.EN-US HOW TO: Block Open SMTP Relaying and Clean Up Exchange
Server SMTP
http://support.microsoft.com/default.aspx?scid=KB;EN-US;324958

then:

(If you don't use Trend, just ignore those parts - the Exchange parts are
still relevant.)

Without any third party apps except Trend CSM - here is what I use.

1. Exchange

a) Internet Message Format

Advanced Tab

Disallow:
Out of Office responses
Automatic replies
Automatic forward
Delivery Reports
Non-delivery Reports
Allow:
Preserve sender's display name on message.

b) Message Delivery > properties

Sender Filtering Tab

Filter messages with blank sender
Drop connection if address matches filter

Recipient Filtering Tab

Filter recipients who are not in the directory

c) Default SMTP Server

| General | Advanced | Edit (all unassigned)

Apply Sender Filter (although I have no filters presently)
Apply Recipient Filter
Apply Connection Filter (although I have none of these either, presently)

Messages Tab

Send copy of NDR reports is blank.

2. Trend Scanmail eManager

a) Antispam

Enabled
Threshold: High
Action: Quarantine
Notifications Button: None
Approved Senders Button: I have had to add a few to the list, but not many -
mostly list subscriptions.
Blocked Senders Button: None - useless against a reasonably competent
spammer.

b) Content Filter
Anti-spam, hoaxes, chainmail, and Melissa Virus enabled.
The other items will do a *lot* of blocking - too much when your threshold
is set to high.

c) Update

The automatic updates don't work. No reason, no error. But the Update button
does. I've been meaning to take this up with Trend, but haven't yet looked
into it. There are reasonably frequent updates, and they do make a
difference. I update whenever I think of it, generally at least monthly.

d) Log Files

Log files are daily, set to delete after 30 days. The reporting is useful
here, especially for initial tuning.

3. Scanmail

a) Options

Attachment Blocking is *not* enabled in Scanmail, but it is in Exchange. I
think you want to go with one or the other, not both. I may turn off
attachment blocking in Exchange, and instead do it in Scanmail as there are
more options in Scanmail.

Virus actions are set to delete, delete, delete, delete.

b) Active Message Filter

Filter Inbound Messages *see Outlook section for a note.

c) Notification

virus scan - windows event log only
outbreak alert - email me, and event log.
attachment blocking - windows event log.

d) Quarantine Manager

This is where you go to check on the blocked items, including eManager spam
blocked mail. You spend some time here initially tuning things for your
environment.

Quarantine Maintenance is set to delete at 7 days. Works well.

-- 
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !
"Scamps" <anonymous@discussions.microsoft.com> wrote in message
news:ac3001c43691$b83ba150$a501280a@phx.gbl...
> I am a Small Business User of SBS2003 with no time to be
> dealing with exchange mail issues. I have between 5 and 8
> users, yet there are two SMTP connectors that now have
> 16,000 and 70,000 queued messages. The messages appear to
> be being sent by my own Exchange postmaster. Today my
> server has been slowing down so that SQL server
> transactions are three or four times slower than normal
> and it has been thrashing the disk non stop until I
> stopped the default SMTP server. Now the server disk is
> quiet and the SQL transactions have returned to normal
> speed.
>
> q1. Why is this happening? These two websites
> (codehot.co.uk and techsniper.com) are unknown to me or
> the other 5 people in the office.
> q2. How can I stop any emails from them getting in to the
> server?
> q3. How can I stop my postmaster repeatedly trying to
> answer them back?
> q4. What is the impact of me stopping the virtual SMTP
> server? Does it mean that none of our emails get out of
> the organisation?
>
> In desperation
> Scamps
> PS - can we rename SmallBusinessServer as Ifyouhavelots
> ofITSkillsThenBuyThisServer
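
Added example, not part of the original thread: a small Python model of the mechanism described in the reply above, comparing a server that accepts mail for unknown users and then owes an NDR with one that applies "Filter recipients who are not in the directory" and refuses at RCPT TO. The directory, domains and message list are constructed, and `rcpt_reply` and `process` are hypothetical names.

```python
# Added illustration; all addresses and domains below are constructed.
DIRECTORY = {"alice@example.test", "bob@example.test"}
RESOLVABLE = {"partner.test"}          # sender domains that can receive mail

# (MAIL FROM, RCPT TO) pairs: spam to guessed mailboxes plus normal traffic.
INBOUND = [
    ("x1@forged-a.invalid", "sales99@example.test"),
    ("x2@forged-b.invalid", "info77@example.test"),
    ("x3@forged-a.invalid", "alice@example.test"),
    ("carol@partner.test", "bob@example.test"),
    ("carol@partner.test", "bbo@example.test"),   # honest typo by a real sender
]

def rcpt_reply(rcpt, recipient_filter):
    """SMTP reply code for RCPT TO."""
    if recipient_filter and rcpt.lower() not in DIRECTORY:
        return 550   # refused in-session; the server never takes the message
    return 250

def process(inbound, recipient_filter):
    """Classify each message and return the resulting lists."""
    out = {"delivered": [], "rejected": [], "ndr_sent": [], "ndr_stuck": []}
    for mail_from, rcpt in inbound:
        if rcpt_reply(rcpt, recipient_filter) == 550:
            out["rejected"].append(rcpt)
        elif rcpt.lower() in DIRECTORY:
            out["delivered"].append(rcpt)
        else:
            # Accepted but undeliverable: the server now owes an NDR to
            # whatever address MAIL FROM claimed.
            domain = mail_from.rpartition("@")[2].lower()
            # An NDR to a domain that cannot receive mail sits in the
            # outbound queue and is retried until it expires.
            key = "ndr_sent" if domain in RESOLVABLE else "ndr_stuck"
            out[key].append(mail_from)
    return out

if __name__ == "__main__":
    for flag in (False, True):
        result = process(INBOUND, flag)
        print("recipient filter", "on " if flag else "off",
              {k: len(v) for k, v in result.items()})
```

With the filter on, the sender who made the honest typo still learns of the failure, because the 550 reply makes their own mail server generate the bounce.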