RE: Can not stop junk e-mails send from our server



Hi Bogdan,

Thank you for posting in our newsgroup.

Based on my research, the e-mails are saved in the
c:\ Exchsrvr\Mailroot\vsi 1\UCEArchive folder when the SCL rating is above a
specified threshold. To fix this, we can no longer archive the e-mails or set
the SCL to a lower value.

To do this:

1. Open Exchange System Manager.
2. Double-click Global Settings.
3. Right-click Message Delivery, and then click Properties.
4. Click the Intelligent Message Filtering tab.
5. Under Gateway Blocking Configuration, change SCL to a lower value.
6. You can also select When blocking messages to Reject.

For the e-mails in c:\ Exchsrvr\Mailroot\vsi 1\queue folder, please take
the following steps to check if the mails are NDRs.

1. Start the Exchange System Manager program.
2. Expand Servers, expand your Exchange server, and then click Queues.
3. In the right pane, click a queue that contains many messages, click
Find messages, and then click Find Now.
4. View the Sender field of the returned items.

If most of the messages are from the postmaster e-mail of your e-mail domain,
you may be experiencing a reverse NDR attack.

To resolve this, please take the steps in the following KB:

Exchange queues fill with many non-delivery reports from the postmaster
account in Small Business Server 2003
http://support.microsoft.com/?id=886208

Also, please check if your server is in an open-relay state. You can refer
to the "Determine Whether the Exchange Server Is an Open SMTP Relay"
section of the following Knowledge Base article to reconfirm this:

HOW TO: Block Open SMTP Relaying and Clean Up Exchange Server SMTP Queues
on SBS 2000
http://support.microsoft.com/default.aspx?scid=KB;EN-US;324958

If it's in an open relay status, please configure the Exchange Server to
block open SMTP relaying:

To check the properties on the Default SMTP Virtual Server, follow these
steps:

1. Click Start, click All Programs, click Microsoft Exchange, and then
click System Manager.
2. Expand Servers, expand Servername, expand Protocols, and then expand
SMTP.
3. Right-click Default SMTP Virtual Server and then click Properties.
4. Click the Access tab.
5. Click the Relay button at the bottom.
6. The default settings block open relay. The default settings are as
follows:

Select Only the list below.

The Computers dialog box shows Access Granted to the Internal IP address
of the Small Business Server network and to the external IP address (if the
server has more than one network card.)
Make sure that Allow all computers which successfully authenticate to
relay, regardless of the list above is selected.

7. Set the Default SMTP Virtual Server configuration for relaying as
indicated, which restores its settings to their defaults.

Step 2: Check the properties for the SmallBusiness SMTP Connector, follow
these steps:

1. In the Exchange System Manager, expand Connectors, and then locate the
SmallBusiness SMTP Connector.
2. Right-click the SmallBusiness SMTP connector (or on the connector name
that you manually created), and then click Properties.
3. Click the Address Space tab.
4. The default settings (when this connector is created by means of the
Small Business Server 2000 Internet Connection Wizard) block open relay.
The default settings are:

Address Space -Type: SMTP

Address: *

Cost: 1

The Connector Scope is Entire Organization.

Allow messages to be routed to these domains is cleared (not selected).

Please try my suggestions and let me know the result.

I am looking forward to hearing from you.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<From: =?Utf-8?B?Qm9nZGFu?= <Bogdan@xxxxxxxxxxxxxxxxxxxxxxxxx>
<Subject: Can not stop junk e-mails send from our server
<Date: Sat, 20 Oct 2007 19:54:06 -0700
<Newsgroups: microsoft.public.windows.server.sbs
<
<Hi,
<We did get a call from our ISP, that a lot of e-mails are being sent from
<our location. Then I did take a look at the C:\Program
<Files\Exchsrvr\Mailroot\vsi 1\Queue and C:\Program
<Files\Exchsrvr\Mailroot\vsi 1\UceArchive and I do see a lot of e-mails
<inside, if I do try to delete them, from the queue folder I can not. I ran
<Innoculate with the latest signature, and it says no problem
<
<Please advise as the ISP is going to shut down our service.
<
<
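
The queue check described in the reply above (look at the Sender field and see whether most messages come from the postmaster address), as an added example that is not part of the original thread or of any Microsoft tool. It assumes the queued messages have been copied out as RFC 822 text files, that example.com stands in for the server's own domain, and that "most" means more than half; `load_queue` and its folder argument are hypothetical.

```python
"""Tally senders of queued messages to spot a postmaster-dominated (NDR) queue."""
import email
from collections import Counter
from email.utils import parseaddr
from pathlib import Path

# Constructed sample messages (not real traffic). example.com is a placeholder
# for the server's own e-mail domain.
SAMPLE_QUEUE = [
    "From: postmaster@example.com\nTo: a@spoofed.invalid\n"
    "Subject: Delivery Status Notification (Failure)\n\nbody\n",
    "From: Postmaster <postmaster@EXAMPLE.COM>\nTo: b@spoofed.invalid\n"
    "Subject: Delivery Status Notification (Failure)\n\nbody\n",
    "From: postmaster@example.com\nTo: c@spoofed.invalid\n"
    "Subject: Delivery Status Notification (Failure)\n\nbody\n",
    "From: postmaster@example.com\nTo: d@spoofed.invalid\n"
    "Subject: Delivery Status Notification (Failure)\n\nbody\n",
    "From: alice@example.com\nTo: partner@customer.invalid\n"
    "Subject: Quote\n\nbody\n",
]

def sender_of(raw):
    """Return the lower-cased address from the From: header ('' if absent)."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()

def summarize(raw_messages, own_domain, threshold=0.5):
    """Count senders and flag the queue when postmaster@own_domain dominates.

    threshold is an assumed reading of "most of the messages" (more than half).
    """
    senders = Counter(sender_of(m) for m in raw_messages)
    total = sum(senders.values())
    postmaster = senders.get(f"postmaster@{own_domain.lower()}", 0)
    share = postmaster / total if total else 0.0
    return {"total": total, "postmaster": postmaster, "share": share,
            "ndr_flood_suspected": total > 0 and share > threshold,
            "top_senders": senders.most_common(5)}

def load_queue(folder):
    """Read *.eml copies of queued messages from a working folder (hypothetical)."""
    return [p.read_text(errors="replace")
            for p in sorted(Path(folder).glob("*.eml"))]

if __name__ == "__main__":
    print(summarize(SAMPLE_QUEUE, "example.com"))
```

A queue dominated by postmaster senders points at the reverse NDR scenario; a queue dominated by unfamiliar external senders points instead at the open-relay check that follows in the reply.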
