It doesn't appear that we are an open relay. I also configured GFI 11 to "Delete" messages that are sent by doing Directory Harvesting as opposed to just tagging it and I have seen a major decrease in the amount of postmaster NDR messages. Scott -----Original Message----- From: Simon Butler [mailto:simon@xxxxxxxxxxxx] Sent: Tuesday, November 01, 2005 6:30 PM To: [ExchangeList] Subject: [exchangelist] RE: SPAM!!! Just shut down Exchange 2000 Services http://www.MSExchange.org/ Sounds like you are under an NDR attack. This is where email is sent to your server with an invalid email address on purpose. Your server then attempts to bounce the email to the sender - except the sender is spoofed and is the real target of the spam. To clean up the queues look at my web site here: http://www.amset.info/exchange/spam-cleanup.asp I believe that in GFI Mail Essentials there is a feature for LDAP lookups. This is where GFI checks the user is valid and only allows message delivery if it is. Enabling this feature stops an NDR attack immediately. Exchange 2003 has this feature built in. Retry time for 2 days is usual. Anything shorter than that could mean email is bounced back because the remote site is just having short term issues. Simon. -- Simon Butler MCP, MCSA, MVP:Exchange Amset IT Solutions Ltd. e: simon@xxxxxxxxxxxx w: www.amset-it.com w: www.amset.info -----Original Message----- From: Scott Clarke [mailto:scott.clarke@xxxxxxxxxxxx] Sent: 01 November 2005 21:45 To: [ExchangeList] Subject: [exchangelist] SPAM!!! Just shut down Exchange 2000 Services http://www.MSExchange.org/ Hi all, Please help. We are getting a HUGE amount of spam. I suspect this shut down our Exchange services. I have noticed a lot of messages from postmaster@xxxxxxxxxxxx in the Queues folder...and I mean a lot. As a result our outbound email was slow getting to its destination. I have deleted the postmaster messages to the fictional/spoofed domains and outbound email is now fine. I have also noticed that the Queue is set to retry for 3 days...WOW this is crazy...what are your recommendations, 12 hours? 24 hour? The people that set this up must have kept the defaults. We run GFI v11 to block spam...so it is catching a lot of it but not all. This issue shut down all exchange services and I had to reboot and get rid of the messages in the queues. Help! ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this MSExchange.org Discussion List as: exchange-list3@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Report abuse to listadmin@xxxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this MSExchange.org Discussion List as: scott.clarke@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Report abuse to listadmin@xxxxxxxxxxxxxx