Depends what sort of attack it is.
Sounds like an NDR attack. Therefore the first thing you should do is turn off the option on the SMTP virtual server to receive a copy of NDRs. That is usually a waste of time anyway.
You haven't said which version of Exchange it is, if it is Exchange 2003 or higher you should enable recipient filtering.
If there are messages in the queues, then you will need to clean them up.
Take a look at my spam cleanup article: http://www.amset.info/exchange/spam-cleanup.asp
From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Dan Crain
Sent: 18 October 2007 17:21
Subject: [ExchangeList] Spam Attack
Woke up today to find my phone downloading 5000 system administrator messages so I naturally assumed spam attack.
Checked my isa logs to make sure it was coming from outside the company and sure enough they are from a range of ip addresses which appear to be 168.95.6.xxx and 168.95.4.xxx the whole range
Right now I've been deleting the emails by stopping the smtp queue and deleting the emails from the folder.
My question is, how do I stop this? This is the first time I've had this done to my server.
Any help would be great...thanks,
Daniel A. Crain
Dean, Ringers, Morgan & Lawton, P.A.
201 East Pine Street, Suite 1200
Orlando, FL 32801
NOTE: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error, please notify Dan Crain at DanC@xxxxxxxxxxxx immediately by replying to the message and deleting it from your computer. Thank you.