RE: SPAM!!! Just shut down Exchange 2000 Services

  • From: "Simon Butler" <simon@xxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 1 Nov 2005 21:59:36 -0000

Sounds like you are under an NDR attack.
This is where email is sent to your server with an invalid email address
on purpose. Your server then attempts to bounce the email to the sender
- except the sender is spoofed and is the real target of the spam. 

To clean up the queues look at my web site here:

I believe that in GFI Mail Essentials there is a feature for LDAP
lookups. This is where GFI checks the user is valid and only allows
message delivery if it is. Enabling this feature stops an NDR attack
Exchange 2003 has this feature built in. 

Retry time for 2 days is usual. Anything shorter than that could mean
email is bounced back because the remote site is just having short term


Simon Butler
MCP, MCSA, MVP:Exchange
Amset IT Solutions Ltd.

e: simon@xxxxxxxxxxxx

-----Original Message-----
From: Scott Clarke [mailto:scott.clarke@xxxxxxxxxxxx] 
Sent: 01 November 2005 21:45
To: [ExchangeList]
Subject: [exchangelist] SPAM!!! Just shut down Exchange 2000 Services

Hi all,

Please help.  We are getting a HUGE amount of spam.  I suspect this shut
down our Exchange services.  I have noticed a lot of messages from
postmaster@xxxxxxxxxxxx in the Queues folder...and I mean a lot.  As a
result our outbound email was slow getting to its destination.  I have
deleted the postmaster messages to the fictional/spoofed domains and
outbound email is now fine.

I have also noticed that the Queue is set to retry for 3 days...WOW this
is crazy...what are your recommendations, 12 hours? 24 hour?  The people
that set this up must have kept the defaults.  We run GFI v11 to block it is catching a lot of it but not all.

This issue shut down all exchange services and I had to reboot and get
of the messages in the queues.


List Archives:
Exchange Newsletters: 
Visit for more information about our other sites:
You are currently subscribed to this Discussion List as:
To unsubscribe visit
Report abuse to listadmin@xxxxxxxxxxxxxx

Other related posts: