How to troubleshoot non-delivery reports in the Exchange Queue

Your Exchange Server mail queue contains all outgoing email messages that are intended for delivery outside of your server. All messages are held as files in a directory configured by administrators. Unfortunately, the queue directory sometimes stalls and fails to release those messages. When this happens, the queued messages may look like unsolicited commercial email (UCE) to the external destination servers, and may even be classified as spam.

The server may slow down and appear unresponsive. Running Task Manager and looking for runaway processes will usually show that the Store.exe and Inetinfo.exe processes are consuming large amounts of CPU and memory. Stopping the Simple Mail Transfer Protocol (SMTP) service causes Store.exe and Inetinfo.exe to release that CPU and memory.

It is possible that your server is being targeted by attackers and is receiving large numbers of non-delivery reports (NDRs). If this is the case, your system or organization is the victim of a reverse NDR attack.

This problem can be solved by configuring a recipient filter that prevents those messages from being accepted in the first place: the recipient filter stops your Exchange Server from accepting messages addressed to non-existent recipients. Before doing so, an administrator should determine whether the messages in the queue really are NDR messages. The following steps show how to decide whether you are the target of a reverse NDR attack.

  1. Start the Exchange System Manager.
  2. Expand Servers.
  3. Expand your Exchange server.
  4. Click Queues.
  5. In the right pane, click a queue that contains a large amount of messages.
  6. Click Find messages, and then click Find Now.
  7. Review the Sender field of the returned messages. The message is an NDR if its sender is postmaster@<your e-mail domain>.
  8. Double-click the message to display the external recipient of the message.

Steps 5 through 8 can be used to review the messages in the other Simple Mail Transfer Protocol (SMTP) queues. If most of the messages are from postmaster@<your e-mail domain>, your system is most likely the target of a reverse NDR attack. If most of the messages are not from postmaster@<your e-mail domain>, your system is most likely set up as an SMTP open relay; it is also possible that your system is the target of an authenticated relay attack.
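The same triage can be scripted from the Exchange 2010 Management Shell instead of clicking through the Queue Viewer. This is an added example, not code from the original article; it assumes the Exchange 2010 cmdlets Get-Queue and Get-Message, and the 100-message threshold and the result labels are this example's own choices.

```powershell
# Added example: classify backed-up queues as "reverse NDR" or "relay abuse"
# based on the ratio of bounce messages they hold. Run in the Exchange 2010
# Management Shell on (or pointed at) a Hub or Edge Transport server.
function Get-QueueNdrProfile {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [int]$MinMessages = 100          # only look at queues that are actually backing up
    )
    Get-Queue -Server $Server |
        Where-Object { $_.MessageCount -ge $MinMessages } |
        ForEach-Object {
            $queue = $_
            $msgs  = @(Get-Message -Queue $queue.Identity -ResultSize Unlimited)
            # Bounce messages the server generates itself use the null reverse-path "<>";
            # the postmaster@ match covers the sender shown in the article's GUI steps.
            $ndr   = @($msgs | Where-Object {
                         $_.FromAddress -eq '<>' -or $_.FromAddress -like 'postmaster@*'
                     })
            $ratio = if ($msgs.Count) { $ndr.Count / $msgs.Count } else { 0 }
            [pscustomobject]@{
                Queue       = $queue.Identity
                NextHop     = $queue.NextHopDomain
                Messages    = $msgs.Count
                NdrMessages = $ndr.Count
                LikelyCause = if ($ratio -ge 0.5) { 'Reverse NDR attack' }
                              else { 'Open relay or authenticated relay abuse' }
            }
        }
}

# Usage: list the suspect queues, largest first
Get-QueueNdrProfile | Sort-Object Messages -Descending | Format-Table -AutoSize
```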

The Recipient Filter agent can be enabled on Exchange Server 2010 systems and functions as an anti-spam agent. Note that the Edge Transport server role should also be configured. Using the recipient address from the RCPT TO command of an inbound SMTP session, the recipient filter can take different courses of action. Because the decision is made during the SMTP session, rejected messages never reach the queue and cannot accumulate on the server.

Based on the characteristics of the recipients, as indicated in the RCPT TO command, one of the following actions is taken:

  • The Edge Transport server can send a “550 5.1.1 User unknown” SMTP session error to the sending server if the inbound message contains a recipient that is on the Recipient Block list.
  • The Edge Transport server sends a “550 5.1.1 User unknown” SMTP session error to the sending server if the inbound message contains a recipient that doesn’t match any recipients in Recipient Lookup.
  • The Edge Transport server sends a “250 2.1.5 Recipient OK” SMTP response to the sending server, and the message is processed by the next anti-spam agent in the chain process, if the recipient isn’t on the Recipient Block list and the recipient is in Recipient Lookup.
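The filter behaviour above is configured with the Exchange 2010 Management Shell. This is an added example rather than configuration from the original article; it assumes the Exchange 2010 cmdlets Get-/Set-RecipientFilterConfig, Get-AcceptedDomain and Test-EdgeSynchronization, and the contoso.com address is a placeholder.

```powershell
# Added example: enable Recipient Lookup and a block list on an Exchange 2010
# Edge Transport server, then check the preconditions the agent depends on.

# 1. Record the current state before changing anything
Get-RecipientFilterConfig |
    Format-List Enabled, RecipientValidationEnabled, BlockListEnabled, BlockedRecipients

# 2. Enable the agent and Recipient Lookup. Unknown RCPT TO addresses now get
#    "550 5.1.1 User unknown" during the session, so the server never queues
#    them and never has to generate a bounce for them.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 3. Recipient Lookup is only applied to accepted domains that are address-book
#    enabled (authoritative domains are by default). Confirm rather than assume.
Get-AcceptedDomain |
    Where-Object { -not $_.AddressBookEnabled } |
    ForEach-Object { Write-Warning "Recipient validation is skipped for $($_.DomainName)" }

# 4. Optionally block specific recipients, e.g. a retired alias that still attracts mail
#    (placeholder address; the @{Add=...} syntax appends to the multi-valued list)
Set-RecipientFilterConfig -BlockListEnabled $true -BlockedRecipients @{Add = 'old-alias@contoso.com'}

# 5. On Edge Transport the lookup uses the recipient list that EdgeSync replicates
#    from Active Directory; run this on a Hub Transport server to confirm it is healthy.
Test-EdgeSynchronization
```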

Another possible reason for an unresponsive email queue is that the disk drive containing the BadMail folder has run out of space. Administrators can check the BadMail folder, located in the `C:\Program Files\Exchsrvr\Mailroot\vsi 1` directory, for current disk space usage.

Administrators should also try clearing the contents of the Exchange queue by deleting the email messages from the queue directory. The Exchange System Manager console can be used to perform this action with the following steps:

  1. Click “Start”.
  2. Select “All Programs”.
  3. Click “Microsoft Exchange”.
  4. Click “System Manager” to open the mail manager for Exchange Server.
  5. Double-click “Servers”.
  6. Click “Queues”. This will show the email messages queued in the email server directories.
  7. Select the queue you wish to edit.
  8. Click the “Freeze” button. This will prevent email messages from being sent.
  9. Highlight the messages in the queue you wish to delete.
  10. Right-click the highlighted email messages and then click on “Delete (no NDR).” Email messages will be deleted and delivery reports will not be sent.
  11. Click “Yes” to confirm you wish to delete the messages.

Note that it may take a short while for the deleted messages to be cleared from the disk drive.
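The freeze-then-delete-without-NDR procedure above has a shell equivalent on Exchange 2010, shown here as an added example that is not part of the original article. It assumes the Exchange 2010 cmdlets Suspend-Queue, Get-Message, Remove-Message and Resume-Queue; the queue identity is a placeholder, and restricting the deletion to bounce messages is this example's own choice so that legitimate queued mail is left alone.

```powershell
# Added example: freeze a queue, remove only the bounce messages in it without
# generating further NDRs, then let the remaining mail continue.
function Clear-NdrMessages {
    param(
        [Parameter(Mandatory = $true)][string]$QueueIdentity,   # e.g. "EXCH01\1234" (placeholder)
        [switch]$DryRun
    )
    # "Freeze": nothing leaves the queue while we work on it
    Suspend-Queue -Identity $QueueIdentity -Confirm:$false

    $targets = @(Get-Message -Queue $QueueIdentity -ResultSize Unlimited |
        Where-Object { $_.FromAddress -eq '<>' -or $_.FromAddress -like 'postmaster@*' })

    if ($DryRun) {
        Write-Host "Would delete $($targets.Count) bounce messages from $QueueIdentity"
    } else {
        # -WithNDR $false is the shell form of "Delete (no NDR)": no second bounce is generated
        $targets | Remove-Message -WithNDR $false -Confirm:$false
        Write-Host "Deleted $($targets.Count) bounce messages from $QueueIdentity"
    }

    # Unfreeze so legitimate messages can be delivered again
    Resume-Queue -Identity $QueueIdentity
}

# Dry run first to see the count, then the real deletion
Clear-NdrMessages -QueueIdentity 'EXCH01\1234' -DryRun
Clear-NdrMessages -QueueIdentity 'EXCH01\1234'
```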
