
SMTP Events and Message Queue Issues


  • SMTP Events and Message Queue Issues

    While I was investigating my phantom hard drive space issues, I decided to turn on the monitor for SMTP, and after I did I started getting frequent MSExchangeTransport, Event ID 7004 entries in my application log. Well over 100 entries over a 4 hour time frame. The event explanation points to a connectivity issue, but we haven't had any.

    On a possibly related note, I checked the message queue, and there are about 300 messages listed. The domains appear to be for junk/spam mail - several listings for the same domain name with different extensions (,, etc.

    I have non-authenticated relaying turned off. Should I not allow any relaying at all? Under SMTP access settings I have allow Anonymous, Basic Auth and Integrated Windows.

    Is there anything else I need to look for or reconfigure?

    Exchange 03 on Server 03, behind a firewall with port 25 and 443 (for OWA) pointing to this machine. No POP3 or IMAP access is used.

  • #2
    Re: SMTP Events and Message Queue Issues

    Use the next 2 links for best security configuration in order to fight spam:
    (the most important change in my opinion, regarding the second link, is the "Recipient Filtering" - "Filter recipients who are not in the Directory").
    CNE 5, CCA, MCSE NT4.0-2003, MCSE 2003 messaging, Exchange Server MVP.
    Tzahi Kolber - IT Supervisor
    Polycom Israel.


    • #3
      Re: SMTP Events and Message Queue Issues

      If you have lots of messages in your queues to odd domains, then your server is being abused.
      With Exchange 2003 servers there are two main problems - NDR spam and authenticated relaying.

      NDR spam is where email is sent to your server with invalid users on purpose. The server then bounces the message back to the "sender" - the sender is spoofed and is the real target.
      That is stopped by recipient filtering, but to protect your server you also need to enable the tar pit. If you are on Windows 2000/Exchange 2003, then don't enable recipient filtering as that exposes your server to a directory harvest attack. You would need to use a third party tool to protect the server.

      The second issue is authenticated relaying. If you cannot find the signs of NDR spam then it is probably authenticated relaying.
      Authentication relaying is enabled by default, but if you do not have any POP3 clients then it doesn't need to be.
      You also need to change your administrator password. That is the account that will have been compromised.

      I have more on the clean up, including the identification of the attack here:

      Simon Butler
      Exchange MVP


      Sembee is a registered trademark, used here with permission.
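
A queue triage sketch for the distinction drawn in reply #3 (NDR spam versus authenticated relaying), added here as an example and not part of the original posts. It assumes the queue listing has been copied into a CSV with `sender` and `recipient` columns (a hypothetical format, not an Exchange export), that NDRs show a null sender or the local postmaster address, and that a 50% share is a reasonable cut-off; all addresses are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: hypothetical CSV copy of the queue (sender,recipient).
SAMPLE_QUEUE = """sender,recipient
<>,a1@cheap-pills.example
<>,b2@cheap-pills.test
postmaster@corp.example,c3@cheap-pills.invalid
<>,d4@win-prizes.example
bulk@sender.test,e5@win-prizes.test
"""

LOCAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain


def is_ndr(sender, local_domain=LOCAL_DOMAIN):
    """Bounces use the null reverse-path (RFC 5321) or a local postmaster address."""
    s = sender.strip().strip("<>").lower()
    return s == "" or s == "postmaster@" + local_domain


def triage(queue_csv, local_domain=LOCAL_DOMAIN):
    """Count NDR vs. other queued mail and group recipient domains by base name."""
    kinds = Counter()
    suffixes = defaultdict(set)  # base name -> set of extensions seen
    for row in csv.DictReader(io.StringIO(queue_csv)):
        kinds["ndr" if is_ndr(row["sender"], local_domain) else "other"] += 1
        domain = row["recipient"].rsplit("@", 1)[-1].lower()
        base, _, tld = domain.rpartition(".")
        suffixes[base].add(tld)
    # Same name under several extensions is the pattern the first post describes.
    multi = {b: sorted(t) for b, t in suffixes.items() if len(t) > 1}
    total = sum(kinds.values())
    if total == 0:
        verdict = "queue empty"
    elif kinds["ndr"] / total >= 0.5:  # assumed cut-off, tune to taste
        verdict = "mostly NDRs: look at recipient filtering and the tar pit"
    else:
        verdict = "mostly non-NDR mail: look at authenticated relaying"
    return {"counts": dict(kinds), "multi_tld": multi, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_QUEUE).items():
        print(key, value)
```
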