Had a client that was subjected to an open relay attack. In mere hours their Exchange 2007 server was filled with no less than 100,000 outbound emails, indicating that the server was a possible open relay. I thought I should try the GUI to start cleaning out the junk emails, so I loaded the Exchange Management Console, went to Tools and checked the queues in Queue Viewer. True enough, there were emails not destined for our internal mail clients, again suggesting a security problem.
Due to these overwhelming SMTP connections, it comes as no surprise that the processor on this 64-bit box went into overtime. The Exchange SMTP service runs as a process image called EdgeTransport.exe, and this process sat above 50% of processor time most of the time. It even reached 99% at some points when I wasn't looking 🙂
Anyway, the fact is that using the EMC GUI will take hours to clean up, e.g., 100,000 emails (and counting). So I decided to hit the SMTP queues in Exchange with the kitchen sink by deleting them through Explorer.
In essence, to completely wipe out the queues in Exchange 2007, perform the following:
- Stop the Microsoft Exchange Transport service
- Browse to the folder where mail.que is stored (on our server it was at C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue)
- Delete or move everything in that folder
- Start the Microsoft Exchange Transport service
- Open Queue Viewer and verify that everything is cleared. Exchange has now recreated mail.que and its associated files, just like on day one :P
[Image: the physical path of the mail queue, which can also be found by searching for the file mail.que.] Since the mail queues are ESE databases, simply removing the mail.que file may not work (just as removing an edb/stm file without removing the related transaction logs would not).
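The steps above as a script, added here as an example and not code from the original post. It assumes it is run from the Exchange Management Shell as a local administrator, that the queue lives at the default path shown above (the QueueDatabasePath setting in EdgeTransport.exe.config tells you if it does not), and that the Transport service is registered under its standard name MSExchangeTransport. It moves the whole folder (mail.que plus its transaction logs and checkpoint) aside rather than deleting it, so the spam is preserved as evidence and the step can be rolled back.

```powershell
# Added example (not the original post's code): wipe the Exchange 2007 transport
# queue database by moving it aside, then let the Transport service recreate it.
# Assumptions: default queue path; run from the Exchange Management Shell.
$QueuePath  = 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue'
$BackupRoot = 'C:\QueueBackup'          # constructed location for the evidence copy
$Service    = 'MSExchangeTransport'

# 1. Record how much is queued before touching anything (handy for the incident notes).
$before = (Get-Queue | Measure-Object -Property MessageCount -Sum).Sum
Write-Host "Messages queued before cleanup: $before"

# 2. Stop Transport and wait until it has really stopped; moving mail.que
#    while ESE still has it open will corrupt the database.
Stop-Service -Name $Service -Force
(Get-Service -Name $Service).WaitForStatus('Stopped', (New-TimeSpan -Minutes 5))

# 3. Move mail.que AND its logs/checkpoint together into a timestamped folder.
#    ESE needs the whole set to stay together, and moving (not deleting) keeps
#    the spam as evidence and allows a rollback if Transport will not start.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupRoot "Queue-$stamp"
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Get-ChildItem -Path $QueuePath -Force | Move-Item -Destination $backup -Force

# 4. Start Transport; it recreates an empty mail.que and log set on startup.
Start-Service -Name $Service
(Get-Service -Name $Service).WaitForStatus('Running', (New-TimeSpan -Minutes 5))

# 5. Verify: a fresh mail.que exists and the queues are empty again.
if (-not (Test-Path (Join-Path $QueuePath 'mail.que'))) {
    throw "mail.que was not recreated; check the Application event log and restore from $backup."
}
$after = (Get-Queue | Measure-Object -Property MessageCount -Sum).Sum
Write-Host "Messages queued after cleanup: $after (old queue kept in $backup)"
```

Once the relay is closed, the backup folder can be deleted to reclaim the disk space.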
Now, more importantly, close that relay! And enjoy Exchange 2007. PS: I do not warrant against klutziness or failure to back up and test your backups. I don't even think MS approves of such a vicious method, but it worked like a charm and I swept out 1 GB of SMTP spam in 2 minutes 😀