Microsoft KB Archive/324958

From BetaArchive Wiki

Article ID: 324958

Article Last Modified on 12/3/2007



APPLIES TO

  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Small Business Server 2000 Standard Edition



This article was previously published under Q324958

SUMMARY

In a Small Business Server environment, you may have to prevent your Microsoft Exchange Server-based server from being used as an open relay SMTP server for unsolicited commercial e-mail messages, or spam. You may also have to clean up the Exchange server's SMTP queues to delete the unsolicited commercial e-mail messages. If your Exchange server is being used as an open SMTP relay, you may experience one or more of the following symptoms:

  • The Exchange server cannot deliver outbound SMTP mail to a growing list of e-mail domains.
  • Internet browsing is slow from the server and from local area network (LAN) clients.
  • Free disk space on the Exchange server in the location of the Exchange information store databases or the Exchange information store transaction logs is reduced more rapidly than you expect.
  • The Microsoft Exchange information store databases spontaneously dismount. You may be able to manually mount the stores by using Exchange System Manager, but the stores may dismount on their own after they run for a short time. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    321825 Databases become dismounted because of lack of disk space

back to the top

Determine whether the Exchange Server is an open SMTP relay

Note All Exchange clients (Microsoft Outlook or other clients) must log off the Exchange server before you follow the steps in this section. Additionally, you must follow these steps from a remote client.

These steps involve establishing a Telnet session from a computer that is not located on the Small Business Server local network to the public IP address of the Small Business Server computer. If you are physically located at the Small Business Server computer, you can use a Terminal Services client to connect to a computer that is not on the local network and then use the Telnet tool from that remote station to connect to the appropriate IP address.

Note A webcast is available that demonstrates the steps for identifying an open SMTP relay. To view this webcast, click the following link:

From the remote client, follow these steps:

  1. Click Start, click Run, type telnet, and then click OK.
  2. At the Telnet command prompt, type set local_echo, and then press ENTER.
  3. At the Telnet command prompt, type open sbs-IP-address 25, and then press ENTER (where sbs-IP-address is the external public IP address of the Small Business Server computer).

    The output is similar to the following:

    220 server.smallbusiness.local Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at "date" -0500

    Note The "Version" reference may vary, depending on the version of Small Business Server.
  4. Type ehlo anydomain.com, and then press ENTER (where anydomain.com is not an e-mail domain that is hosted on the Small Business Server computer). Make sure that the last line of the response is:

    250 OK

  5. Type mail from:youremail@anydomain.com, and then press ENTER (where youremail@anydomain is an SMTP address that is not hosted on the Small Business Server computer). Make sure that the result is:

    250 2.1.0 youremail@anydomain.com....Sender OK

  6. Type rcpt to:user@spam.com, and then press ENTER (where spam.com is not an e-mail domain that is hosted on the Small Business Server computer, so that accepting the recipient would require the server to relay). Make sure that the result is one of the following two responses:

    550 5.7.1 Unable to relay for user@spam.com

    -or-

    250 2.1.5 user@spam.com

  7. If the result is "550 5.7.1 Unable to relay for user@spam.com," the Exchange server does not relay for anonymous connections. (An authenticated connection can still relay; the "Determine whether an authenticated user is relaying" section covers that case.) If you previously configured Exchange Server to block open SMTP relaying and you want to clean up the Exchange server, go to the "Clean Up the Exchange Server's SMTP Queues" section of this article.
  8. If the result is "250 2.1.5 user@spam.com," the Exchange server is an open SMTP relay. Do not continue with a data command; the accepted recipient is all that the test needs to show, and stopping here means that no message is actually relayed. Go to the "Configure the Exchange Server to Block Open SMTP Relaying" section of this article.
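The telnet exchange above can be scripted so that the check is repeatable (for example, after every run of the Connection Wizard, which the ISA section notes can re-add 127.0.0.1 to the relay list). The following probe is an added example and is not code from the KB article: it performs the same EHLO, MAIL FROM and RCPT TO steps, stops before DATA so that nothing is actually sent, and classifies the RCPT TO reply exactly as steps 7 and 8 do. The host names, addresses and the in-process responder (a constructed stand-in for the Exchange SMTP service, so the script can be exercised offline) are assumptions for illustration; their reply strings mirror the ones quoted above.

```python
"""Open-relay probe reproducing the telnet steps (EHLO / MAIL FROM / RCPT TO), plus a small
in-process SMTP responder so it can be run offline. Added example, not KB article code.
Host names, addresses and the responder's replies are constructed for illustration."""
import socket
import threading


def _read_reply(sock):
    """Read one SMTP reply (single- or multi-line) and return (code, full_text).
    The reply is complete when the last line has a space after the 3-digit code;
    a hyphen ("250-SIZE") marks a continuation line."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
        complete = [ln for ln in data.split(b"\r\n")[:-1] if ln]
        if complete and complete[-1][3:4] == b" ":
            return int(complete[-1][:3]), data.decode("latin-1")


def _command(sock, line):
    sock.sendall(line.encode("ascii") + b"\r\n")
    return _read_reply(sock)


def probe_open_relay(host, port=25, helo="anydomain.com",
                     sender="youremail@anydomain.com", rcpt="user@spam.com", timeout=10):
    """Return (is_open_relay, rcpt_reply), applying the article's rule: on RCPT TO for a
    recipient the server does not host, 550 means relaying is blocked, 250 means open relay.
    Stops before DATA, so no message is sent. Run it from outside the LAN, as the article
    requires; from inside, the server's own relay list makes a 250 legitimate."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        code, banner = _read_reply(s)
        if code != 220:
            raise RuntimeError("unexpected banner: " + banner.strip())
        for cmd in ("EHLO " + helo, "MAIL FROM:<%s>" % sender):
            code, reply = _command(s, cmd)
            if code != 250:
                raise RuntimeError("%s rejected: %s" % (cmd, reply.strip()))
        code, reply = _command(s, "RCPT TO:<%s>" % rcpt)
        try:
            _command(s, "QUIT")
        except OSError:
            pass
    if code == 250:
        return True, reply.strip()
    if code == 550:
        return False, reply.strip()
    raise RuntimeError("unexpected RCPT TO reply: " + reply.strip())


def start_fake_smtp(relay_open):
    """Constructed stand-in for the Exchange SMTP service (offline testing only).
    Accepts one connection and answers with the reply strings quoted in the article."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 server.smallbusiness.local Microsoft ESMTP MAIL Service ready\r\n")
            for raw in lines:
                line = raw.rstrip(b"\r\n")
                verb = line.split(b":")[0].split(b" ")[0].upper()
                addr = line.split(b":", 1)[-1].strip().strip(b"<>") if b":" in line else b""
                if verb == b"EHLO":
                    conn.sendall(b"250-server.smallbusiness.local Hello\r\n250 OK\r\n")
                elif verb == b"MAIL":
                    conn.sendall(b"250 2.1.0 " + addr + b"....Sender OK\r\n")
                elif verb == b"RCPT" and relay_open:
                    conn.sendall(b"250 2.1.5 " + addr + b"\r\n")
                elif verb == b"RCPT":
                    conn.sendall(b"550 5.7.1 Unable to relay for " + addr + b"\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 2.0.0 closing connection\r\n")
                    break
                else:
                    conn.sendall(b"500 5.3.3 Unrecognized command\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Exercise both outcomes against the constructed responder.
    for open_relay in (True, False):
        print(probe_open_relay("127.0.0.1", start_fake_smtp(open_relay)))
```

Against a real server, call probe_open_relay with the public IP address of the Small Business Server computer; the responder is only there so that the logic can be checked without a live target. The reply reader handles multi-line EHLO responses, which the telnet walkthrough glosses over by saying "make sure that the last line is 250 OK".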

back to the top

Determine whether an authenticated user is relaying

This section turns on diagnostic logging so that every authentication attempt against the SMTP service, successful or failed, is recorded in the Application log in Event Viewer.

  1. Start Exchange Administrator.
  2. Double-click Servers.
  3. Under Servers, right-click ServerName, and then click Properties.
  4. Click the Diagnostic Logging tab.
  5. Click MSExchangeTransport on the left.
  6. On the right, click SMTP Protocol.
  7. Under Logging Level, click Maximum.
  8. Click OK to close Server Properties.

If a remote user is authenticating against the Small Business Server computer as part of an operation to relay SMTP e-mail, you will see an event that is similar to the following in the application log:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:13:24 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was LOGIN and the username was company\username.

In this case, if the relaying appears to come from a compromised account password, go to the Active Directory Users and Computers snap-in and delete the account, disable the account, or change the password on the account. The client name in the description is the thing to check: a domain account that authenticates to SMTP from Internet hosts that do not belong to the user is the sign of a stolen password.

Microsoft recommends that you implement a strong password policy. For additional information, visit the following Microsoft Web site:



If a remote user is authenticating against the Small Business Server as part of an operation to relay SMTP e-mail using the guest account, you will see an event that is similar to the following in the application log:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:27:52 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was LOGIN and the username was COMPANY\Guest.

In this case, the remote user is exploiting the guest account. Use the Active Directory Users and Computers snap-in to disable the guest account.

Note It is not sufficient to change the password on the guest account. You must disable the guest account.
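With SMTP Protocol logging at Maximum, a busy relay produces many event 1708 entries, and the two rules in this section (Guest: disable; any other account used from the Internet: treat the password as compromised) are easy to apply programmatically. The following is an added example, not code from the KB article: it parses the 1708 description format quoted above, groups events by account, and attaches the action the article prescribes. The sample records are constructed, and the distinct-client threshold that marks an account as compromised is an assumed heuristic.

```python
"""Triage of MSExchangeTransport event 1708 records: extract client and account from each
description and apply the article's rules (Guest account: disable it; other accounts
authenticating from many remote clients: suspect a stolen password). Added example, not
KB article code. Sample events are constructed; client_threshold is an assumed heuristic."""
import re
from collections import defaultdict

# Description format of event 1708 as quoted in the article.
AUTH_RE = re.compile(
    r"SMTP Authentication was performed successfully with client (?P<client>\S+)\. "
    r"The authentication method was (?P<method>\S+) and the username was (?P<user>\S+)\.")


def parse_1708(description):
    """Return {'client', 'method', 'user'} from an event 1708 description, or None."""
    m = AUTH_RE.search(description)
    return m.groupdict() if m else None


def triage_smtp_auth(events, client_threshold=3):
    """events: iterable of (source, event_id, description). Returns per-account findings
    with the action the article prescribes. client_threshold (assumed) is the number of
    distinct clients at or above which one account is treated as compromised."""
    seen = defaultdict(lambda: {"count": 0, "clients": set(), "methods": set()})
    for source, event_id, description in events:
        if source != "MSExchangeTransport" or event_id != 1708:
            continue
        rec = parse_1708(description)
        if rec is None:
            continue
        entry = seen[rec["user"].lower()]
        entry["count"] += 1
        entry["clients"].add(rec["client"].lower())
        entry["methods"].add(rec["method"])
    findings = {}
    for user, entry in seen.items():
        if user.split("\\")[-1] == "guest":
            action = "disable the Guest account (changing its password is not sufficient)"
        elif len(entry["clients"]) >= client_threshold:
            action = "treat the password as compromised: reset it or disable the account"
        else:
            action = "review: authenticated relay from a remote client"
        findings[user] = {"count": entry["count"], "clients": sorted(entry["clients"]),
                          "methods": sorted(entry["methods"]), "action": action}
    return findings


# Constructed sample records in the shape (source, event id, description).
SAMPLE_EVENTS = [
    ("MSExchangeTransport", 1708,
     "SMTP Authentication was performed successfully with client 203.0.113.5. "
     "The authentication method was LOGIN and the username was COMPANY\\Guest."),
    ("MSExchangeTransport", 1708,
     "SMTP Authentication was performed successfully with client mail.example.net. "
     "The authentication method was LOGIN and the username was company\\jsmith."),
    ("MSExchangeTransport", 1708,
     "SMTP Authentication was performed successfully with client 198.51.100.7. "
     "The authentication method was LOGIN and the username was company\\jsmith."),
    ("MSExchangeTransport", 1708,
     "SMTP Authentication was performed successfully with client 192.0.2.9. "
     "The authentication method was LOGIN and the username was COMPANY\\jsmith."),
    ("MSExchangeTransport", 1708,
     "SMTP Authentication was performed successfully with client workstation01. "
     "The authentication method was LOGIN and the username was company\\alice."),
    ("MSExchangeTransport", 1000, "Unrelated event text."),
]


if __name__ == "__main__":
    for account, finding in triage_smtp_auth(SAMPLE_EVENTS).items():
        print(account, finding["count"], finding["clients"], finding["action"])
```

Feed it the descriptions of the 1708 events exported from the Application log (the tuple shape is the example's own choice). Account names are compared case-insensitively because the event writes the domain part in whichever case the client supplied, as the two quoted events (company\username and COMPANY\Guest) show.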

back to the top

Configure the Exchange Server to block open SMTP relaying

Note A webcast is available that demonstrates how to configure Exchange Server to block open SMTP relaying. To view this webcast, click the following link:

There are two Exchange Server components that permit SMTP relaying to be turned on or off:

  • The Default SMTP Virtual Server
  • The SMTP Connector


Additionally, if the server is running Microsoft Internet Security and Acceleration (ISA) Server 2000, the server may be an open relay if both of the following conditions are true, because inbound connections that the publishing rule hands to the SMTP service on the same computer reach it from 127.0.0.1, so granting relay rights to that address effectively grants them to every Internet sender:

  • ISA Server is configured with a server publishing rule for the SMTP protocol.
  • 127.0.0.1 is in the list of IP addresses that are allowed to relay in the properties of the default SMTP Virtual Server.



To check the properties on the Default SMTP Virtual Server, follow these steps:

  1. Click Start, click All Programs, click Microsoft Exchange, and then click System Manager.
  2. Expand Servers, expand Servername, expand Protocols, and then expand SMTP.


If the server is an upgrade from Small Business Server 4.x, expand Administrative Groups, expand Servername, expand Servers, expand Servername, expand Protocols, expand SMTP.

  3. Right-click Default SMTP Virtual Server and then click Properties.
  4. Click the Access tab.
  5. Click the Relay button at the bottom.
  6. The default settings block open relay. The default settings are as follows:
    • Select Only the list below.
    • The Computers dialog box shows Access Granted to the Internal IP address of the Small Business Server network and to the external IP address (if the server has more than one network card.)
    • Make sure that Allow all computers which successfully authenticate to relay, regardless of the list above is selected. Note that this setting is what lets a stolen password or an enabled guest account relay; if relaying continues after the list is corrected, return to the "Determine whether an authenticated user is relaying" section.
  7. Set the Default SMTP Virtual Server configuration for relaying as indicated, which restores its settings to their defaults.

To check the properties for the SmallBusiness SMTP Connector, follow these steps:

  1. In the Exchange System Manager, expand Connectors, and then locate the SmallBusiness SMTP Connector.


If the server is an upgrade from Small Business Server 4.x, expand Administrative Groups, expand Servername, and then expand Connectors.

Note: The SmallBusiness SMTP Connector is created when you run the Small Business Server 2000 Internet Connection Wizard. If you have manually created an SMTP connector, it may not be named SmallBusiness SMTP connector. Also be aware that the SMTP connector is not required for external mail flow. The absence of a connector may not indicate a problem.

  2. Right-click the SmallBusiness SMTP connector (or on the connector name that you manually created), and then click Properties.
  3. Click the Address Space tab.
  4. The default settings (when this connector is created by means of the Small Business Server 2000 Internet Connection Wizard) block open relay. The default settings are:
    • Address Space -Type: SMTP
    • Address: *
    • Cost: 1
    • The Connector Scope is Entire Organization.
    • Allow messages to be routed to these domains is cleared (not selected).
  5. Configure the SMTP Connector as indicated to restore its settings to their default values.



To examine ISA Server configuration, follow these steps:

  1. Open the ISA Management Console.
  2. Expand Servers and Arrays, expand Computer name, expand Publishing, and then click Server Publishing Rules.
  3. If you see Create Server Publishing Rules on the right side together with some text, you do not have any server publishing rules defined. You may go to the end of this section. If you do not see Create Server Publishing Rules, you will see a list of rules defined. Go to step 4.
  4. View the Protocol column to see if SMTP Server is listed. SMTP Server is the name of the default protocol definition for TCP port 25 Inbound in ISA Server 2000. If this protocol definition exists, an SMTP server publishing rule has been added to ISA Server.

    Note Administrators can add a custom protocol definition by using a different name to define TCP port 25 Inbound. If you do not specifically see SMTP Server in the Protocol column, but see a protocol definition that defines TCP port 25 Inbound, it may also be an SMTP Server Publishing Rule.
  5. To resolve this, disable or delete the SMTP Server Publishing Rule in ISA Server. To disable this rule, right-click the rule, and then click Disable. To delete this rule, right-click the rule, and then click Delete.
  6. Run the Internet Connection Wizard in SBS 2000 or run the Configure E-mail and Internet Connection Wizard in Windows Small Business Server 2003 to configure ISA Server to enable SMTP Inbound. To run the Internet Connection Wizard in Small Business Server 2000, click Start, click Run, type icw, and then click OK.

    To run the Configure E-mail and Internet Connection Wizard in Windows Small Business Server 2003, follow these steps:
    1. Click Start, and then click Server Management to start the Configure E-mail and Internet Connection Wizard.
    2. In the left pane, expand To Do List. In the details pane, click Connect to Internet.

      Note The Internet Connection Wizard and the Configure E-mail and Internet Connection Wizard add a packet filter to ISA Server to enable SMTP incoming from the Internet. If you want to continue to use a server publishing rule for the SMTP protocol, make sure 127.0.0.1 is not in the allowed relay list in Exchange. If you run the Configure E-mail and Internet Connection Wizard in Windows Small Business Server 2003 and choose the option to configure Exchange, 127.0.0.1 will be added back. You must remember to remove the address every time that you run the Configure E-mail and Internet Connection Wizard and configure Exchange. This issue does not occur in SBS 2000.

After you check the Default SMTP Virtual Server, the SmallBusiness SMTP Connector settings, and the ISA Server configuration as described in this section, the Exchange server is configured to block open SMTP relaying. Repeat the telnet procedure in the "Determine whether the Exchange Server is an open SMTP relay" section of this article to confirm that the Exchange server now returns "550 5.7.1 Unable to relay for user@spam.com" when you try to send mail to a recipient who is not homed on the Exchange server. After you have verified that Small Business Server is not an open SMTP relay, go to the "Clean up the Exchange Server's SMTP queues" section of this article.

back to the top

Clean up the Exchange Server's SMTP queues


Warning During this process, ALL messages that are destined for external SMTP recipients are deleted. Internal e-mail and incoming e-mail from the Internet are not affected. The settings below are temporary and steps to undo these changes will be included later in this section.

Note A webcast is available that demonstrates how to clean up the Exchange Server's SMTP queues. To view this webcast, click the following link:

  1. In Exchange System Manager, click SmallBusiness SMTP Connector under Connectors. This phase requires an SMTP connector. If the Exchange server does not have an SMTP connector, create one. To do this, follow these steps:
    1. Right-click Connectors, click New, and then click SMTP Connector.
    2. On the General tab, type a temporary name (Temp Connector, for example) in the Name box.
    3. Click Add at the bottom, select the server name and its associated SMTP Virtual Server, and then click OK.
    4. Click Address Space.
    5. Click Add, click SMTP, and then click OK.
    6. In the Internet Address Space Properties dialog box, leave the default settings (E-mail domain * and Cost 1), and then click OK.
    7. Click the General tab, and then go to step 4.
  2. Right-click SmallBusiness SMTP Connector, and then click Properties. If you have more than one SMTP Connector, the one that you want to work with in the following steps is the one that contains the "*" (asterisk) for the SMTP address on the Address Space tab.

  3. Click the General tab. Make a note of all the settings on this tab. You have to return these settings later in this article.
  4. Click Forward all mail through this connector to the following smart hosts.
  5. In the field provided, type a placeholder IP address on which no mail server answers, and enclose it in brackets. For example, type [99.99.99.99]. Because the smart host never accepts a connection, every outbound message collects in the connector's queue instead of being delivered, which is what lets you delete them all at once.
  6. Click the Deliver Options tab .
  7. Click Specify when messages are sent through this connector.
  8. In the Connection Time list, click Run daily at 11:00 PM.
  9. Click OK to close the SMTP Connector Properties dialog box.
  10. Expand Servers, expand Servername, expand Protocols, expand SMTP. Right-click the Default SMTP Virtual Server, and then click Stop.
  11. It may take several minutes for the SMTP Virtual Server to stop. After the Default SMTP Virtual Server has stopped, right-click the Default SMTP Virtual Server again, and then click Start. It may take several minutes for the Default SMTP Virtual Server to start.
  12. After the Default SMTP Virtual Server has started, wait about 10 minutes.

    Now the Default SMTP Virtual Server can re-enumerate the messages and put them in a single queue for the SmallBusiness SMTP Connector or for the one that you named when you created it in step 1.b.
  13. After about 10 minutes, expand Default SMTP Virtual Server, and then click Queues.
  14. Note the total number of messages on the right next to the SmallBusiness SMTP Connector.

    This number has to stabilize so that all the messages can be deleted at the same time.
  15. Right-click Queues, and then click Refresh approximately every 15 minutes.
  16. Repeat step 15 until the total number of messages remains constant.
  17. Locate the queue for the SmallBusiness SMTP Connector. The queue is indicated by the small red clock on the yellow folder icon.
  18. Depending on your version of Small Business Server installation, follow the appropriate section to delete the messages from the queues:
    • Small Business Server 2003: Right-click SmallBusiness SMTP Connector, and then click Find Messages. In the corresponding box, click the dropdown and select an appropriate number in Number of messages to be listed in the search. Click Find Now. In the results, select all the messages (SHIFT+PAGE DOWN). Right-click the selected messages, and then click Delete All Messages (No NDR).
    • Small Business Server 2000: Right-click SmallBusiness SMTP Connector, and then click Delete All Messages (No NDR).
  19. Click Yes when you are prompted with the question of whether to delete messages in the selected queue. Deleting these message may take some time, depending on the number of messages in the queue.
  20. After the messages are deleted, right-click Queues, and then click Refresh.
  21. Note the total number of messages for the SmallBusiness SMTP Connector queue. The number should now be zero.
  22. Wait approximately 5 minutes, and then refresh Queues again. The goal is to have the number of messages in the SmallBusiness SMTP Connector queue reach zero and stay at zero. If this number increases, the Exchange server is still processing messages for external delivery through the SmallBusiness SMTP Connector. Repeat this step until the number stabilizes again.
  23. Repeat steps 18 through 22 until the number of messages in the SmallBusiness SMTP Connector queue is consistently zero. When it is, the Exchange server's SMTP queues have been purged of the unsolicited commercial e-mail.



After Exchange has been cleaned of the unsolicited commercial e-mail, you have to undo the changes that you made in steps 2 through 8. To undo the changes, follow these steps:

  1. In Exchange System Manager, expand Connectors, right-click the SmallBusiness SMTP Connector, and then click Properties.


If you created a temporary SMTP connector in step 1, click Delete instead of Properties, and then go to step 7.

  2. On the General tab, change these settings to those documented in step 3 under Clean Up the Exchange Server's SMTP Queues.
  3. Click the Delivery Options tab.
  4. Verify that Specify when messages are sent through this connector is selected.
  5. In the Connection Time list, click Always Run.
  6. Click OK.
  7. Expand Servers, expand Servername, expand Protocols, and then expand SMTP. Right-click Default SMTP Virtual Server, and then click Stop.
  8. After the SMTP Virtual Server has stopped, right-click Default SMTP Virtual Server again, and then click Start.

Now you have configured the Exchange server to block open SMTP relaying and you have removed the unsolicited commercial e-mail from Exchange Server's SMTP queues. The next step is to clean up the file system.

back to the top

Clean up the Exchange Server's file system

Note A webcast is available that demonstrates how to clean up the file system after relaying has occurred in Exchange Server. To view this webcast, click the following link:

Exchange Server tries to deliver e-mail according to the retry and expiration settings of the SMTP Virtual Server. When a message has exhausted those limits and can be neither delivered nor returned to its sender (the usual case for spam with forged sender addresses), Exchange Server moves it out of the SMTP queues into the BadMail folder. After an open-relay incident, this folder may take up a lot of space on the drive.

To remove these unnecessary files, follow these steps:

  1. In Windows Explorer, locate the C:\Program Files\Exchsrvr\Mailroot\Vsi 1 folder. To do this, expand C:\Program Files in the left pane, expand Exchsrvr, expand MailRoot, and then expand Vsi 1.


Important Do not open the Badmail folder. Depending on how much spam the Small Business Server computer processes, this folder may contain several hundred thousand files. If you open this folder, the server may appear to have stopped responding.

  2. On the File menu, point to New, and then click Folder.
  3. Type BadMail2 for the name of the new folder.
  4. Click Start, click Programs or All Programs, click Microsoft Exchange, and then click System Manager.
  5. Expand Servers, expand Server name, expand Protocols, and then expand SMTP.


If administrative groups are displayed, expand Administrative Groups, expand Server name, expand Servers, expand Server name, expand Protocols, and then expand SMTP.

  6. Right-click Default SMTP Virtual Server, and then click Properties.
  7. Click the Messages tab.
  8. In the Badmail directory box, change the folder name at the end of the path from BadMail to BadMail2, and then click OK. Exchange now writes bad mail to the new, empty folder and no longer uses the original BadMail folder.
  9. Permanently delete the original BadMail folder. To do this, click the BadMail folder in Windows Explorer (do not double-click it to open it), press and hold down the SHIFT key, and then press DELETE.
  10. Click Yes when you are prompted to confirm the deletion. Deleting this folder may take a long time, depending on the number of files in this folder.

back to the top

Defragment the Exchange server's drives

Because you have moved or deleted many files, you may want to run Disk Defragmenter on the affected drive or drives.

back to the top

Remove the Exchange server from "black hole" lists

You may have to take the appropriate steps to remove your Exchange Server domain name or the Exchange server's external IP address from various "black hole" lists.

back to the top

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313395 How to examine relay restrictions for anonymous SMTP connections and filter unsolicited e-mail messages in Exchange 2000 Server


321825 Databases become dismounted because of lack of disk space


319356 How to prevent unsolicited commercial e-mail in Exchange 2000


back to the top


Additional query words: UCE

Keywords: kbhowtomaster KB324958