Serious delays in external mail delivery(3-11 hrs) - Microsoft Exchange
-
Serious delays in external mail delivery(3-11 hrs)
Hi all,
There is a significant delay between the time I send external emails
and the time that the recipient gets them. I know the delay is induced by
my server because when the email arrives, looking at its header shows
that our server has transmitted it a couple of hours after the send time.
I looked around, trying to help myself, but still can't find the
problem. Here is what I found:
- If I send multiple messages to the same recipient, they all come in at
the same time.
- Tracking any message shows that the step that induces the delay is the
categorizing step.
- Telnetting to the SMTP port of my server, when I issue a "rcpt to"
command, the answer is "unable to relay for a@b.com".
- We just dropped one of our domain names to set it on another server
and the problem seems to have started when this happened. The RPT for
the domain pointed towards mail.oldsite.com. It has just been
corrected and points toward mail.correctdomain.com but that still didn't
correct the delay.
- Queues on the SMTP virtual server are numerous (about 500 queues
with 1 or 2 messages). I tried to freeze every single one that was on
retry status.
- The badmail folder content is like 300k files heavy. I read
somewhere that renaming it to force Exchange to create a new one helped,
but I'm wary of doing this, since there is no direct link between this
and the fact that the domain removal seemed to induce the problem.
Does anyone have any advice?
Pierre Darisse
-
Re: Serious delays in external mail delivery(3-11 hrs)
Hi Pierre Darisse,
I would recommend checking out a few things that may assist with this issue.
1) 300K messages in your badmail folder is not a good idea. That can have a
serious negative impact on the performance of the SMTP service. I recommend
that you get this cleaned up as soon as possible. A simple del *.* from a
command line will clean it up in time with no down time needed.
867642 How to automatically delete messages from the Badmail folder in
Exchange Server 2003 and in Exchange 2000 Server
http://support.microsoft.com/default...b;EN-US;867642
2) I am assuming that you have an outbound SMTP mail connector? Make sure
that connector is scheduled to always run.
3) Otherwise you might be looking at an issue with slow DNS. Make sure that
the DNS servers your Exchange server is talking to are internal DNS servers
and that the server is able to talk to them in a timely manner.
4) Lastly I would strongly recommend running ExBPA from the following link:
http://www.microsoft.com/exchange/expba
This tool can help diagnose issues in your Exchange organization like this.
Hope this Helps,
--
Matthew Byrd
Microsoft PSS
Run Microsoft Exchange Server Best Practices Analyzer Today
http://www.microsoft.com/exchange/exbpa
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
This posting is provided "AS IS" with no warranties, and confers no rights.
-
Re: Serious delays in external mail delivery(3-11 hrs)
Hi Matthew,
Thanks for your reply. Since I wrote the original message, I've
progressed by leaps and bounds in the diagnosis of the particular
problem. What I am sure of is that all of the delay introduced in
sending the mail is caused by an abnormally high send queue count.
Last Friday, I froze all the queues (about 800 of them) and the external
mails were getting around in no time. After that, I left it as is for
the weekend and the queue list built up to an astonishing 1400. Most
of these queues contain Non Delivery Responses (NDRs).
Furthering my research this morning, I understood that our server is
used as a spam relay in a Reverse NDR scheme. Basically, the aim of
this is to send a spam message to a nonexistent address on our server,
forging the mail from address to the real destination of the spam. The
server then sends an NDR back to the address in the mail from with the
spam message as an attachment. Actually, I estimate we get 3500 of
such NDRs each day.
So, to ease the traffic, I shut down the sending of NDRs and this did
the trick, although it is a temporary solution, because we have to be
able to keep in touch with a potential client, whether by sending an NDR
telling this client the address is nonexistent or by getting all the
mail to wrong addresses sent to someone who will sort 'em.
I tried to look around and found a couple of solutions but they don't
seem to be applicable:
1) I could reject all mail that is not destined to an existing user,
but this requires Exchange Server 2003.
2) I could leave the NDR sending off, transferring all unresolved
addresses to a specific account, but it doesn't seem to be possible in
Exchange unless you do some arcane stuff and possess Visual Basic.
3) I could reject all traffic from which the (PTR record) address is
different from the actual IP, but I fear I might cut some servers from
sending us mail.
Also, to respond to your post:
1) As I originally said, I'm a bit fearful of deleting the content of
the badmail folder... what does it contain? Will deleting it delete
messages in inboxes, outboxes, in transition (inbound or outbound)?
2) The SMTP virtual server is set to always run.
3) As per my test last Friday, the DNS seems very efficient, since if I
freeze all queues, the messages will get out fast (less than a minute).
4) As for ExBPA, I will look into it this afternoon. But as I told you,
the problem is found and I now need to know what to do to resolve it in
a graceful manner.
Your help is greatly appreciated.
Pierre Darisse
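
The Reverse NDR scheme and option 1 from the post above, modelled side by side as an added example (not code from the thread): accepting mail for unknown recipients and bouncing later queues one NDR per forged sender, while rejecting at RCPT TO queues nothing locally. All addresses, domains and the 550 reply text are constructed sample values.

```python
from collections import Counter

# Constructed sample data: existing mailboxes and inbound SMTP envelopes
# as (MAIL FROM, RCPT TO) pairs. None of these values come from the thread.
MAILBOXES = {"sales@example.org", "pierre@example.org"}
INBOUND = [
    ("victim1@target.example", "qwxz@example.org"),   # forged sender, bogus rcpt
    ("victim2@target.example", "abcd@example.org"),
    ("victim3@other.example", "zzzz@example.org"),
    ("client@customer.example", "sales@example.org"),  # legitimate mail
    ("client@customer.example", "slaes@example.org"),  # honest typo
]

def accept_then_bounce(envelopes):
    """Accept every RCPT for the domain, then generate an NDR after the fact."""
    delivered, ndr_queue = [], []
    for mail_from, rcpt_to in envelopes:
        if rcpt_to in MAILBOXES:
            delivered.append(rcpt_to)
        else:
            # The NDR is addressed to the unverified envelope sender and
            # carries the original message, which is what the spammer wants.
            ndr_queue.append(mail_from)
    return delivered, ndr_queue

def reject_at_rcpt(envelopes):
    """Recipient filtering: refuse unknown users inside the SMTP session."""
    delivered, rejected = [], []
    for mail_from, rcpt_to in envelopes:
        if rcpt_to in MAILBOXES:
            delivered.append(rcpt_to)
        else:
            # Nothing is queued here. The connecting server owns the failure:
            # an honest sender's own MTA tells its user, a spammer's does not.
            rejected.append((mail_from, rcpt_to, "550 5.1.1 User unknown"))
    return delivered, rejected

def ndr_queues_by_domain(ndr_queue):
    """Outbound NDRs grouped per destination domain (one queue per domain)."""
    return Counter(addr.split("@", 1)[1] for addr in ndr_queue)

if __name__ == "__main__":
    _, ndrs = accept_then_bounce(INBOUND)
    print("NDR queues when bouncing:", dict(ndr_queues_by_domain(ndrs)))
    _, refused = reject_at_rcpt(INBOUND)
    print("Refused in-session, nothing queued:", len(refused))
```

In the second policy the sender with the honest typo is still told about the bad address, because their own mail server reports the 550 to them.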
-
Re: Serious delays in external mail delivery(3-11 hrs)
Here are a couple of links that helped me diagnose the problem, hoping
they'll help future searchers.
What is a Reverse NDR Attack:
http://www.cmsconnect.com/Praetor/We...DR_attacks.htm
First possible solution: reject all mail that is destined for a
nonexistent user (Exchange 2003 only):
http://support.microsoft.com/kb/886208/en-us
Second solution, redirecting all unresolved email to a mailbox (needs
Visual Basic to be done):
http://support.microsoft.com/default.aspx?scid=kb;en-us;315631
DNS, Reverse DNS (PTR), see if your domain is classified as spam:
http://www.dnsstuff.com
-
Re: Serious delays in external mail delivery(3-11 hrs)
Hi Pierre Darisse,
Glad that you were able to determine what is happening. Having that many
messages come into your system and have to be processed out as NDRs with
100s of queues can indeed cause a performance issue.
Unfortunately the only solution that I can reasonably provide you would be
to upgrade to Exchange 2003 so that you can install/apply with Intelligent
Mail filter. This Spam filter would filter out most if not all of these
messages. Your other option is to install a 3rd party Spam filter to remove
these messages.
There is not really a way within the base configuration of Exchange to
prevent these types of "attacks" without breaking the functionality of SMTP.
This is not a limitation of Exchange so much as a limitation of the SMTP
protocol.
On your question about BadMail ... you can/need to remove these messages.
We do not put any messages in the badmail folder that we can process ...
thus the name BadMail. The only thing we put in that folder are messages
that we cannot do anything with. These messages will NEVER be processed by
the system. Once we put the message in badmail we never look at it again;
these are just trash files. The badmail folder was implemented as a
standard in the early days of SMTP when it was useful to keep track of the
messages that you could not do anything with so that you could go diagnose a
problem without losing any mail. These days 99.9% of badmail is just
garbage messages that we can't do anything with ... NDRs to non-existent
domains, malformed messages etc.
Just to iterate again ... Deleting BadMail will have NO impact on mailflow,
or result in any data loss. Microsoft recommends keeping this folder
cleaned out per the KB that was in my previous post.
Hope This Helps,
--
Matthew Byrd
Microsoft PSS