Help my Exchange 2013 server is sending out thousands of spam mails!

Hi all,

Today I noticed that my Exchange server was using 100% CPU and memory. I noticed that the EdgeTransport service was using all the resources.

Then I opened Queue Viewer and saw thousands of mails in the queue. Then I got the annoying message that it cannot show more than 1000 messages. I clicked OK and stopped the refreshing. I could mark all e-mails and choose Suspend, but after that it starts to refresh and the same annoying message keeps popping up (can't display more than 1000 messages).

So I have blocked all incoming port 25 on my TMG and also blocked all traffic out from the mail server.

I then ran the following command on my Exchange server: Remove-Message -Server mail01 -Filter {Status -eq "Suspended"} -WithNDR $false

Doesn't seem it helped, since there are still over 1k messages in the queue!

I deleted the queue folder under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\ and it re-created a new folder. Still, all queues aren't removed.

How can I remove all messages in the Queue Viewer?

I also find it strange that outsiders manage to relay on my server, since I only set allow for a couple of internal servers?

Scanned those and no virus there (I don't use those servers to download anything).

any advice p

April 28th, 2015 5:37pm

You might have an open relay.  Check the configuration of your receive connectors.

You might have one or more users that have malware that's sending spam.  Looking at the details of the items in the queues might give you clues.

April 28th, 2015 5:54pm

Thanks for the reply.

But how can I remove the queue? Messages just contain users with an e-mail of numbers and ending with .ru as domain, so the only thing I learn from here is that they are spamming my server.

Question is, how do I remove the queue?

April 28th, 2015 6:10pm

I'm not experienced with these cmdlets but it looks like you can enter Get-Queue to get a list of queues, and when you find the identity of the one you want to delete, enter:

Get-Queue -Identity "Queue_ID" | Remove-Message -WithNDR:$False -Confirm:$False
April 28th, 2015 6:17pm

Sorry, it looks like I replied in the wrong place.  Look up...
April 28th, 2015 6:18pm

Would take me too much time to remove one ID by one, since I had over 3k in the queue.

Ended up with the following command:

Remove-Message -Filter {FromAddress -like "*@*"} -WithNDR $false

Remove-Message -Filter {FromAddress -like "*<>*"} -WithNDR $false

The first will remove all messages that contain @.

The second will remove all messages that contain <> (seems like lots had this in FromAddress).

Then finally all gone and CPU and memory back to normal.

Now have to find a way to block all IPs from China and Russia on my TMG!

April 28th, 2015 7:33pm
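An added PowerShell example, not posted by anyone in this thread, that puts the two pieces of advice above together: audit the receive connectors for the anonymous relay permission the first reply warns about, take an inventory of what is sitting in the queues before anything is deleted, and then clear the abusive mail with a filtered Remove-Message like the one the original poster ended up with. It runs in the Exchange Management Shell; the server name mail01 is the one from the thread, the .ru sender pattern is an assumption based on what the poster described, and -WhatIf is left on so nothing is removed until you drop it.

```powershell
# 1. Which receive connectors let anonymous senders relay to ANY recipient?
#    "ms-Exch-SMTP-Accept-Any-Recipient" granted to ANONYMOUS LOGON is the
#    open-relay permission; a connector that shows up here needs fixing.
Get-ReceiveConnector -Server mail01 |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" } |
    Select-Object Identity, Deny, ExtendedRights

# Also review permission groups and remote IP ranges: an "internal relay"
# connector that allows AnonymousUsers and is scoped to 0.0.0.0-255.255.255.255
# instead of the couple of internal servers is effectively open to the world.
Get-ReceiveConnector -Server mail01 |
    Select-Object Name, PermissionGroups,
        @{ n = "RemoteIPRanges"; e = { $_.RemoteIPRanges -join ", " } }

# 2. Inventory before deleting. Queues grouped by next-hop domain show where the
#    mail is going; the top sender addresses show whether this is outside relay
#    abuse (numeric .ru senders, as in the thread) or a single infected mailbox.
Get-Queue -Server mail01 |
    Sort-Object MessageCount -Descending |
    Select-Object -First 20 Identity, NextHopDomain, MessageCount

$queued = Get-Message -Server mail01 -ResultSize Unlimited
$queued |
    Group-Object FromAddress |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# 3. Purge only what matches the abusive pattern, with no NDRs (they would just
#    backscatter to forged senders). "<>" is the null sender the poster saw in
#    FromAddress; the second filter is the assumed .ru pattern. Adjust to what
#    step 2 showed you, then remove -WhatIf to actually delete.
Remove-Message -Server mail01 -Filter { FromAddress -eq "<>" } `
    -WithNDR $false -Confirm:$false -WhatIf
Remove-Message -Server mail01 -Filter { FromAddress -like "*@*.ru" } `
    -WithNDR $false -Confirm:$false -WhatIf
```

Deleting the queue only treats the symptom; until the connector found in step 1 is restricted to the intended internal hosts (or port 25 stays blocked on the TMG), the queue will fill up again.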

The command I gave you should have removed all of them in the particular queue, which is what you asked for.  I fear that your command might have deleted valid
April 28th, 2015 7:50pm
