Community Server for Rent a Coder


Real Life Microsoft IT

Microsoft Exchange 2003: Dealing with an email denial of service attack

Microsoft Exchange Server 2003 has a number of features that make it easier to deal with spam (unsolicited email), chiefly the Intelligent Message Filter (IMF).  Dealing with an email denial of service attack is a slightly different story.  A well-constructed attack will probably come from someone who knows your company, and if they're smart it won't be a spam-like message that trips the spam protection; it will look like an ordinary, legitimate email (albeit sent several hundred thousand times).  You would think Exchange would have something built in to detect this.  However, the Intelligent Message Filter has a large limitation in this regard: it only looks at single messages and does no comparison across messages, so a flood of identical, innocuous-looking mail scores no higher than a single copy of it would.

So what do you do when someone launches a DoS (denial of service) attack against you via email?  It would be nice if Exchange could notify you of this, but it has no such feature.  So the first you'll hear of it is a user complaining that they have several hundred thousand more emails in their mailbox than expected.  What do you do?  Okay, first, take a deep breath.  Then go to the headers of the emails and find the originating server.  Look at the Received: header that your own Exchange server stamped on the message (the topmost one, naming your server after "by"); the bracketed address in it is the IP that actually connected to you.  Any Received: lines below that one were supplied by the sender and can be forged to blame an innocent third party, so don't block on them.  (If inbound mail arrives through a relay or anti-spam gateway in front of Exchange, the IP you see there is the relay's; do the blocking on the outermost hop that sees the real peer.)  Cross your fingers and hope that they are all the same.  If they are, you have a simple DoS attack (a single server).  You can block that IP in Exchange System Manager under "Connection Filtering", "Global Accept and Deny List Configuration".  Click "Deny" and type in that IP.  Then clean up the mess in the queues as described below.

If you have multiple IPs, you've got a trickier situation to deal with.  Now you're under a DDoS (distributed denial of service) attack.  If there are only a few, use the same technique as above (and then clean up the mess in the queues as described below).  But if the attacker is really tricky and you've got thousands, or if they constantly change, even this technique won't work: you can't keep a deny list current by hand.  If that happens, you can't block it yourself.  You need to contact your ISP, because most ISPs have equipment that can filter a DDoS upstream, before it ever reaches your link.
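The header triage above, done by script rather than by eye, as an added example (this is not code from the original post). It reads a pile of queued messages, picks out the Received: line that our own server wrote, tallies the connecting IPs, and decides whether you are looking at one source, a handful, or too many to block yourself. The host name mail.example.com, the thresholds and the five sample messages are assumptions constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
import email
import re
from collections import Counter
from typing import Iterable, List, Optional

# Name our Exchange SMTP virtual server writes after "by" in the Received:
# header it stamps on inbound mail. Assumed value for this example.
OUR_HOST = "mail.example.com"

# Exchange 2003 stamps a line of the form
#   Received: from <helo-name> ([<ip>]) by <our host> with Microsoft SMTPSVC(...); <date>
# The bracketed address is the peer that actually connected to us.
_CONNECTING_IP = re.compile(r"from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def connecting_ip(raw: bytes, our_host: str = OUR_HOST) -> Optional[str]:
    """Return the IP that delivered this message to OUR server, or None.

    Received: headers are read top-down and only the first one naming our own
    host is trusted. Every Received: line below it was supplied by the sending
    side and may be forged to point blame at an innocent third party.
    """
    msg = email.message_from_bytes(raw)
    for received in msg.get_all("Received", []):
        received = " ".join(received.split())  # unfold continuation lines
        if f"by {our_host}".lower() in received.lower():
            m = _CONNECTING_IP.search(received)
            return m.group(1) if m else None
    return None


def tally_sources(raw_messages: Iterable[bytes]) -> Counter:
    """Count how many queued messages each connecting IP delivered."""
    return Counter(ip for ip in map(connecting_ip, raw_messages) if ip)


def classify(counts: Counter, few: int = 5) -> str:
    """'single': block the one IP; 'few': block each one; 'many': call the ISP."""
    if len(counts) <= 1:
        return "single"
    return "few" if len(counts) <= few else "many"


def deny_list(counts: Counter, min_messages: int) -> List[str]:
    """IPs that delivered at least min_messages, ready for the Global Deny List."""
    return sorted(ip for ip, n in counts.items() if n >= min_messages)


# Constructed sample: four copies of the flood from one box (one of them
# carrying a forged lower Received: line that blames 198.51.100.9) and one
# legitimate message from a partner's mail server.
def _flood(from_ip: str, extra_received: bytes = b"") -> bytes:
    return (
        b"Received: from sender-box ([" + from_ip.encode() + b"]) by mail.example.com"
        b" with Microsoft SMTPSVC(6.0.3790.1830);\n\t Mon, 18 Dec 2006 20:12:01 -0500\n"
        + extra_received
        + b"From: partner@example.net\nTo: sales@example.com\n"
        b"Subject: Re: invoice 4471\n\nHi, please see the attached invoice.\n"
    )

SAMPLE_QUEUE = [
    _flood("203.0.113.7"),
    _flood("203.0.113.7"),
    _flood("203.0.113.7"),
    _flood("203.0.113.7",
           b"Received: from innocent.example.org ([198.51.100.9]) by sender-box;"
           b" Mon, 18 Dec 2006 20:11:59 -0500\n"),
    b"Received: from smtp.example.net ([192.0.2.44]) by mail.example.com"
    b" with Microsoft SMTPSVC(6.0.3790.1830);\n\t Mon, 18 Dec 2006 20:13:40 -0500\n"
    b"From: alice@example.net\nTo: sales@example.com\nSubject: Meeting Tuesday\n\n"
    b"Still on for 10am?\n",
]

if __name__ == "__main__":
    counts = tally_sources(SAMPLE_QUEUE)
    print(classify(counts), dict(counts), "deny:", deny_list(counts, 3))
```

The forged sample is the point of the exercise: its lowest Received: line names 198.51.100.9, but the line our server wrote says the connection came from 203.0.113.7, and that is the only address worth putting on the deny list. Against a real queue, feed the function the .eml files from the Mailroot queue folder rather than the inline samples.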

Cleaning up the mess in the queues
-----------------------------------
Now that the perimeter is secure, it's time to take out the garbage.  Between the time the attack started and the time you were able to cut it off, several hundred thousand or even millions of emails may have landed in the Exchange queues.  They will slow your legitimate email to a crawl (not to mention potentially crash your server if you run out of disk space).  So you need to deal with this problem promptly as well.

Again, there is nothing built into Exchange to help you.  If you use the built-in Queue Viewer, it will be completely overloaded and will either crash or take hours to load 100 messages.  At that rate it could take months or years to delete them all.  You probably don't have that long to wait.

So instead, download this life-saving tool from Microsoft called AQADMCLI.exe: 
ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/
This bad boy will delete queue messages that meet a certain specification.  For example, running:
delmsg flags=sender,sender=hackeremail@lameaddress.com
will delete all queued messages sent from hackeremail@lameaddress.com.  There are a ton of other flags, so you can key on sender, recipient, etc.  Pick the narrowest key that matches the flood; a filter keyed on a single sender or recipient leaves the legitimate mail that is stuck behind the flood in the queue to be delivered normally once the garbage is gone.

When you run this, the first thing you'll notice is that it appears to do nothing.  In actuality, it's running and just doesn't show any output until it's completely done with each queue.  If you have a few hundred thousand emails, that will take time.  So take a quick coffee break and come back.  When you do, your queues should be back under control.

One caveat: this tool does not seem to work on the "Messages pending submission" queue.  If you've been attacked and have an autoresponder on the targeted email address (a favorite target for hackers, since every flood message earns a reply), you will most likely have several hundred thousand emails in this queue as well.  What do you do? 
1) The messages are stored in a physical folder, for example c:\program files\MyExchsrvr\mailroot\vsi 1\queue ("vsi 1" is SMTP virtual server instance 1).  Make note of that folder.
2) Stop all Exchange services (including your antivirus, GFI MailEssentials if you run it, etc.).
3) Rename that folder to something else (you can't do this unless ALL services are stopped, so if something interferes, you missed something).  Example: "queue_old".
4) Restart all services.  Your queue is no longer backed up, because the messages are no longer in it.
5) Now you have to salvage the good messages from the garbage ones.  Do a Windows search on the .eml files and delete the bad ones, or move the good ones into a separate folder.  (Yes, it takes a while, but it's faster than doing nothing and hoping the queues eventually clear out on their own.)
6) When you have the good ones, copy them to the \pickup folder (it sits beside \queue under the same "vsi 1" directory).  They will be requeued.  Move them in batches rather than all at once, and be sure none of the autoresponder replies go back in, or you will recreate the flood (and spray backscatter at whatever forged addresses the attacker used).
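Step 5 automated, as an added example that is not part of the original post. Because the Intelligent Message Filter never compares one message with another, the sort has to do exactly that: each .eml in the renamed queue_old folder is fingerprinted on sender, subject and a hash of the normalised body (ignoring To:, Date: and Message-ID:, which differ on every copy of an autoresponder flood), and any fingerprint that occurs more than a threshold number of times is treated as the flood and moved to a quarantine folder, while everything else goes to Pickup. The folder layout, the threshold of 50, the 250 sample replies and the three legitimate messages are constructed assumptions for the example.

```python
import hashlib
import re
import shutil
import tempfile
from collections import Counter
from email import message_from_bytes
from email.message import Message
from pathlib import Path
from typing import Tuple


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts, normalised so trivial whitespace
    differences don't split one flood into many fingerprints."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return re.sub(r"\s+", " ", " ".join(parts)).strip().lower()


def fingerprint(raw: bytes) -> str:
    """Sender + subject + body hash. Deliberately ignores To:, Date: and
    Message-ID:, which are different on every copy of an autoresponder reply."""
    msg = message_from_bytes(raw)
    sender = (msg.get("From") or "").strip().lower()
    subject = re.sub(r"\s+", " ", msg.get("Subject") or "").strip().lower()
    digest = hashlib.sha256(_body_text(msg).encode()).hexdigest()
    return f"{sender}|{subject}|{digest}"


def triage(queue_old: Path, pickup: Path, quarantine: Path,
           flood_threshold: int = 50) -> Tuple[int, int]:
    """Move .eml files whose fingerprint occurs >= flood_threshold times to
    quarantine and the rest to Pickup. Returns (requeued, quarantined)."""
    files = sorted(queue_old.glob("*.eml"))
    prints = {f: fingerprint(f.read_bytes()) for f in files}
    counts = Counter(prints.values())
    pickup.mkdir(parents=True, exist_ok=True)
    quarantine.mkdir(parents=True, exist_ok=True)
    requeued = quarantined = 0
    for f, fp in prints.items():
        if counts[fp] >= flood_threshold:
            shutil.move(str(f), str(quarantine / f.name))
            quarantined += 1
        else:
            shutil.move(str(f), str(pickup / f.name))
            requeued += 1
    return requeued, quarantined


# Constructed sample queue: the autoresponder on sales@example.com fired once
# per flood message, so queue_old holds hundreds of near-identical replies
# (each with its own To:, Date: and Message-ID:) plus three legitimate
# outbound messages that must survive the cleanup.
def build_sample_queue(queue_old: Path, flood_copies: int = 250) -> None:
    queue_old.mkdir(parents=True, exist_ok=True)
    for i in range(flood_copies):
        (queue_old / f"NTFS_{i:05d}.eml").write_bytes(
            b"From: sales@example.com\n"
            + f"To: victim{i}@example.net\n".encode()
            + f"Date: Mon, 18 Dec 2006 20:{i % 60:02d}:00 -0500\n".encode()
            + f"Message-ID: <reply-{i}@mail.example.com>\n".encode()
            + b"Subject: Thank you for contacting sales\n\n"
            b"Thank you for your message. A representative will respond\n"
            b"within one business day.\n"
        )
    legit = [
        (b"bob@example.com", b"Re: Q4 pricing", b"Attached is the revised quote."),
        (b"carol@example.com", b"Lunch?", b"Noon at the usual place?"),
        (b"dave@example.com", b"Server maintenance", b"Exchange restarts tonight at 11pm."),
    ]
    for n, (frm, subj, body) in enumerate(legit):
        (queue_old / f"NTFS_legit{n}.eml").write_bytes(
            b"From: " + frm + b"\nTo: someone@example.net\nSubject: " + subj
            + b"\n\n" + body + b"\n"
        )


def run_demo() -> Tuple[int, int]:
    """Build the sample queue in a temp dir, triage it, and report the counts."""
    root = Path(tempfile.mkdtemp(prefix="vsi1_"))
    build_sample_queue(root / "queue_old")
    result = triage(root / "queue_old", root / "PickUp", root / "quarantine")
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print("requeued %d, quarantined %d" % run_demo())
```

Point the real run at the renamed queue_old folder, the live Pickup folder and an empty quarantine folder of your choosing. Legitimate bulk mail (a newsletter, an all-staff notice) clusters the same way a flood does, so look through the quarantine folder before deleting it, and lower or raise flood_threshold to match what you see. Moving the files one at a time with a rename on the same volume is atomic, which matters because the SMTP service picks Pickup files up as soon as they appear.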

I hope this helps you out.

Ian Ippolito

Published Monday, December 18, 2006 9:36 PM by admin
