Things to Do When Your Exchange Server Gets Blacklisted

SMTP Configuration

The first thing to do is to stop the SMTP service. Open a command prompt and run:

Net stop smtpsvc

Stopping the service can take a while, because it has to finish the deliveries it is in the middle of, so be patient. Next, locate the queue directories of the SMTP virtual server, typically at “c:\program files\exchsrvr\mailroot\vsi 1”. Change to this directory at the command prompt and clear out the “badmail” and “queue” subdirectories (“queue” holds messages waiting for delivery, “badmail” holds messages that could neither be delivered nor returned). You might lose one or two valid messages, but during an attack that is an acceptable price. If you want to find out where the spam came from (a compromised account, an infected workstation or an open relay), move the files to a folder outside the mail root instead of deleting them: the message headers will tell you, and any legitimate message can later be re-submitted by dropping it into the Pickup directory.

Now open Exchange System Manager, locate the SMTP virtual server, open its properties and, on the Access tab, click Relay to open the relay restrictions.

To make sure the server relays for nobody, from inside or from outside, select “Only the list below” with an empty list and clear “Allow all computers which successfully authenticate to relay, regardless of the list above”. Inbound mail addressed to your own domains is not relaying and is still accepted. Clearing the authenticated-relay option does not switch off SMTP authentication itself, but it means authenticated POP3/IMAP clients can no longer send outbound mail through this server, so they will need a different outgoing SMTP server until you restore the setting. If the spam was being sent through a compromised mailbox password, this also cuts it off; reset that password before you re-enable authenticated relay.

Disabling non-delivery reports to senders is also useful in this situation. Spam almost always carries forged sender addresses, so every undeliverable message generates an NDR to an innocent third party; these bounces jam your queue and are themselves a common reason for being blacklisted (backscatter). In Exchange System Manager, go to Global Settings, Internet Message Formats, open the properties of the applicable domain policy and clear “Allow non-delivery reports” on the Advanced tab.

Remember to turn this option back on once the attack is over; otherwise senders of legitimate mail will never learn that their messages were not delivered.

Once this is done you can start the SMTP service using the following command:

Net start smtpsvc

Once the SMTP service is running, check whether the queues are filling up again. If they are, the mail is being generated inside your network (an infected workstation or a compromised account), and the sender and originating IP address in the queued messages will point you to it.
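The whole sequence (stop the service, clear the queues, pause for the relay change, restart, watch the queue) as a PowerShell script. This is an added example and not part of the original article; it moves the queued messages into a timestamped archive folder rather than deleting them, so the source of the spam can still be traced. The mail root path and the archive location C:\SmtpQuarantine are assumptions; adjust them to match your installation. Run it in an elevated PowerShell prompt on the Exchange server.

```powershell
# Added example, not part of the original article: quarantine the SMTP queues of an
# Exchange 2000/2003 SMTP virtual server, restart the service and watch the queue.
# Assumptions: the default mail root path below, and C:\SmtpQuarantine as the archive.
param(
    [string]$MailRoot    = 'C:\Program Files\Exchsrvr\Mailroot\vsi 1',  # assumed default path
    [string]$ArchiveRoot = 'C:\SmtpQuarantine'                          # assumed archive folder
)

$ErrorActionPreference = 'Stop'
$ServiceName = 'SMTPSVC'

# Count message files in a queue directory (written to work on old PowerShell versions too).
function Get-QueueFileCount {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir)) { return 0 }
    $files = Get-ChildItem -LiteralPath $Dir -Recurse -Force |
             Where-Object { -not $_.PSIsContainer }
    return @($files).Count
}

# 1. Stop the SMTP service; with a large queue this can take several minutes.
Write-Host "Stopping $ServiceName ..."
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(10))

# 2. Move (rather than delete) the Queue and BadMail contents into a timestamped archive,
#    so the messages can be examined for the source of the spam and any legitimate mail
#    can be re-submitted later through the Pickup directory.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($name in 'Queue', 'BadMail') {
    $src   = Join-Path $MailRoot $name
    $dst   = Join-Path $ArchiveRoot "$stamp-$name"
    $count = Get-QueueFileCount $src
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    if ($count -gt 0) {
        Get-ChildItem -LiteralPath $src -Force | Move-Item -Destination $dst -Force
    }
    Write-Host ("{0,-8} {1,6} file(s) moved to {2}" -f $name, $count, $dst)
}

# 3. Relay restrictions are changed in Exchange System Manager; pause here for that.
Read-Host 'Restrict relaying in Exchange System Manager now, then press Enter to restart SMTP'

Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

# 4. Sample the Queue directory for a few minutes. A count that keeps climbing means mail
#    is still being generated or accepted; the sender and originating IP address in the
#    archived messages show where it comes from.
$queueDir = Join-Path $MailRoot 'Queue'
for ($i = 1; $i -le 6; $i++) {
    Start-Sleep -Seconds 30
    Write-Host ("{0}  files in Queue: {1}" -f (Get-Date -Format 'HH:mm:ss'), (Get-QueueFileCount $queueDir))
}
```

Keeping the archive outside the mail root matters: anything left under the virtual server's directories is picked up again as soon as the service restarts.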

Antivirus Protection

You probably already know that this matters: make sure the anti-virus software on all servers and workstations is up to date and run a full scan, since a single workstation infected with a mass-mailing worm is enough to fill the queue. You can also run one of the following free online virus scanners:

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.kaspersky.com/scanforvirus
http://www.ravantivirus.com/scan/

Blacklists and Remote Attacks

Now, your server might still be under an attack and blacklisted.

The quickest fix is to call your ISP and ask them to give your mail server a different public IP address, updating the A record that your MX record points to (the DNS entry that tells other mail servers where to find yours). This is usually faster than contacting each RBL and asking for delisting, and it also cuts off remote attacks aimed at the old address. Most ISPs will do this for free. Bear in mind that blacklists list the IP address your outbound mail comes from: if inbound and outbound mail use different addresses, it is the outbound address that has to change, and the new address needs a matching reverse DNS (PTR) record or it will be treated with suspicion as well. Changing the address is only a workaround: if the underlying cause is not fixed, the new address will be listed soon too.

It can take 24 hours or so for the DNS change to propagate around the world, but it usually resolves the immediate problem.

Alternatively, find out which lists your server is on and request removal. To do so, open the following link with your server’s external IP address substituted, for example:

http://www.dnsstuff.com/tools/ip4r.ch?ip=123.123.123.123

The page shows which blacklists list your server, together with links to each list’s removal instructions. The lookup itself is simple: each DNS-based blacklist (DNSBL) is a DNS zone, and an address is listed if a query for the address with its octets reversed under that zone returns an A record in 127.0.0.0/8.
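The same lookup can be scripted so it can be repeated after a delisting request or an address change. The following is an added example, not code from the original article or from the lookup site: it builds the reversed-octet query name, asks several DNSBL zones and reports listed, clean, refused and error results separately. The selection of zones is an assumption; use the lists your recipients' mail servers actually consult. Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not part of the original article: check an IP address against several
# DNS-based blacklists from PowerShell instead of a web form.
param([Parameter(Mandatory = $true)][string]$Ip)

$Zones = 'zen.spamhaus.org', 'bl.spamcop.net', 'b.barracudacentral.org'   # assumed selection

# Build the DNSBL query name: 203.0.113.9 on zone Z becomes 9.113.0.203.Z
function Get-DnsblQueryName {
    param([string]$Address, [string]$Zone)
    $octets = $Address.Split('.')
    if ($octets.Count -ne 4 -or ($octets | Where-Object { $_ -notmatch '^\d{1,3}$' })) {
        throw "Expected a dotted IPv4 address, got '$Address'"
    }
    [array]::Reverse($octets)
    return ($octets -join '.') + '.' + $Zone
}

foreach ($zone in $Zones) {
    $name = Get-DnsblQueryName -Address $Ip -Zone $zone
    try {
        $answers = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' } |
                   ForEach-Object { $_.IPAddress }
        # A 127.0.0.x answer means "listed"; the last octet encodes the reason, which
        # differs per list. Spamhaus answers 127.255.255.x when it refuses the query
        # (for example when asked through a public resolver); that is not a listing.
        $refused = $answers | Where-Object { $_ -like '127.255.255.*' }
        if ($refused) {
            Write-Host ("?        {0,-26} query refused ({1})" -f $zone, ($refused -join ', '))
        } else {
            Write-Host ("LISTED   {0,-26} {1}" -f $zone, ($answers -join ', '))
        }
    } catch {
        if ($_.Exception.Message -match 'does not exist') {
            Write-Host ("clean    {0}" -f $zone)          # NXDOMAIN: not listed on this zone
        } else {
            Write-Host ("error    {0,-26} {1}" -f $zone, $_.Exception.Message)
        }
    }
}
```

Save it as, for instance, Check-Dnsbl.ps1 (a name chosen here, not a standard tool) and run `.\Check-Dnsbl.ps1 -Ip 203.0.113.9` with your server's outbound address. Query it from the server's own resolver rather than a public one, or the Spamhaus zone will refuse to answer.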

Conclusion

E-mail attacks, whether internal or external, are not easy to fight because of the nature of SMTP, but if you know how to protect your server and block the abuse you can stop them without resorting to drastic or costly measures.
