Exchange 2003 - Clear SMTP queues after an NDR attack / Open relay

Exchange 2003 - Clear SMTP queues after an NDR attack / Open relay

- stop SMTP service
- navigate to queue directory (by default, C:\\PROGRAM
FILES\\EXCHSRVR\\MAILROOT\\VSI 1\\QUEUES)
- back up 1 directory, right click directory QUEUES
- Search directory using the MS SEARCH TOOL for files containing text
\"Recipient Failed\"
- Deleted all files that were found

While stopping the SMTP service and deleting ALL messages in the queue
directory would certainly clear up this issue, it would also delete
any messages that were frozen in the queue (both inbound and outbound)
that were considered GOOD messages. This method identifies only
messages that are NDR replies, which usually is the result of a
reverse-NDR attack.