Clearing down Queues on Exchange 2010 – SPAM attack

In MS Exchange 2010

Hi All


I had an issue this weekend where I realised one of the Exchange mail servers I manage was being used as an "Open Relay". My fault entirely for not understanding how to secure the "receive connectors" properly. Anyway, I deleted the SMTP receive connector which accepted external connections. I'll deal with the resolution, creating a secure external receive connector, in a different post.

I therefore had about 100,000 emails in the queues which needed removing. You can use the EMC to manage your queues, but it is limited.


Go into your EMC and click the bottom link on the left-hand side, "Toolbox". Once this has opened, click "Queue Viewer".


Using the Queue Viewer to delete emails takes a long time, as it only shows 1,000 messages at a time, and it is very time-consuming, especially when the emails are spread across different queues.

Therefore I opted to work out how to use the Exchange Management Shell cmdlet Remove-Message instead.

The syntax for this cmdlet is:


Remove-Message -Identity <MessageIdentity> [-Confirm [<SwitchParameter>]] [-WhatIf [<SwitchParameter>]] [-WithNDR <$true | $false>]

or


Remove-Message -Filter <String> [-Confirm [<SwitchParameter>]] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]] [-WithNDR <$true | $false>]

and it is documented here: http://technet.microsoft.com/en-us/library/aa996371.aspx

Here are a few examples which I used.

Remove-Message -Server mailserver1 -Filter {FromAddress -eq "jon@yahoo.com.tw"} -WithNDR $false

This removes all messages that have the from address "jon@yahoo.com.tw" and doesn't send a Non-Delivery Report (NDR). I tried playing with using wildcards, i.e. *@yahoo.com.tw. The system accepted it, but it didn't seem to clear the emails in question.

The one that DID completely work for me was this:

Remove-Message -Server mailserver1 -Filter {MessageSourceName -eq "SMTP:RelayConnector"} -WithNDR $false

ALL my spam queues were trying to use my SMTP connector, which was labelled RelayConnector; I could see this in the Queue Viewer. Running this command removed every message that had arrived via "SMTP:RelayConnector" from the queues, with no NDR. Five minutes later all 100,000 emails were gone.
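The following Exchange Management Shell script is an added example, not code from the original post. It pulls the two filters above into a preview-then-purge routine: Get-Message accepts the same -Filter syntax as Remove-Message, so you can count the matches first, run Remove-Message with -WhatIf for a dry run, and only then delete. It also shows the wildcard form: the queue filter's -eq is a literal comparison, so a pattern such as *@yahoo.com.tw needs the -like operator to match. The server name "mailserver1", the connector name "RelayConnector" and the sender domain are taken from the post; any other server or connector names are assumptions to be replaced.

```powershell
# Added example (not from the original post): preview, then purge, queued spam
# on an Exchange 2010 Hub Transport server with Get-Message / Remove-Message.
# Assumed names: server "mailserver1" and receive connector "RelayConnector"
# (both from the post); adjust to your own environment.
$server = "mailserver1"

# Show how many messages each queue holds before touching anything.
Get-Queue -Server $server | Sort-Object MessageCount -Descending |
    Format-Table Identity, DeliveryType, Status, MessageCount -AutoSize

# Queue filters compare literally with -eq; wildcards need -like.
$filters = @(
    "MessageSourceName -eq 'SMTP:RelayConnector'",   # everything that came in via the relay connector
    "FromAddress -like '*@yahoo.com.tw'"              # any sender at that domain (wildcard form)
)

foreach ($f in $filters) {
    # Count first: Get-Message takes the same -Filter syntax as Remove-Message.
    $hits = @(Get-Message -Server $server -Filter $f -ResultSize Unlimited)
    Write-Host ("{0,6} message(s) match: {1}" -f $hits.Count, $f)
    if ($hits.Count -eq 0) { continue }

    # Dry run: -WhatIf lists what would be removed without removing it.
    Remove-Message -Server $server -Filter $f -WithNDR $false -WhatIf

    # Real purge. -WithNDR $false: an NDR to a forged sender is just more
    # backscatter. -Confirm:$false suppresses the per-run prompt.
    Remove-Message -Server $server -Filter $f -WithNDR $false -Confirm:$false
}

# Confirm the queues have drained; anything left is worth a look in Queue Viewer.
Get-Queue -Server $server | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, MessageCount -AutoSize
```

Run it once with the last Remove-Message line commented out to check that the counts and the -WhatIf listing only cover the spam, then uncomment it. The MessageSourceName filter is the broad one: it removes everything that entered through that connector, including any legitimate mail from the one external user it was created for, so check the Get-Message output for their address before purging.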

Now to fix that damn RelayConnector, which I need so that one external user can use this SMTP server to send mail.

Hope this helps

JK

