Exchange 2003 sp2 and greylisting issue

A colleague of mine, Bill, brought me a problem involving an anti-spam measure that some of his customers are using. The measure is called “greylisting”, and it works because spammers don’t always follow RFCs except where it benefits them. In the pendulum of the spam war, this gives the good side something to exploit, and so greylisting was created. Unfortunately, it also uncovered a bug in Exchange 2003: messages were getting stuck in a queue and not sent until an Exchange service restart, which could mean a delay of several months!

Exchange 2003 sp2 and greylisting…

Exchange 2003, you say? Who is still using that? 

Most people are.

I’ve done the research a couple of times now, so I wanted to write it down in one place. Of course, I decided to share it with you as well.

Exchange 2003 with service pack 2 has some interesting challenges when sending e-mail to another SMTP server when that “other” server implements greylisting.

Sidebar: Greylisting is an anti-spam measure. Most of the programs that actually transmit e-mail spam don’t fully follow SMTP protocols. If an unexpected SMTP protocol result is received, then they drop the SMTP connection and move on to the next one. A server that is using greylisting maintains a cache of the IP addresses of servers that have sent good e-mail. When a new server connects for the first time, the greylisting server sends an SMTP protocol message that says “I’m busy – come back in a little while” – with the expectation that the message will be retried within a few minutes.

Most spam mailers will just drop the message.

Sometimes, Exchange will somehow seem to lose the message. Yep, lose it. It doesn’t show in any visible queue, it doesn’t generate an NDR, etc. etc. It just seems lost – until you restart the SMTP service (generally by rebooting the Exchange server for your monthly patch updates). Then, you may get a gazillion NDRs suddenly generated from messages that were sent quite some time ago…and users start asking questions.

This can also happen with the default Windows SMTP service, after applying Windows Server 2003 service pack 2.

For Windows Server, there is a hotfix available:

On a Windows Server 2003-based SMTP gateway server, some messages may remain in the queue folder until the SMTP service is restarted
http://support.microsoft.com/default.aspx?scid=kb;EN-US;934709

For Exchange Server there is also a hotfix (thanks to a heads-up comment by Joe):

E-mail senders do not receive an indication that some messages have been held by Exchange Server 2003 until the SMTP service, the Microsoft Exchange Information Store service, or the Exchange server is restarted
http://support.microsoft.com/default.aspx?scid=kb;EN-US;950757

In addition to the above hotfix, you may also want to consider changing a registry parameter known as GlitchRetrySeconds.

For a great explanation of GlitchRetrySeconds and what it does (as well as lots of other information about the SMTP queuing engine), see:

Explaining the Mysterious SMTP Advanced Queuing Engine
http://msexchangeteam.com/archive/2005/04/04/403297.aspx

But all you really need to know is to increase the value. I personally like the value of three minutes (180 seconds). Other people prefer two minutes (120 seconds). The default value is one minute (60 seconds). Since messages are retried three times before they are actually “sent to the back of the line”, one minute can be too short (a typical greylisting delay is five minutes [300 seconds]).
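To make the timing argument concrete, here is a small simulation added as an illustration (it is not from the original post or from Microsoft). It assumes a simplified model: a first attempt at t=0 followed by three glitch retries, a greylist keyed by sender IP as the sidebar describes, and a 451 reply for "come back later"; the class, function and address names are hypothetical.

```python
from dataclasses import dataclass, field

GLITCH_RETRIES = 3  # per the post: three retries before the "back of the line"


@dataclass
class GreylistingServer:
    """Toy greylisting receiver keyed by sender IP (simplified model)."""
    delay: int = 300                                  # typical delay cited in the post
    first_seen: dict = field(default_factory=dict)    # ip -> time of first attempt
    known_good: set = field(default_factory=set)      # IPs that already got through

    def rcpt(self, ip, now):
        """Return an SMTP-style reply code for an attempt at time `now` (seconds)."""
        if ip in self.known_good:
            return 250
        start = self.first_seen.setdefault(ip, now)
        if now - start >= self.delay:
            self.known_good.add(ip)
            return 250
        return 451  # temporary failure; assumed code for "I'm busy, come back later"


def glitch_retry_outcome(glitch_retry_seconds, server, ip="192.0.2.10"):
    """Simulate the first attempt plus glitch retries.

    Returns (delivered_at, attempts); delivered_at is None when every glitch
    retry lands inside the greylisting window and the message falls back to
    the slower retry schedule.
    """
    attempts = []
    for n in range(GLITCH_RETRIES + 1):
        now = n * glitch_retry_seconds
        code = server.rcpt(ip, now)
        attempts.append((now, code))
        if code == 250:
            return now, attempts
    return None, attempts


if __name__ == "__main__":
    for seconds in (60, 120, 180):   # default, and the two values from the post
        delivered_at, attempts = glitch_retry_outcome(seconds, GreylistingServer())
        print(f"GlitchRetrySeconds={seconds}: delivered_at={delivered_at} {attempts}")
```

With the 60-second default, all glitch retries (60, 120, 180 seconds) fall inside the 300-second window; with 120 or 180 seconds, a glitch retry lands at 360 seconds and is accepted.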

The downside to setting GlitchRetrySeconds too high is that it can cause a high-volume SMTP server to not send as many messages. This is rarely a problem for most installations. But because of this, the Exchange Server Analyzer Tool will report on a non-standard value for GlitchRetrySeconds:

The SMTP GlitchRetrySeconds registry value has been manually set
http://technet.microsoft.com/en-us/library/aa996601.aspx

And finally, here is how and where you modify the value:

How to Configure Glitch Retry Interval in Exchange Server 2003
http://technet.microsoft.com/en-us/library/8b43be56-48e6-400b-8014-54c95f87d1de.aspx

Whenever I hunt for the above article, it always takes me a little while – because of the difference between “interval” and “seconds” in the article title and in the registry value. Ooops.

Exchange 2003 sp2 and greylisting… – Michael’s meanderings…

Also read this related post on greylisting: https://duitwithsbs.wordpress.com/2008/07/07/greylisting-for-exchange-2003-2007-too/


4 responses to “Exchange 2003 sp2 and greylisting issue”

  1. I just had this issue. Microsoft said this is the Exchange hotfix: http://support.microsoft.com/default.aspx?scid=kb;EN-US;950757

    They pointed out the hotfix you mention is only for SMTP on non-Exchange boxes.

    Just an FYI on what I think is the latest proper patch for this. Your webpage was a big help BTW!

  2. We just ran into this problem today. Looks like the problem started when we upgraded to Exchange SP2 4 months back. Around 50 emails were sent out Saturday after the server restarted. Thanks for Blogging!
