Dealing with Badmail

Those of you running Exchange 2000 will probably know of the existence of the Badmail folder, which is typically found in the \Program Files\exchsrvr\Mailroot\VSI 1\BadMail folder.

The Badmail folder contains messages that cannot be delivered into your organisation, and also cannot be returned back to the sender. Therefore, the folder typically contains spam, and the files within the folder can usually just be deleted.

However, Exchange doesn't provide a setting to periodically empty the contents of the folder. The danger is that this folder will go unmonitored, and will continue to fill up.

To combat this problem, two different scripts are available here.

First, I've written a script that simply sends a notification message to selected mailboxes, informing the recipients of the number of files in the Badmail folder, along with how much space the files are taking up. Simply schedule the script to run on, say, a weekly basis using the Windows Scheduler. Now you get a weekly reminder to empty the Badmail folder, if it does actually need emptying. You can download this script here. Just make the modifications shown in the script to reflect the settings in your environment.

The beauty of this script is that it doesn't need a mailbox to send the notification message; it just uses the SMTP virtual server. Just make sure the sending address has a valid internal domain name - the remainder of the address can be fictitious.
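A report of this kind, written here as an added PowerShell example (it is not the original badmailreport.wsf): it counts the files, totals their size and hands the message to the local SMTP virtual server without a mailbox or credentials. The drive letter, addresses, thresholds and function names are assumptions to replace with your own.

```powershell
# Added example, not the original badmailreport.wsf. Every value here is an assumption.
$BadMailPath = 'C:\Program Files\exchsrvr\Mailroot\vsi 1\BadMail'  # drive letter assumed
$SmtpServer  = 'localhost'                     # the server's own SMTP virtual server
$From        = 'badmail-report@example.local'  # fictitious local part, internal domain
$To          = 'admin1@example.local,admin2@example.local'  # placeholder recipients
$WarnFiles   = 1000                            # constructed thresholds for the subject flag
$WarnBytes   = 500MB

function Measure-BadMail {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "BadMail folder not found: $Path"
    }
    $count = 0; [long]$bytes = 0; $oldest = $null
    $dir = New-Object System.IO.DirectoryInfo $Path
    # EnumerateFiles streams entries, so a folder holding several hundred
    # thousand files is never loaded into memory in one go.
    foreach ($file in $dir.EnumerateFiles()) {
        $count++
        $bytes += $file.Length
        if ($null -eq $oldest -or $file.LastWriteTime -lt $oldest) {
            $oldest = $file.LastWriteTime
        }
    }
    [pscustomobject]@{ Files = $count; Bytes = $bytes; Oldest = $oldest }
}

function Send-BadMailReport {
    param($Report)
    $over = ($Report.Files -ge $WarnFiles) -or ($Report.Bytes -ge $WarnBytes)
    $flag = if ($over) { 'WARNING' } else { 'OK' }
    $subject = "[$flag] BadMail on ${env:COMPUTERNAME}: $($Report.Files) files"
    $body = "Folder: {0}`r`nFiles: {1:N0}`r`nSize: {2:N1} MB`r`nOldest file: {3}" -f $BadMailPath,
        $Report.Files, ($Report.Bytes / 1MB), $Report.Oldest
    # No mailbox or credentials: the message is handed straight to the SMTP service.
    $client = New-Object System.Net.Mail.SmtpClient $SmtpServer
    $client.Send($From, $To, $subject, $body)
}

Send-BadMailReport -Report (Measure-BadMail -Path $BadMailPath)
```

The subject flag lets a mail rule separate routine reports from the weeks when the folder has actually grown past the thresholds.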

Call me paranoid, but I don't like scripts that automatically purge files in a folder. But there's a different script available written by Jon Pervan, who has kindly allowed the script to be made available here. This script will automatically purge the contents of the BadMail folder - no questions asked!

As always, you run these scripts at your own risk - be sure to test them in a non-production environment first.

Neil Hobson

(Update - Microsoft have released their own script to assist with the management of Badmail.)

Chris Meirick on July 25, 2003 at 12:50 AM in Useful Info

Comments

hi chris
I'd like to have your script - but I need the one that cleans it regularly...

cu, martin
mailto:m@paierl.ch

Posted by: martin paierl at Sep 3, 2003 1:21:03 PM

OK

Posted by: Paolo at Oct 7, 2003 9:45:37 AM

Very useful, thanks

Posted by: Mike Orton at Nov 27, 2003 2:58:56 AM

hi
I'm using SBS 2003, and got a spam mail. The \program files\exchsrvr\mailroot\vsi 1\badmail folder is more than full. I cannot delete all files with e.g. del, or by deleting the whole dir. Has anybody an idea how to work .. ?

Posted by: bernd at Jan 11, 2004 9:49:55 AM

Hi Bernd,

I would suggest either...

Running a batch file or script to clear the folder down... or creating a new Badmail directory...

There’s a script in Neil’s post above, and batch file details can be found here…
http://lyris.sunbelt-software.com/read/messages?id=402502#402502

...which also contains the steps required to recreate the directory...

Important: DO NOT OPEN THE BadMail FOLDER. Depending on how much spam the Small Business Server 2000 computer processes, this folder may contain several hundred thousand files. If you open this folder, the server may appear to have stopped responding.

2. Right-click the BadMail folder, click Rename, and then change the name to BadMailOld.
3. In the VSI 1 folder, create a new folder that is named BadMail.
4. Permanently delete the BadMailOld folder. To do this, click the BadMailOld folder, hold down the SHIFT key, and then press DELETE.
5. Click Yes when you are prompted with the question of whether you want to delete the BadMailOld folder. Deleting this folder may take a long time, depending on the number of files in this folder.

Posted by: Chris Meirick at Jan 12, 2004 5:47:25 AM

You are paranoid! If it's badmail, it's probably SPAM!

Posted by: James at Jan 13, 2004 2:24:39 PM

Eh?... of course it's probably spam... what's paranoia got to do with it!?

If you're referring to the 'do not open the Badmail folder'... that's for situations when there are a considerable number of items (000's) in the directory and management of it becomes somewhat difficult!

Posted by: Chris Meirick at Jan 13, 2004 2:59:37 PM

Just got slammed with over 5,000 messages in my SMTP queue. My Exchange 2003 server has been hacked but how? I have implemented all the standard anti relay settings?

I also cannot delete these queued messages like I could in Exchange 2000?

Suggestions?

Posted by: bill at Jan 14, 2004 1:44:05 PM

SMTP AUTH attack perhaps?

http://www.winnetmag.com/Article/ArticleID/40507/40507.html

Posted by: Jim Ross at Jan 14, 2004 4:00:50 PM

Thank you, thank you, thank you!! My server's C: drive was full and I couldn't figure out why. I used your script and freed-up almost 2 GB!! THANK YOU!!! You are a life saver.

Posted by: Niko at Jan 27, 2004 12:45:03 PM

Thanks for the script.

Question: Sorry in advance if this is not the appropriate post location.

I am seeing a lot of the following warnings from my antivirus software. I do not have an email account set up for "postmaster", which I understand could be spoofed. Please explain.

Sender of the infected attachment: postmaster@fisd.org Recipient of the infected attachment: EXCHANGE, First Storage Group\Mailbox Store (EXCHANGE), SMTP (EXCHANGE-{8DA0A3A7-DFAD-4474-86F5-C5AB7DF667C4})/NON_IPM_SUBTREE/TempTable%231/%233
Subject of the message:
One or more attachments were deleted.
Attachment data.zip was Deleted for the following reasons:
Virus W32.Novarg.A@mm was found.
Virus W32.Novarg.A@mm was found in data.pif.


Thanks, Carl

Posted by: Carl at Jan 30, 2004 12:37:49 PM

can you tell me how to run the at command for your script, do you have an example for me?
sorry to be such a newbie.

dan

Posted by: dan crandell at Feb 3, 2004 6:49:28 AM

Hi Dan,

There are details of the various at.exe switches in these articles... and they can of course also be found by running 'at /?' from a command prompt.

Just ignore any references to scheduling backup jobs, substituting your batch file/script instead.

http://www.robvanderwoude.com/ntat.html

http://support.microsoft.com/default.aspx?scid=kb;en-us;313289&sd=tech

http://support.microsoft.com/?kbid=281701

Posted by: Chris Meirick at Feb 3, 2004 3:19:57 PM

What if you leave the location of the badmail folder blank in SMTP properties.

Will that just auto delete all the "bad" emails?

Posted by: Sejin Myong at Feb 23, 2004 2:01:49 PM

MS needs a /dev/null

Posted by: aard at Feb 27, 2004 1:53:04 PM

What is /dev/null ?
Does that mean you cannot just leave the badmail path empty?

Posted by: DLC at Mar 4, 2004 5:39:04 AM

I run Exchange 2000 (SP3), and I redirected the BadMail to another partition (logs only partition), so as not to clog up the system one. I check the badmail folder every week and remove the files as needed, which is all fine and good, but my question is, in the windows event log, every so often, there are "errors" stating that some message cannot be resent as they have been deleted, which seems to indicate Exchange is not very happy with some deleted messages. Does this have anything to do with the badmail folder? Or is this totally unrelated?

Posted by: etai at Mar 8, 2004 6:26:52 PM

Hi, these articles were useful and I have controlled my badmail folder also by setting up in the security options of that folder and set all the built-in users to read-only mode; since then I don't see any mail entering the bad mail folder. But I get lots of mails in the queue folder, and also priv1.edb is showing 1GB and I have only 3GB of free space. I am worried if it grows more; how can I control the priv1.edb file?

Posted by: Srikrishna at Mar 10, 2004 5:25:13 AM

The best method is probably by making sure that you have storage limits configured.

http://support.microsoft.com/default.aspx?scid=kb;en-us;319583

It also sounds like your box isn't too highly spec'd.

Posted by: Chris Meirick at Mar 10, 2004 2:21:28 PM

Of course, a Scheduled Task to deal with BadMail is easy, but, curious... perhaps we could point the BadMail folder to the Recycle Bin path. It has its own storage limiter. Anyone tried it?

Posted by: Erik at Mar 23, 2004 12:27:49 PM

Hi
I was wondering if you would be able to help me out. I was informed that Exchange 2003 has anti-spam filtering and attachment blocking built in. Do you know of any resources that will help me set up these features?

Thank you
Imtiaz

Posted by: imtiaz at Mar 25, 2004 6:54:53 AM

Hi Imtiaz... I would suggest that you take a look at this page...

http://www.microsoft.com/exchange/techinfo/security/antispam.asp

Exchange 2003 has some anti-spam capabilities, including when coupled with Outlook 2003, but more possibilities/features are to come later this year with the introduction of Intelligent Message Filter (IMF)

http://hellomate.typepad.com/exchange/2003/12/plenty_of_spam_.html

Currently you can make use of…

Realtime Blackhole Lists
http://hellomate.typepad.com/exchange/2003/09/another_new_fea.html

Outlook 2003’s Junk Mail Filter
http://www.microsoft.com/office/editions/prodinfo/junkmail.mspx

Sender & Recipient Filtering and Global Deny and Accept Lists

Proper attachment filtering meanwhile really requires a third party product, be it anti-spam or anti-virus. Sybari’s Antigen for Exchange for example provides good filtering capabilities. Although there are of course also ways to prevent specified attachment types from being available to Outlook/OWA users.

Posted by: Chris Meirick at Mar 25, 2004 8:16:48 AM

Hi,

I'd really like to download the script that automatically purges the BadMail folder, but the link is broken. Could I find it elsewhere?

The report script works beautifully.

Thanks!

Bill

Posted by: Bill Fergus at Apr 6, 2004 8:13:20 AM

Hi Bill,

The link's working again... sorry for the problem.

Posted by: Chris Meirick at Apr 6, 2004 1:13:06 PM

Hi everyone,

I am trying to use the badmailreport.wsf script and it doesn't work. I use the following syntax: csript badmailreport.wsf. All I get is a box with the number 0 in it! No message is sent at all. Of course, there are bad mails in the badmail folder.

Can you help me?
Thanks
Eric

Posted by: Eric Solinas at Apr 13, 2004 7:40:09 AM