Bad Mail Black Hole

It'll take some careful investigation to figure out why bad mail on your Exchange server is eating up disk space.

Bill: I recently took over the tech support for a small mortgage company. They are running two Dell 4600 servers both with Windows Server 2000. One server is configured as an Exchange 2000 server, data and print server and the other is set up as a RightFAX and Citrix server. My issue is that the Exchange server "badmail" directory has more than 230,000 files (1.8GB) in it.

I am looking for suggestions on how to remove these files and manage their removal more frequently in the future. This is a production server and the client wants minimal downtime. Appreciate any suggestions. Google and Experts Exchange haven't been as helpful as I would have hoped.
—David


David: The first thing to do is move the existing BadMail folder out of the way. To do this, stop the SMTP service, rename the BadMail folder to BadMailOld, create a new BadMail folder, then start the SMTP service again. You should be able to send and receive messages without a problem.

Next, pick through the messages in BadMailOld to figure out why you have so many items. The files with the BAD extension are text files that you can read with Notepad.

If this is a public-facing Exchange server, or it is accessible from the Internet, you may have been targeted as an SMTP relay. If you find lots and lots of messages sent to outside recipients with content that could not have originated in your organization, check your SMTP relay setting to make sure you have not inadvertently permitted unauthenticated entities. Correct this quickly, as you could be blacklisted by one or more anti-spam service providers.

Also, scan for viruses to make sure you haven't been infected with a worm that installs an open proxy, which is becoming a favorite exploit. Run netstat -an and verify that you can account for each open port. The Tcpview utility from www.sysinternals.com is handy for this work because it lists the executable that listens on each open port. The fport utility from www.foundstone.com is also useful for port identification.

If this is not a public-facing server and it is not infected or otherwise exploited, you may have a public folder replication problem that is causing hierarchy and backfill content to build up in BadMail. Or the items may be coming from the RightFax server, which might be storing old copies of faxes in BadMail.

Once you determine the cause of the buildup, delete the BadMailOld folder and you'll get back your 1.8GB of storage.

There's no way to automate this process that I know of other than to write a batch file to go through these same steps. The batch file might look like this, assuming that your Exchange files are on the E drive:

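rem Stop SMTP so nothing is written to BadMail during the swap
net stop smtpsvc
rem /d changes the drive as well as the directory
cd /d "e:\program files\exchsrvr\mailroot\vsi 1"
ren badmail badmailold
md badmail
net start smtpsvc
rem MOVE cannot relocate a folder to another volume, so copy it and then delete the original
xcopy badmailold \\server\share\badmailanalysis\ /e /i /q
if not errorlevel 1 rd /s /q badmailold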

Hope this helps.
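Reading 230,000 files in Notepad is not practical, so the step of picking through BadMailOld for signs of relay abuse can be scripted. The following is an added example, not part of the original column: it tallies sender and recipient domains across the .BAD files and counts how many are addressed outside the organization. It assumes the .BAD text contains ordinary To: and From: header lines near the top; the function names, the mortgage.example domain and the sample files are constructed for illustration.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# First address on each To:/From: line (assumes the .BAD text carries such header lines)
HEADER_RE = re.compile(r"^(To|From):.*?([\w.+-]+@([\w-]+(?:\.[\w-]+)+))", re.I | re.M)

def summarize_badmail(folder, internal_domains, read_chars=8192):
    """Tally sender/recipient domains over the .BAD files in folder."""
    internal = {d.lower() for d in internal_domains}
    senders, recipients = Counter(), Counter()
    scanned = external = 0
    for path in Path(folder).iterdir():
        if path.suffix.lower() != ".bad":
            continue
        scanned += 1
        # Read only the start of each file (headers assumed to come first); there may be 230,000 files
        with open(path, "r", errors="replace") as fh:
            text = fh.read(read_chars)
        to_external = False
        for kind, _addr, domain in HEADER_RE.findall(text):
            domain = domain.lower()
            if kind.lower() == "from":
                senders[domain] += 1
            else:
                recipients[domain] += 1
                to_external = to_external or domain not in internal
        external += to_external
    return {"scanned": scanned, "external": external,
            "senders": senders, "recipients": recipients}

def demo():
    """Run the summary over constructed sample files (not real BadMail content)."""
    samples = {
        "1.BAD": "From: promo@spam.example\nTo: <a@outside1.example>\nSubject: x\n\nbody\n",
        "2.BAD": "From: promo@spam.example\nTo: b@outside2.example\nSubject: y\n\nbody\n",
        "3.BAD": "From: postmaster@mortgage.example\nTo: loans@mortgage.example\n\nbody\n",
        "3.BDP": "not a .BAD file, skipped",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            Path(tmp, name).write_text(text)
        return summarize_badmail(tmp, ["mortgage.example"])

if __name__ == "__main__":
    report = demo()
    print(f"{report['external']} of {report['scanned']} files have an outside recipient")
    print("top senders:", report["senders"].most_common(5))
    print("top recipients:", report["recipients"].most_common(5))
```

A high share of files addressed to outside domains, from senders that are not yours, points toward the relay check described above; mostly internal addresses point toward the replication or RightFax explanations.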

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
