Stopping Sophos PureMessage 3.0 from Generating an NDR Storm

I upgraded to the latest version of Sophos PureMessage (v2.6.1 upgrade to v3.0) on an SBS 2003 server.

The upgrade went smoothly as per usual. Hats off to Sophos for providing good quality products and excellent documentation.

This version now includes AD integration and allows for recipient validation. I enabled this, as well as verifying the upgraded settings. I kept an eye on progress for about 90 minutes as I was performing other administrative tasks.

When I came back to it the next morning, the server was being sluggish. Investigation showed that the were several thousand NDRs queued up, and further investigation revealed that the Exchange journal mailbox was bouncing Read Receipts with a Permission Denied error back to PureMessage. Unfortunately, the Read Receipts had no From header, so PureMessage was generating an NDR and trying to send it to an address of '<', which is a completely invalid address. This was then escalating an alert message to the Alert address, which had filled up the resulting mailbox. The mail bounce that was occuring was also generating an unscannable error due to too many nested attachments, which also queued up an alert message.

The remedial action was to remove the administrator alert address. This stopped the queuing. I then turned off administrator alerts for the On Unscannable action for the Exchange Store scanning and the Transport scanning. This helped stopped further NDR flooding.

The final action I performed that finally killed the NDR storm was to fire up the Exchange System Manager, go into the SmallBusiness SMTP Connector properties, go into Content Restrictions and turn off System Messages.

I also opened up the Delivery Restrictions placed on the mailbox that I'm using for Exchange Journalling until I can verify what the appropriate restrictions should be on the mailbox such that it works with PureMessage 3.0, seeing as the previous settings worked fine with PureMessage 2.6.1 (which was only accept messages from the Exchange Journalling mailbox).

Exchange Server 2003 Mailbox Recovery Using Recovery Storage Groups, NTBackup and Exmerge

OK, this is my quick-n-dirty guide to recovering a mailbox from an Exchange 2003 system. I'll tidy it up later.

• Download Exmerge from Microsoft


• Follow the instructions in MSKB 292509 to create a group that will allow the Administrator account to read/write mailbox data


• Open Exchange System Manager, expand Servers. Right-click on <server name> under Servers. Select New > Recovery Storage Group...


• Enter in a name for the RSG and also the file locations. The defaults are fine. Click OK


• Right-click on the Recovery Storage Group object.


• Choose Add Databases to Recover…


• Highlight the Mailbox Store (the one to be restored).


• Enable This Database can be overwritten by a restore


• Run NTBackup, select Restore and Manage Media, find the correct media, expand the Exchange Information Store and select Logs and Mailbox Store.


• Click Start Restore, Restore to <server name>, and set the Temporary location to the file location used to create the Recovery Storage Group. Enable Last Restore Set.


• After the database has been restored, mount the Recovery Storage Group database using Exchange Server Manager.


• Run Exmerge and select Extract or Import (Two Step Procedure).


• Select Step 1.


• Enter in <server name> for Exchange Server Name.


• Select Recovery Storage Group database.


• Select Mailbox to recover.


• Select Folder location to save .PST files to.


• Start ExMerge, click Next


• Choose Extract or Import (Two Step Procedure)


• Pick Step 2: Import data into an Exchange Server Mailbox


• Again type the name of your Exchange server then click Next


• Mark the mailboxes you want to merge, click Next twice


• Specify where the .PST files should be merged from and click Next


• Check mailbox data, then Dismount RSG database and remove files from the RSG file location


• You're done!