Bad Mail Black Hole

It'll take some careful investigation to figure out why bad mail on your Exchange server is eating up disk space.

Bill: I recently took over the tech support for a small mortgage company. They are running two Dell 4600 servers both with Windows Server 2000. One server is configured as an Exchange 2000 server, data and print server and the other is set up as a RightFAX and Citrix server. My issue is that the Exchange server "badmail" directory has more than 230,000 files (1.8GB) in it.

I am looking for suggestions on how to remove these files and manage their removal more frequently in the future. This is a production server and the client wants minimal downtime. Appreciate any suggestions. Google and Experts Exchange haven't been as helpful as I would have hoped.
—David

David: The first thing to do is delete the BadMail folder. To do this, stop the SMTP service, rename the BadMail folder to BadMailOld, create a new BadMail folder, then start the SMTP service again. You should be able to send and receive messages without a problem.

Next, pick through the messages in BadMailOld to figure out why you have so many items. The files with the BAD extension are text files that you can read with Notepad.

If this is a public-facing Exchange server, or it is accessible from the Internet, you may have been targeted as an SMTP relay. If you find lots and lots of messages sent to outside recipients with content that could not have originated in your organization, check your SMTP relay setting to make sure you have not inadvertently permitted unauthenticated entities. Correct this quickly, as you could be blacklisted by one or more anti-spam service providers.

Also, scan for viruses to make sure you haven't been infected with a worm that installs an open proxy, which is becoming a favorite exploit. Run netstat -an and verify that you can account for each open port. The Tcpview utility from www.sysinternals.com is handy for this work because it lists the executable that listens on each open port. The fport utility from www.foundstone.com is also useful for port identification.

If this is not a public-facing server and it is not infected or otherwise exploited, you may have a public folder replication problem that is causing hierarchy and backfill content to build up in BadMail. Or the items may be coming from the RightFax server, which might be storing old copies of faxes in BadMail.

Once you determine the cause of the buildup, delete the BadMailOld folder and you'll get back your 1.8GB of storage.

There's no way to automate this process that I know of other than to write a batch file to go through these same steps. The batch file might look like this, assuming that your Exchange files are on the E drive:

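REM Stop SMTP so nothing is written to BadMail during the swap
Net stop smtpsvc
REM /d changes the drive as well as the directory
cd /d "e:\program files\exchsrvr\mailroot\vsi 1"
Ren badmail badmailold
REM MOVE cannot move a directory to another volume, so copy it and remove it only if the copy succeeded
xcopy badmailold \\server\share\badmailanalysis\ /e /i /q && rd /s /q badmailold
Md badmail
Net start smtpsvc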

Hope this helps.
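
One way to do the "pick through BadMailOld" step in bulk, as an added example that is not part of the original column: it sorts .BAD files into delivery reports, mail addressed to outside recipients (the relay indicator described above), and mail addressed to local recipients. It assumes each .BAD file is an RFC 822 text message; `LOCAL_DOMAINS`, the function names and the sample messages are constructed for illustration.

```python
import tempfile
from collections import Counter
from email.parser import BytesHeaderParser
from email.utils import getaddresses, parseaddr
from pathlib import Path

LOCAL_DOMAINS = {"example-mortgage.test"}  # assumption: domains your server accepts mail for
# Constructed sample messages standing in for real .BAD files.
SAMPLES = {
    "a.BAD": b"From: promo@bulk.test\r\nTo: x@isp.test, y@isp.test\r\nSubject: deal\r\n\r\nhi\r\n",
    "b.BAD": b"From: promo@bulk.test\r\nTo: formeremp@example-mortgage.test\r\n\r\nhi\r\n",
    "c.BAD": b"From: postmaster@example-mortgage.test\r\nTo: forged@bulk.test\r\n"
             b"Content-Type: multipart/report; report-type=delivery-status\r\n\r\n",
    "d.BAD": b"\x00\x01 not a message",
}

def classify(raw, local_domains):
    """Return (bucket, recipient_domains) for the raw bytes of one message."""
    msg = BytesHeaderParser().parsebytes(raw)
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])) if "@" in a]
    if not rcpts:
        return "unparsed", []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    doms = [a.rpartition("@")[2].lower() for a in rcpts]
    # Delivery reports: report MIME type, postmaster sender, or null/missing From.
    if msg.get_content_type() == "multipart/report" or sender.startswith("postmaster@") or not sender:
        return "ndr", doms
    # Ordinary mail for outside recipients is what an abused relay leaves behind.
    if any(d not in local_domains for d in doms):
        return "outside_recipient", doms
    return "local_recipient", doms

def triage(folder, local_domains=LOCAL_DOMAINS):
    buckets, rcpt_domains = Counter(), Counter()
    for path in Path(folder).glob("*.BAD"):
        bucket, doms = classify(path.read_bytes(), local_domains)
        buckets[bucket] += 1
        rcpt_domains.update(doms)
    return buckets, rcpt_domains

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, raw in SAMPLES.items():
            (Path(tmp) / name).write_bytes(raw)
        return triage(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `triage()` against the copy on the analysis share rather than the live folder; a large `outside_recipient` count is the cue to review the relay settings, while a large `local_recipient` count points at mail for mailboxes that no longer exist.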

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

Reader Comments:

Tue, Jun 15, 2004 Michael Norway

Because of a network error my server has not sent mail for 1 week. They are all in the badmail folder. Can I rename the .BAD files to .eml (IIS 5.0, not Exchange) and put them in the pickup or drop folder to send them? Please send an e-mail to. Thx

Wed, Apr 21, 2004 dev-hda1 Anonymous

Great help, we also have had a badmail problem. This article was about the best explained solution I came across.

Sat, Mar 6, 2004 Srikrishna Tanzania

Wow, this was a great article which solved my problem; I was trying to figure out how to fix it. Thanks a ton for the supported article, which made my life easier.

Tue, Dec 23, 2003 ecb dallas

Two problems with most of these scripts;
1. IF SMTP is on, it's dumping to the dir. That will slow down any DEL command. esp if you are being spammed.
2. SMTP itself will create the folder listed in the badmail setting.

Here is the badmail part of our cleanup I use. 2x a day, (eve, and early morn).

NET STOP SMTP
REM
rd e:\badmail /s /q >>e:\logs\badmail.log
NET START SMTP

Mon, Dec 8, 2003 Anonymous Anonymous

very good read

Sat, Dec 6, 2003 Anonymous Anonymous

Great tip!!! Any news regarding the "restricting Exchange 2000 external relay" issue????

Wed, Nov 26, 2003 GS London

Brilliant - It should hit major headlines in all the IT Press. What is the Exchange Manager program for - It can't even handle this problem.

Tue, Nov 25, 2003 Daniel Milburn Salt Lake City

I simply run an AT job every night at midnight to delete all files in the badmail folder. It doesn't interfere with smtp because the folder is never deleted. It works great:

@ECHO OFF
DEL "C:\Program Files\Exchsrvr\Mailroot\vsi 1\BadMail\*.*" /F /Q > nul:

Sat, Nov 15, 2003 Charles Anonymous

This is a big security hole as far as I’m concerned. Someone could take down your exchange server and out of the box without another piece of software you can’t do anything about it. According to Microsoft this is by design and can’t be turned off. With Exchange5.5 it would sit in a queue until the time ran out and simply be deleted. With Exchange2k or Exchange2k3 it dumps to your harddrive. Someone could target your server and send it a 1meg bad mail message every 2 seconds starting on Friday night and on Monday morning when you came in you would be down! I’ve ranted and raved about this in the Microsoft news groups to no avail. I mean I can set a max. mailbox size, circular logging on, then you leave a hole like this open??? What’s wrong with them?
We wrote our own piece of software that manages this directory. It logs and deletes the contents of this directory. We tried to take it one more step and write the IP addresses to the metabase of Exchange's block list; after some time on the phone with the MSDN team they claim it can’t be done and is not supported. Thanks Microsoft. Nut shell “give us the ability to turn this on or off”. Simple!!!! -Charles (systems engineer)

Wed, Nov 5, 2003 Neil Newcastle Australia

Help! Exchange server spam mail everywhere. Downloaded latest virus defs, no virus found. 50000+ emails in inbox. Slowing down network. Any ideas???

Tue, Nov 4, 2003 John Anonymous

I have examined the many files in my Badmail folder and have found that most of them are junk e-mails to former employees that no longer have mailboxes on the exchange server.

Tue, Nov 4, 2003 Anonymous Anonymous

Good article...only problem I see is assuming first that there is a relay or virus. It could be as simple as deleted user accounts that are getting spammed and the NDRs get kicked back, filling up the badmail folder. I think this would be the most common reason people's badmail folder gets huge.

Tue, Nov 4, 2003 Rob Anonymous

I get about 7,000 per month (x3 files per bad mail = 21,000 files).
I've discovered that 20% of them are rejects from AOL (someone is faking spam from our domain and AOL sends us the failed deliveries).
AOL was not willing to end those, so we stopped 64.12.238.* traffic at our router.
You don't need to stop any services if you simply want to delete all the files at any time.

Tue, Nov 4, 2003 Bill Clardy Certified Network Solutions

The overall advice is sound as far as it goes, but it overlooks the potential impact on the rest of the system. I recently dealt with an Exchange 2000 server where the badmail directory grew to more than 5GB with more than a million files -- and the Master File Table for that partition had swollen to more than 1 GB in 45,000 fragments scattered all across the partition (and only 2 percent in use after emptying the badmail directory). Effectively, that partition was permanently fragmented, and the most cost-effective method for defragmenting it was to reformat and reinstall (after backing up the Exchange data).

Tue, Nov 4, 2003 Shawn Hayes Anonymous

No need to stop the SMTP service. Just write a batch file to delete the files in the folder. Badmail builds by messages intended for a recipient that does not exist on your server and a null From: or Return: address. Create an AT job that runs once a week to squash the files.

Tue, Nov 4, 2003 Bob Smith Univ. of Pgh.

I have been manually dealing with this problem for some time now wondering if there was a better way. This script is something, but still kind of "clunky". The whole BadMail folder thing seems kind of an afterthought or unfinished business item created by Microsoft. There definitely needs to be an automated way to manage this folder through Exchange; one that limits the space and retention times for these e-mails that ought to go directly to the Recycle bin in the first place - hey, there is a thought...would that work?

Tue, Nov 4, 2003 Dan Tripp Anonymous

Ok, so the response form ignored the line feeds. Point is, the service should be stopped, the directory renamed, a new "badmail" directory created, THEN the service restarted, and LASTLY copy the data for analysis elsewhere (or just delete it).

Tue, Nov 4, 2003 Dan Tripp Anonymous

I take issue with this script as a solution, as it would create unneeded server downtime. The "bad files" should be moved *after* the new badmail directory is created and the service is restarted.

So, instead of this:
=========================
Net stop smtpsvc
cd "e:\program files\exchsrvr\mailroot\vsi 1"
Ren badmail badmailold
Move badmailold \\server\share\badmailanalysis
Md badmail
Net start smtpsvc

Do this:
=========================
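Net stop smtpsvc
REM /d changes the drive as well as the directory
cd /d "e:\program files\exchsrvr\mailroot\vsi 1"
Ren badmail badmailold
Md badmail
Net start smtpsvc
REM MOVE cannot move a directory to another volume, so copy it and remove it only if the copy succeeded
xcopy badmailold \\server\share\badmailanalysis\ /e /i /q && rd /s /q badmailold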
