Unknown E-Mails in the Queue

    Question

  • Hi!

    I have some messages like this in my Exchange 2007 queue. Does anybody have an idea about this:

    Identity: Exchange-SVR\58222\20762
    Subject: Undeliverable: BUSINESS COLLABORATION!!
    Internet Message ID: <63c577c8-acf1-401b-b5e5-314ec099c1cf>
    From Address: <>
    Status: Ready
    Size (KB): 6
    Message Source Name: DSN
    Source IP: 255.255.255.255
    SCL: -1
    Date Received: 26/05/2011 10:43:59 AM
    Expiration Time: 28/05/2011 10:43:59 AM
    Last Error:
    Queue ID: Exchange-SVR\58222
    Recipients:  v114655@web03.njtech.com

     

    Thanks.

    Friday, May 27, 2011 8:31 AM

All replies

  • Yeah, probably spam
    Sukh
    Friday, May 27, 2011 8:43 AM
  • I have some messages like this in my Exchange 2007 queue.
    Does anybody have an idea about this:

    Identity: Exchange-SVR\58222\20762
    Subject: Undeliverable: BUSINESS COLLABORATION!!
    Internet Message ID: <63c577c8-acf1-401b-b5e5-314ec099c1cf>
    From Address: <>
    Status: Ready
    Size (KB): 6
    Message Source Name: DSN
    Source IP: 255.255.255.255
    SCL: -1
    Date Received: 26/05/2011 10:43:59 AM
    Expiration Time: 28/05/2011 10:43:59 AM
    Last Error:
    Queue ID: Exchange-SVR\58222
    Recipients:  v114655@web03.njtech.com

    given the above it sounds like something is trying to
    relay junk through your exchange (notice not TO it,
    but THROUGH it !) notice that the message is a
    "Delivery Status Notification" and that it has been
    generated internally (look at the source IP)

    I think that you should ensure that your exchange is
    not an open relay and then given that's ok, you'll
    need to enable logging (e.g. SMTP logging) and
    carefully look at the traffic to spot the "spam" one
    see, given your box isn't an open relay, the above
    may mean two things

    * One of your accounts got compromised so someone
       from "the internet" is using those credentials to connect
       to your exchange and send out junk

    and/or

    * One or more machines on your LAN got compromised
       or infected and are now pumping out spam through your
       exchange server

    now, a quick remediation (although not so painless) would
    be changing all the accounts' passwords and setting up your
    exchange to always require authentication to SEND emails
    (even from LAN) - done that you may proceed checking your
    logs and trying to track and pinpoint the issue (if it still exists)

    Friday, May 27, 2011 10:42 AM
  • The Exchange Server is not an open relay, but is it normal that our Exchange queue is showing 255.255.255.255 as the sender's IP for our internal users' e-mails?

     

    Thanks.

    Sunday, May 29, 2011 9:31 AM
  • The Exchange Server is not an open relay, but is it
    normal that our Exchange queue is showing 255.255.255.255
    as the sender's IP for our internal users' e-mails?

    That's an NDR which is generated internally by exchange
    so there's NO sender IP; the point is... you'll need to find
    out WHY those NDRs are generated (what's causing them)
    and then you'll find the cause of your issue

    Some further checks may be ensuring that your exchange
    is performing recipient verification and also enabling the
    SMTP log and checking it to see if there's any "anomalous"
    mail traffic taking place and which IP is generating it

    Monday, May 30, 2011 9:00 AM
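
One way to do the SMTP log check suggested in the two replies above, as an added example that is not part of the original thread: it totals envelope senders, recipients and 5xx rejections per connecting IP. It assumes the receive protocol log is CSV with a `#Fields:` header naming `remote-endpoint`, `event` and `data` columns; the sample lines, the addresses and the `max_senders` threshold are constructed.

```python
import csv
from collections import defaultdict

# Constructed sample in the CSV layout of an Exchange SMTP receive protocol log.
# Hosts, IPs and addresses are invented for illustration.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-05-26T10:40:01Z,SVR\\Default,08CD01,3,10.0.0.5:25,10.0.0.77:1045,<,MAIL FROM:<a1@example.test>,
2011-05-26T10:40:02Z,SVR\\Default,08CD01,5,10.0.0.5:25,10.0.0.77:1045,<,RCPT TO:<x1@example.net>,
2011-05-26T10:40:03Z,SVR\\Default,08CD01,9,10.0.0.5:25,10.0.0.77:1045,<,MAIL FROM:<b2@example.test>,
2011-05-26T10:40:04Z,SVR\\Default,08CD01,11,10.0.0.5:25,10.0.0.77:1045,<,RCPT TO:<x2@example.net>,
2011-05-26T10:40:05Z,SVR\\Default,08CD01,15,10.0.0.5:25,10.0.0.77:1045,<,MAIL FROM:<c3@example.test>,
2011-05-26T10:40:06Z,SVR\\Default,08CD01,17,10.0.0.5:25,10.0.0.77:1045,<,RCPT TO:<x3@example.net>,
2011-05-26T10:41:00Z,SVR\\Default,08CD02,3,10.0.0.5:25,10.0.0.20:2211,<,MAIL FROM:<alice@example.test>,
2011-05-26T10:41:01Z,SVR\\Default,08CD02,5,10.0.0.5:25,10.0.0.20:2211,<,RCPT TO:<bob@example.org>,
2011-05-26T10:42:00Z,SVR\\Default,08CD03,3,10.0.0.5:25,203.0.113.9:40112,<,MAIL FROM:<>,
2011-05-26T10:42:01Z,SVR\\Default,08CD03,5,10.0.0.5:25,203.0.113.9:40112,<,RCPT TO:<nobody@example.test>,
2011-05-26T10:42:02Z,SVR\\Default,08CD03,6,10.0.0.5:25,203.0.113.9:40112,>,550 5.1.1 User unknown,
"""

def summarize(log_text):
    """Per remote IP: messages started, distinct senders, recipients, 5xx replies."""
    fields = None
    stats = defaultdict(lambda: {"messages": 0, "senders": set(), "recipients": 0, "rejected": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[8:].split(",")]
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        ip = row["remote-endpoint"].rsplit(":", 1)[0]
        event, data = row["event"], row["data"]
        if event == "<" and data.upper().startswith("MAIL FROM:"):
            stats[ip]["messages"] += 1
            # "<>" (the null sender used by DSNs/NDRs) is recorded as "".
            stats[ip]["senders"].add(data[10:].split(">")[0].strip(" <").lower())
        elif event == "<" and data.upper().startswith("RCPT TO:"):
            stats[ip]["recipients"] += 1
        elif event == ">" and data[:1] == "5":
            stats[ip]["rejected"] += 1  # server answered with a 5xx rejection
    return dict(stats)

def suspicious(stats, max_senders=2):
    """Heuristic (assumed threshold): one client using many envelope senders."""
    return sorted(ip for ip, s in stats.items() if len(s["senders"]) > max_senders)

if __name__ == "__main__":
    print("check first:", suspicious(summarize(SAMPLE_LOG)))
```

An IP on the LAN that shows up here with many different senders is the machine or account to inspect first; an external IP with many rejected recipients points at the recipient verification setting instead.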
  • Hello create_Share,

    It was a Reverse NDR (<>) in Exchange 2007 or Exchange 2010, which is the same as Postmaster e-mails in Exchange 2003 Server.

    It is generated if e-mail is going out from your Exchange server and the recipient is not present on the Internet; in that case your server generates a blank-sender (<>) e-mail. You can select those blank-sender e-mails in the queue and delete them without sending an NDR.

    To stop the Reverse NDR (<>), use the Antispam feature on the server, or you can use any third-party antivirus software to block the blank-sender (<>) e-mail.

    It will help to fix the issue.


    EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
    • Proposed as answer by PKT_ Friday, July 15, 2011 8:32 PM
    Friday, July 15, 2011 8:32 PM
  • Just an OT note: do you know that self-marked answers won't give you any "point" ?

     

    Friday, July 15, 2011 9:31 PM
  • Absolutely, I have encountered that also.
    Saturday, July 16, 2011 11:51 PM
  • Just an OT note: do you know that self-marked answers won't give you any "point" ?

     


    Really?  How do they work then?
    Sukh
    Monday, July 18, 2011 9:06 AM
  • Just an OT note: do you know that self-marked answers won't give you any "point" ?

     


    Really?  How do they work then?

    See this post from Brent Serbus, and in particular this message which reads

    Quote:

    If a user posts a reply and marks it as the answer (self marking) they will no longer get points, correct. The recalculation going live tomorrow will reflect these new rules. The self marking points allocation was reported over a year ago and this release will resolve that.

    I think it's pretty clear


    Monday, July 18, 2011 10:42 AM