HealthMailbox....... thousands of transfers appearing in SPAM quarantine


  • Monday, November 19, 2012 7:17 PM
     
     

    I've asked this question on another forum without an answer so I thought I would try here.

    This relates to Exchange 2013.  During Friday through to Monday I am picking up thousands of spam items sent from inboundproxy@inboundproxy.com and up to five HealthMailboxes are involved.  The healthmailboxes have accounts in AD and appeared during the Exchange installation.

    Here is an example -

    Diagnostic information for administrators:

    Generating server: EXCHANGE2.xxxxx.yyyyyyyy.yy.yy

    HealthMailbox168a97e4814144848b101e39c3482fca@xxxxx.yyyyyyyy.yy.yy
    #550 5.2.1 Content Filter agent quarantined this message ##

    Original message headers:

    Received: from EXCHANGE2.xxxxx.yyyyyyyy.yy.yy (192.168.0.72) by
     EXCHANGE2.xxxxx.yyyyyyyy.yy.yy (192.168.0.72) with Microsoft SMTP Server
     (TLS) id 15.0.516.32; Mon, 19 Nov 2012 19:20:48 +0000
    Received: from InboundProxyProbe (::1) by EXCHANGE2.xxxxx.yyyyyyyy.yy.yy
     (::1) with Microsoft SMTP Server id 15.0.516.32 via Frontend Transport; Mon,
     19 Nov 2012 19:20:48 +0000
    Subject: Inbound proxy probe
    Message-ID: <2e1d9dd2-d71e-4c23-9b5a-b8e12c109e57@EXCHANGE2.xxxxx.yyyyyyyy.yy.yy>
    From: <inboundproxy@inboundproxy.com>
    To: Undisclosed recipients:;
    Return-Path: inboundproxy@inboundproxy.com
    Date: Mon, 19 Nov 2012 19:20:48 +0000
    MIME-Version: 1.0
    Content-Type: text/plain
    Received-SPF: Fail (EXCHANGE2.xxxxx.yyyyyyyy.yy.yy: domain of
     inboundproxy@inboundproxy.com does not designate ::1 as permitted sender)
     receiver=EXCHANGE2.xxxxx.yyyyyyyy.yy.yy; client-ip=::1;
     helo=InboundProxyProbe;

     
    Can anyone spread light on this, is it normal behaviour and if not how can I stop it?  The exchange installation is on a green field domain.  The exchange server is an OOTB installation on a single VM.
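
Added example (not part of the original post): the NDR quoted above carries a consistent header fingerprint, namely a loopback `client-ip`, `helo=InboundProxyProbe`, and the fixed probe sender and subject. The Python sketch below classifies a quarantined message on that origin rather than on the From address alone; its function names, the abridged header sample and the constructed second sample are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Header block from the post above, abridged to the fields the check reads.
SAMPLE_PROBE = """\
Received: from InboundProxyProbe (::1) by EXCHANGE2.xxxxx.yyyyyyyy.yy.yy
 (::1) with Microsoft SMTP Server id 15.0.516.32 via Frontend Transport; Mon,
 19 Nov 2012 19:20:48 +0000
Subject: Inbound proxy probe
From: <inboundproxy@inboundproxy.com>
Return-Path: inboundproxy@inboundproxy.com
Received-SPF: Fail (EXCHANGE2.xxxxx.yyyyyyyy.yy.yy: domain of
 inboundproxy@inboundproxy.com does not designate ::1 as permitted sender)
 receiver=EXCHANGE2.xxxxx.yyyyyyyy.yy.yy; client-ip=::1;
 helo=InboundProxyProbe;

"""

# Constructed sample: same From/Subject, but a non-loopback client address
# (203.0.113.25 is a documentation-range IP, not taken from the thread).
SAMPLE_REMOTE = SAMPLE_PROBE.replace("(::1)", "(203.0.113.25)").replace(
    "client-ip=::1", "client-ip=203.0.113.25")


def spf_params(msg):
    """Return the key=value pairs of the (folded) Received-SPF header."""
    raw = " ".join((msg.get("Received-SPF") or "").split())
    return {k.lower(): v for k, v in re.findall(r"([\w-]+)=([^;\s]+)", raw)}


def classify(header_text):
    """Label a quarantined message: health-probe, probe-lookalike or other."""
    msg = message_from_string(header_text)
    spf = spf_params(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip()
    try:
        local = ipaddress.ip_address(spf.get("client-ip", "")).is_loopback
    except ValueError:  # header missing or client-ip not an IP address
        local = False
    named_like_probe = (sender == "inboundproxy@inboundproxy.com"
                        and subject == "Inbound proxy probe")
    if named_like_probe and local and spf.get("helo") == "InboundProxyProbe":
        return "health-probe"      # generated on the server itself
    if named_like_probe:
        return "probe-lookalike"   # right names, wrong origin: review it
    return "other"
```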






All Replies

  • Saturday, November 17, 2012 9:26 AM
     
     

    Can anybody throw some light onto why I'm seeing thousands of spam emails going to HealthMailbox<GUID>. I guess these are originating from the 'Microsoft Exchange Health Manager' service, but why? Is it normal behaviour and if not what do I need to do to stop it?

    Diagnostic information for administrators:

    Generating server: EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx

    HealthMailboxd32564304edf4f1ca268412e9beca645@local.roycemcintyre.co.uk
    #550 5.2.1 Content Filter agent quarantined this message ##

    Original message headers:

    Received: from EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx (192.168.0.72) by
     EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx (192.168.0.72) with Microsoft SMTP Server
     (TLS) id 15.0.516.32; Sat, 10 Nov 2012 00:22:20 +0000
    Received: from InboundProxyProbe (::1) by EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx
     (::1) with Microsoft SMTP Server id 15.0.516.32 via Frontend Transport; Sat,
     10 Nov 2012 00:22:20 +0000
    Subject: Inbound proxy probe
    Message-ID: <9438ef9d-1303-450d-87f1-884b9a2041f0@EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx>
    From: <inboundproxy@inboundproxy.com>
    To: Undisclosed recipients:;
    Return-Path: inboundproxy@inboundproxy.com
    Date: Sat, 10 Nov 2012 00:22:20 +0000
    MIME-Version: 1.0
    Content-Type: text/plain
    Received-SPF: Fail (EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx: domain of
     inboundproxy@inboundproxy.com does not designate ::1 as permitted sender)
     receiver=EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx; client-ip=::1;
     helo=InboundProxyProbe;

    No errors reported in the Event log



  • Saturday, November 17, 2012 9:54 PM
     
     
    On Sat, 17 Nov 2012 09:26:52 +0000, Frogman@3guysonsharepoint
    wrote:
     
    >Can anybody throw some light onto why I'm seeing thousands of spam emails going to HealthMailbox<GUID>. I guess these are originating from the 'Microsoft Exchange Health Manager' service, but why? Is it normal behaviour and if not what do I need to do to stop it?
    >
    >Diagnostic information for administrators:
    >
    >Generating server: EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx
    >
    >HealthMailboxd32564304edf4f1ca268412e9beca645@local.roycemcintyre.co.uk #550 5.2.1 Content Filter agent quarantined this message ##
    >
    >Original message headers:
    >
    >Received: from EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx (192.168.0.72) by EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx (192.168.0.72) with Microsoft SMTP Server (TLS) id 15.0.516.32; Sat, 10 Nov 2012 00:22:20 +0000
    >Received: from InboundProxyProbe (::1) by EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx (::1) with Microsoft SMTP Server id 15.0.516.32 via Frontend Transport; Sat, 10 Nov 2012 00:22:20 +0000
    >Subject: Inbound proxy probe
    >Message-ID: <9438ef9d-1303-450d-87f1-884b9a2041f0@EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx>
    >From: <inboundproxy@inboundproxy.com>
    >To: Undisclosed recipients:;
    >Return-Path: inboundproxy@inboundproxy.com
    >Date: Sat, 10 Nov 2012 00:22:20 +0000
    >MIME-Version: 1.0
    >Content-Type: text/plain
    >Received-SPF: Fail (EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx: domain of inboundproxy@inboundproxy.com does not designate ::1 as permitted sender) receiver=EXCHANGE2.xxxxxx.xxxxxxxxx.xx.xx; client-ip=::1; helo=InboundProxyProbe;
    >
    >No errors reported in the Event log
     
    Do you have multiple receive connectors? Multiple Exchange HT server
    roles?
     
    Get-SenderReputationConfig | fl open*
     
    If the OpenProxyDetectionEnabled is set to "True" try turning it off
    and see if that stuff disappears. If it does I'm not sure what the fix
    is unless you have some odd arrangement of IP addresses and you
    haven't identified the networks properly in the "Organization
    Configuration / Hub Transport / Global Settings / Transport Settings /
    Message Delivery" dialog box.
     
    Since it's Exchange 2013 I don't have a definitive answer for you. But
    the open proxy detection is probably the source of your problem.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

  • Sunday, November 18, 2012 10:03 AM
     
     

    Thanks Rich,

    The installation is on a single server and everything is out of the box.  I have tried all of your suggestions, without success with the exception of the 'odd arrangement of IP...' There are no odd arrangements. BTW the instructions you gave for identifying the networks no longer apply to 2013 but thank you all the same.

    Anyone else with any ideas?  A further piece of info ... the activity I am seeing has a pattern.  It occurs approximately every 7 days!

  • Tuesday, November 20, 2012 6:46 AM
    Moderator
     
     

    Hi

    Please have an attempt to restart the transport service, or if it is possible, try a reboot.

    Also, how about setting the SCLQuarantineThreshold to 6

    Set-Mailbox -identity user -SCLQuarantineThreshold 6

    Not sure it will work or not, just have a try

    Cheers

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com


    Zi Feng

    TechNet Community Support

  • Tuesday, November 20, 2012 9:07 AM
    Moderator
     
     

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thanks,

    Evan Liu


    TechNet Community Support

  • Tuesday, November 20, 2012 2:04 PM
     
     

    Hi,
    I see the same thing. Thousands of messages now stored in the HealthMailboxes.

    This picture shows how the item count increases. I used to have the AntiSpam Agents installed, so the first HealthMailbox has 5000 items in the Junk-folder.


    Martina Miskovic



  • Tuesday, November 20, 2012 6:58 PM
     
     
    Five hours later, this is what I see now.


    Martina Miskovic

  • Monday, November 26, 2012 2:43 AM
    Moderator
     
     

    Hi

    Any update on this thread?

    Cheers


    Zi Feng
    TechNet Community Support

  • Monday, November 26, 2012 3:50 PM
     
     

    Hi Zi,

    Sorry for the delay in getting back to you. 

    In response to your suggestions ---

    Yes, I have rebooted which did not resolve the issue.

    The SCLQuarantineThreshold is already at 6.  In all honesty I did not think that this would stop the traffic.  If anything it would simply remove it from quarantine.

    I have raised this as an issue here

    http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/thread/d3270e58-c27b-4699-b4aa-478ba295787f

    As you can see I'm not the only one with this problem.

     


  • Tuesday, November 27, 2012 2:04 AM
    Moderator
     
     

    Hi

    I will merge this thread to that thread, and some familiar person is working on that thread

    Cheers


    Zi Feng
    TechNet Community Support

  • Wednesday, November 28, 2012 12:26 PM
     
     

    Yeah, I have the same thing but it is made worse because I have a journaling mailbox that receives a copy of all eMails!  This means not only are these health mailboxes filling up with thousands of "test" emails but so is my journaling mailbox!

    How can we stop them?


    • Edited by Alanasff Wednesday, November 28, 2012 12:27 PM
  • Thursday, November 29, 2012 2:57 AM
     
     

    I have the same issue. It looks like a message is generated every 5 minutes. In addition, there are messages from inboundproxy @ inboundproxy.com. There are not as many of these.

  • Monday, December 10, 2012 9:12 AM
     
     

    Hello,

    Any news on this, I have eMails building up at a rate of about 6000 a week!  Can I delete them? Better still how can I stop them in the first place?

  • Tuesday, December 11, 2012 3:34 PM
     
     

    Here is a workaround describing how to exclude those messages from journaling: http://www.expta.com/2012/12/exchange-2013-health-check-monitors-and.html

    It does not seem to be already documented how to manage those preconfigured health checks

     

  • Wednesday, January 02, 2013 10:30 AM
     
     

    I don't think you can do much about the presence and operation of the health mailboxes as they are part of Exchange 2013. You can control them somewhat. Jeff gave good guidance in his post. You could try applying retention policies too... Here's how http://thoughtsofanidlemind.wordpress.com/2013/01/02/exchange-2013-health-mailboxes/

    - Tony

  • Tuesday, February 19, 2013 7:46 PM
     
     

    I don't think you can do much about the presence and operation of the health mailboxes as they are part of Exchange 2013. You can control them somewhat. Jeff gave good guidance in his post. You could try applying retention policies too... Here's how http://thoughtsofanidlemind.wordpress.com/2013/01/02/exchange-2013-health-mailboxes/

    - Tony

    Tony I attempted to set a retention policy for the mailboxes which failed.  As you quite rightly pointed out the Health Mailboxes appear as 'UserMailbox' type.  I also tried this -

    [PS] C:\Windows\system32>Get-Mailbox -Identity healt* | Set-Mailbox -RetentionPolicy 'Health Mailboxes Retention Policy'
    The read-only property doesn't support this operation.
        + CategoryInfo          : NotSpecified: (:) [Set-Mailbox], InvalidObjectOperationException
        + FullyQualifiedErrorId : 39982A54,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
        + PSComputerName        : exchange2.xxxxxxxxx

    The RetentionPolicy property for these mailboxes appears to be read-only.

    Ideas?

  • Thursday, March 07, 2013 12:40 AM
     
     
    I'm having the same issue here. Is there a way to empty those items out?
  • Saturday, March 09, 2013 9:16 AM
     
     

    What I have done to at least get rid of the quarantine message is to add the inboundproxy user to the senders list which are bypassed by the spam agent.

    Set-ContentFilterConfig -BypassedSenders inboundproxy@inboundproxy.com

    Still looking for a way to clean the mailboxes.

  • Saturday, March 23, 2013 11:00 AM
     
     
    this might help you: http://technology.bauzas.com/microsoft/servers/exchange/exchange-2013/why-is-my-exchange-2013-server-generating-a-lot-of-emails-from-maildeliveryprobemaildeliveryprobe-com-and-inboundproxyinboundproxy-com
    • Edited by dw_at Saturday, March 23, 2013 11:00 AM
  • Thursday, April 11, 2013 1:20 PM
     
     

    I found Exchange 2013 automatically starts the service 'MSExchangeHM' by default.

    [PS] C:\>get-service MSExchangeHM | fl

    Name                : MSExchangeHM
    DisplayName         : Microsoft Exchange Health Manager
    Status              : Stopped
    DependentServices   : {}
    ServicesDependedOn  : {eventlog}
    CanPauseAndContinue : False
    CanShutdown         : False
    CanStop             : False
    ServiceType         : Win32OwnProcess

    This service will generate health check mail in x interval.

    stop it and set Manual to start!

  • Thursday, April 11, 2013 1:30 PM
     
     

    What are the implications and consequences of this action?

    Just health probe or something more?

    Regards,
    Greg

  • Tuesday, April 16, 2013 7:33 PM