Unknown E-Mails in the Queue
-
Friday, May 27, 2011 8:31 AM
Hi!
I have some messages like this in my Exchange 2007 queue. Does anybody have an idea about this:
Identity: Exchange-SVR\58222\20762
Subject: Undeliverable: BUSINESS COLLABORATION!!
Internet Message ID: <63c577c8-acf1-401b-b5e5-314ec099c1cf>
From Address: <>
Status: Ready
Size (KB): 6
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 26/05/2011 10:43:59 AM
Expiration Time: 28/05/2011 10:43:59 AM
Last Error:
Queue ID: Exchange-SVR\58222
Recipients: v114655@web03.njtech.com
Thanks.
All Replies
-
Friday, May 27, 2011 8:43 AM
Yeah, probably spam
Sukh
-
Friday, May 27, 2011 10:42 AM
Given the above, it sounds like something is trying to relay junk through your Exchange (notice: not TO it, but THROUGH it!). Notice that the message is a "Delivery Status Notification" and that it has been generated internally (look at the source IP).
I think that you should ensure that your Exchange is not an open relay and then, given that's OK, you'll need to enable logging (e.g. SMTP logging) and carefully look at the traffic to spot the "spam" one.
See, given your box isn't an open relay, the above may mean two things:
* One of your accounts got compromised, so someone from "the internet" is using those credentials to connect to your Exchange and send out junk
and/or
* One or more machines on your LAN got compromised or infected and are now pumping out spam through your Exchange server
Now, a quick remediation (although not so painless) would be changing all the accounts' passwords and setting up your Exchange to always require authentication to SEND emails (even from LAN); done that, you may proceed checking your logs and trying to track and pinpoint the issue (if it still exists).
-
Sunday, May 29, 2011 9:31 AM
The Exchange Server is not an open relay, but is it normal that our Exchange queue is showing 255.255.255.255 as the sender's IP for our internal users' e-mails?
Thanks.
-
Monday, May 30, 2011 9:00 AM
The Exchange Server is not an open relay, but is it normal that our Exchange queue is showing 255.255.255.255 as the sender's IP for our internal users' e-mails?
That's an NDR which is generated internally by Exchange, so there's NO sender IP; the point is... you'll need to find out WHY those NDRs are generated (what's causing them) and then you'll find the cause of your issue.
Some further checks may be ensuring that your Exchange is performing recipient verification and also enabling the SMTP log and checking it to see if there's any "anomalous" mail traffic taking place and which IP is generating it.
-
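One way to run the SMTP-log check suggested in the replies above, added here as an example and not part of the original thread: it tallies MAIL FROM and RCPT TO commands per client IP in a receive protocol log and lists LAN hosts that submit mail under sender domains that are not yours. The sample log lines, the domain `example.local`, the `10.0.0.0/24` LAN range and the function names are constructed assumptions; the column layout is read from the log's own `#Fields` header.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample in the Exchange SMTP receive protocol-log CSV layout;
# every host, address and session id below is made up.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-05-26T10:41:02Z,Default,S1,3,10.0.0.5:25,10.0.0.23:1093,<,MAIL FROM:<alice@example.local>,
2011-05-26T10:41:02Z,Default,S1,5,10.0.0.5:25,10.0.0.23:1093,<,RCPT TO:<bob@partner.example>,
2011-05-26T10:43:10Z,Default,S2,3,10.0.0.5:25,10.0.0.77:2201,<,MAIL FROM:<v1@web03.forged.example>,
2011-05-26T10:43:10Z,Default,S2,5,10.0.0.5:25,10.0.0.77:2201,<,RCPT TO:<x1@nowhere.example>,
2011-05-26T10:43:11Z,Default,S2,7,10.0.0.5:25,10.0.0.77:2201,<,RCPT TO:<x2@nowhere.example>,
2011-05-26T10:43:30Z,Default,S3,3,10.0.0.5:25,10.0.0.77:2207,<,MAIL FROM:<v2@web03.forged.example>,
2011-05-26T10:43:30Z,Default,S3,5,10.0.0.5:25,10.0.0.77:2207,<,RCPT TO:<x3@nowhere.example>,
2011-05-26T10:44:00Z,Default,S4,3,10.0.0.5:25,203.0.113.9:40112,<,MAIL FROM:<carol@partner.example>,
2011-05-26T10:44:00Z,Default,S4,5,10.0.0.5:25,203.0.113.9:40112,<,RCPT TO:<alice@example.local>,
"""

def summarize(log_text):
    """Per client IP: the set of MAIL FROM addresses used and the RCPT TO count."""
    stats = defaultdict(lambda: {"senders": set(), "rcpts": 0})
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].strip().split(",")
        elif fields and line and not line.startswith("#"):
            row = dict(zip(fields, next(csv.reader([line]))))
            if row["event"] != "<":  # "<" marks a command received from the client
                continue
            ip = row["remote-endpoint"].rsplit(":", 1)[0].strip("[]")
            data = row["data"]
            if data.upper().startswith("MAIL FROM:"):
                stats[ip]["senders"].add(data[10:].split(">")[0].strip(" <").lower())
            elif data.upper().startswith("RCPT TO:"):
                stats[ip]["rcpts"] += 1
    return stats

def lan_spoofers(stats, local_domains, lan_cidr):
    """LAN clients whose MAIL FROM domains are not ours, busiest first."""
    lan = ipaddress.ip_network(lan_cidr)
    hits = []
    for ip, s in stats.items():
        foreign = {a for a in s["senders"] if a and a.rsplit("@", 1)[-1] not in local_domains}
        if ipaddress.ip_address(ip) in lan and foreign:
            hits.append((ip, len(foreign), s["rcpts"]))
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    print(lan_spoofers(summarize(SAMPLE_LOG), {"example.local"}, "10.0.0.0/24"))
```

Each tuple is (client IP, number of foreign sender addresses, recipients attempted); a LAN host that shows up here is the one to inspect for infection or stolen credentials.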
Friday, July 15, 2011 8:32 PM
Hello create_Share,
It was a Reverse NDR (<>) in Exchange 2007 or Exchange 2010, which is the same as Postmaster e-mails in Exchange 2003 server.
It is generated if e-mail is moving out from your Exchange server and the recipient is not present on the Internet; in that case your server generates a blank sender <> e-mail. You can select those blank sender e-mails from the queue and delete them without sending an NDR.
To stop the Reverse NDR (<>), use the Antispam feature on the server, or you can use any third-party antivirus software to block the blank sender <> e-mail.
It will help to fix the issue.
EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
- Proposed As Answer by PKT_ Friday, July 15, 2011 8:32 PM
-
Friday, July 15, 2011 9:31 PM
Just an OT note: do you know that self-marked answers won't give you any "point"?
-
Saturday, July 16, 2011 11:51 PM
Absolutely, I have encountered that also.
-
Monday, July 18, 2011 9:06 AM
Just an OT note: do you know that self-marked answers won't give you any "point"?
Really? How do they work then?
Sukh
-
Monday, July 18, 2011 10:42 AM
Just an OT note: do you know that self-marked answers won't give you any "point"?
Really? How do they work then?
See this post from Brent Serbus, and in particular this message which reads
Quote:
If a user posts a reply and marks it as the answer (self marking) they will no longer get points, correct. The recalculation going live tomorrow will reflect these new rules. The self marking points allocation was reported over a year ago and this release will resolve that.
I think it's pretty clear

