locked
Exchange 2007 system attendant emails out of control RRS feed

  • Question

  • I've noticed the stat's on our journaling server have increased from an average of 10,000 emails per day to 50,000 -100,000 emails per day and we have sustained this average since 12/7/2012.  When I opened the journaling mailbox on the Exchange server (2007 sp3, Update 6) I can see emails from 'Microsoft Exchange' to the 'Microsoft System Attendant' mailbox piling in fast and furious.  I have read that this is normal but the amount of emails we are seeing is not normal based on the daily statistic's of the number of emails were are now seeing on a daily basis.  I've noticed an increase in back pressure alerts (2-3 per day) in the event log but most of those are a result of a user sending an email with a large attachment.  I have it narrowed down to one storage group because of the amount of log files that it generates but I haven't been able to locate the issue.  Can anyone help me figure out how to sniff out this problem?  I've tried some system attendant diagnostic logging on the exchange server but haven't seen anything that would lead me to the source of the problem.

    Monday, December 17, 2012 5:08 PM

Answers

  • I spoke to MS support about this today.  They told me it was a bug and provided me with a work around.  The system attendant mailbox was located in our journal database.  So we right clicked each mailbox in the EMC, selected properties and enabled journaling from a per database level, rather than from the Organization Configuration | Hub Transport | Journaling tab.  The only database we didn't do this on was the Journal database.  So now all the mailboxes are journaled except for the two mailboxes in the Journal EDB file, one being for the system attendant and the other for journaling. 

    The unfortunate issue is the system attendant mailbox is still receiving thousands of emails, it's just not being journaled.  They would not commit to releasing a hotfix or maintenance release but they did say it's not an issue in Exchange 2010. 


    • Marked as answer by urhines Tuesday, December 18, 2012 9:47 PM
    • Edited by urhines Wednesday, December 19, 2012 1:52 PM
    Tuesday, December 18, 2012 9:47 PM

All replies

  • What is in the e-mail messages?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Monday, December 17, 2012 6:00 PM
  • I replaced our domain with DomainName in the text below.  There's no text in the subject or body when I view the message in our archive appliance.  When I open the emails in the journal mailbox they look like this:

    Sender: MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@DomainName.com

    Subject:

    Message-Id: <BEE4386EBEDDD148AEFD76EAB563B6EC01C8CD8312@DCA002.DomainName.local>

    To: DCA002-SA@DomainName.com

    Monday, December 17, 2012 6:07 PM
  • The source info looks like this:

    Received: from DCA002.OurDomain.local ([IP Address removed]) by
     DCA002.OurDomain.local ([IP Address Removed]) with mapi; Mon, 17 Dec 2012 11:19:37
     -0600
    From: Microsoft Exchange
     <MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@OurDomain.com>
    To: Microsoft System Attendant <DCA002-SA@OurDomain.com>
    Date: Mon, 17 Dec 2012 11:19:37 -0600
    Subject:
    Thread-Index: Ac3cerDsSFHT/ms1S5+72EXtE8avWQ==
    Message-ID: <BEE4386EBEDDD148AEFD76EAB563B6EC01C8CD7712@DCA002.OurDomain.local>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Exchange-Organization-AuthAs: Internal
    X-MS-Exchange-Organization-AuthMechanism: 03
    X-MS-Exchange-Organization-AuthSource: DCA002.OurDomain.local
    X-MS-Has-Attach:
    X-MS-Exchange-Organization-SCL: -1
    X-MS-TNEF-Correlator:
    acceptlanguage: en-US
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    MIME-Version: 1.0

    Monday, December 17, 2012 6:13 PM
  • What is DCA002-SA?  If it's an Exchange server, what roles and how are you using it?  Is there nothing in the message text?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Monday, December 17, 2012 6:13 PM
  • We only have one Exchange server (DCA002) with hub/cas/mail roles installed and I'm guessing SA stands for system attendant.  This is a system generated email/mailbox, nothing that I have set up.  We have 7 storage groups with a mailbox in each group.  One of the storage groups is producing mass amounts of logs so I'm guessing this is where the emails are coming from.  Correct, there is nothing in the message text.
    Monday, December 17, 2012 6:19 PM
  • This thread concludes it's normal.

    http://social.technet.microsoft.com/forums/en-US/exchangesvrsecuremessaginglegacy/thread/61fb62d4-af72-4c3d-99c8-4334e48e86d9

    But it brings to mind a thought, did you decommission your Exchange 2000 or 2003 server properly, assuming that you upgraded at one point in time?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."


    Monday, December 17, 2012 6:26 PM
  • I saw that thread but based on what we normally receive this is not normal, see image below.  Maybe your on to something with the decommission info; I've only been here six months. 

    On 12-5 I did some clean up and disabled a user account in AD called Administrator.  This account had access to everyone's mailbox in the company and nobody knew the password.  This is a domain admin account but it was not being used to run any exchange services.  I re-enabled this account three days ago thinking this might be attributing to our issue but it has not changed anything.  Just to give you some stat's on the normal level of system attendant emails see below:

    12/3 | 424 emails

     12-5 | 310 emails

    12-6 | 10,896 emails

    12 - 7 | 57,369 emails

    12/10 | 87,654 emails

    This can't be normal.

    • Marked as answer by urhines Tuesday, December 18, 2012 9:46 PM
    • Unmarked as answer by urhines Tuesday, December 18, 2012 9:47 PM
    Monday, December 17, 2012 6:49 PM
  • I spoke to MS support about this today.  They told me it was a bug and provided me with a work around.  The system attendant mailbox was located in our journal database.  So we right clicked each mailbox in the EMC, selected properties and enabled journaling from a per database level, rather than from the Organization Configuration | Hub Transport | Journaling tab.  The only database we didn't do this on was the Journal database.  So now all the mailboxes are journaled except for the two mailboxes in the Journal EDB file, one being for the system attendant and the other for journaling. 

    The unfortunate issue is the system attendant mailbox is still receiving thousands of emails, it's just not being journaled.  They would not commit to releasing a hotfix or maintenance release but they did say it's not an issue in Exchange 2010. 


    • Marked as answer by urhines Tuesday, December 18, 2012 9:47 PM
    • Edited by urhines Wednesday, December 19, 2012 1:52 PM
    Tuesday, December 18, 2012 9:47 PM