Exchange 2003 mail non-delivery (NDR), spam activity? events 7002 & 7004
Windows Server 2003 Small Business Server SP2
Exchange Version 6.5 (Build 7638.2: Service Pack 2)
This network has been neglected and has been having email problems for years and was on many blacklists. I was called in after the server eventually crashed... I got the server back up and running, but email problems persist.
Outgoing mail delivery is sporadic. Sometimes the mail goes through, sometimes a delayed delivery report is generated after a day or more, and sometimes it seems to go through, but the recipient never receives it.
Not sure if spammers are successfully using the server as a relay (see event entries below after turning on maximum SMTP logging)...
- User PCs infected with viruses and server was blacklisted on many sites (I used mxtoolbox.com)
- I have cleaned all the PCs and changed all passwords (including administrator)
- I have requested removal from all of the blacklists - most have removed the listing, some take more time.
I have set up rDNS pointer records with the ISP (Comcast) - that was one reason for some of the blacklistings.
I have tested that it's not an open relay using telnet as described here:
www.amset.info/exchange/smtp-openrelay.asp
I followed the advice of a Spamhaus & Microsoft article to enable maximum SMTP logging. http://www.spamhaus.org/faq/answers.lasso?section=isp%20spam%20issues#320
which directed me to Microsoft KB article 895853, specifically, the part 2/3 down titled:
"If mail relay occurs from an account on an Exchange computer that is not configured as an open relay".
The Application Event Log is filling with this type of activity (Event ID 7002, 7002 & 3018 errors):
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7004
Date: 1/18/2011
Time: 7:33:29 AM
User: N/A
Computer: SERVER
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #621. The remote host "212.52.84.180", responded to the SMTP command "rcpt" with "550 #5.1.0 Address rejected [email protected] ". The full command sent was "RCPT TO: ". This will probably cause the connection to fail.
and this:
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7002
Date: 1/18/2011
Time: 7:33:29 AM
User: N/A
Computer: SERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #620. The remote host "212.52.84.170", responded to the SMTP command "rcpt" with "452 Too many recipients received this hour ". The full command sent was "RCPT TO: ". This may cause the connection to fail.
or a variant of:
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7002
Date: 1/18/2011
Time: 8:39:21 AM
User: N/A
Computer: SERVER
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #661. The remote host "82.57.200.133", responded to the SMTP command "rcpt" with "421 Service not available - too busy ". The full command sent was "RCPT TO: ". This may cause the connection to fail.
also
Event Type: Error
Event Source: MSExchangeTransport
Event Category: NDR
Event ID: 3018
Date: 1/18/2011
Time: 9:49:37 AM
User: N/A
Computer: SERVER
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;[email protected] (Message-ID ).
Causes: This message indicates a DNS problem or an IP address configuration problem
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
Data:
0000: ef 02 04 c0 ï..À
Any guidance and/or suggestions and/or tests to perform would be greatly appreciated.
To fix this, get a new IP address for your outbound mail server ASAP. Remember to also realign reverse DNS for the IP address. Also continue on with the blacklist removals. If you cannot get an external IP, consider a 3rd party mail filtering service or a gateway.
As a follow up, don't send mail directly from Exchange out to the internet. If possible, put in a secondary mail gateway that will allow you to better manage your outbound emails. You can set this up very easily if you have a bit of Linux experience, and also you can keep a good record of who is using your email server for what. You could also do this by enabling SMTP logging on the SMTP virtual server in Exchange, but I find even this log to be a bit of a pain to get accurate measurements for.
If you cannot use a gateway, even if just as a temporary measure, use an external provider such as Postini or MessageLabs. http://www.google.com/postini/index.html
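To get measurements out of the 7002/7004 events quoted in the question, the descriptions can be tallied by reply code, remote host and transient versus permanent rejection. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes the event descriptions have been exported as one string per event.

```python
import re
from collections import Counter

# Wording of MSExchangeTransport 7002/7004 descriptions as quoted in the question.
EVENT_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<host>[^"]+)", '
    r'responded to the SMTP command "(?P<cmd>[^"]+)" '
    r'with "(?P<code>[45]\d\d)[ -](?P<text>[^"]*)"'
)

def parse_event(description):
    """Parse one description; return None for other events (e.g. 3018 NDRs)."""
    m = EVENT_RE.search(description)
    if m is None:
        return None
    rec = m.groupdict()
    rec["text"] = rec["text"].strip()
    # 4xx = transient (remote is deferring or throttling), 5xx = permanent reject.
    rec["kind"] = "transient" if rec["code"].startswith("4") else "permanent"
    return rec

def summarize(descriptions):
    """Tally rejected SMTP commands by reply code, remote host and reply kind."""
    report = {"by_code": Counter(), "by_host": Counter(), "by_kind": Counter(), "skipped": 0}
    for d in descriptions:
        rec = parse_event(d)
        if rec is None:
            report["skipped"] += 1  # not a 7002/7004 protocol event
            continue
        report["by_code"][rec["code"]] += 1
        report["by_host"][rec["host"]] += 1
        report["by_kind"][rec["kind"]] += 1
    return report

# Sample input: descriptions copied from the question, cut after the reply text.
SAMPLE = [
    'This is an SMTP protocol error log for virtual server ID 1, connection #621. The remote host "212.52.84.180", responded to the SMTP command "rcpt" with "550 #5.1.0 Address rejected [email protected] ".',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #620. The remote host "212.52.84.170", responded to the SMTP command "rcpt" with "452 Too many recipients received this hour ".',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #661. The remote host "82.57.200.133", responded to the SMTP command "rcpt" with "421 Service not available - too busy ".',
    'A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;[email protected] (Message-ID ).',
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for name in ("by_kind", "by_code", "by_host"):
        print(name, dict(report[name]))
    print("skipped (not 7002/7004):", report["skipped"])
```

Run over a full export, the per-code and per-host counts give a volume of rejected recipients that can be compared against the mail the users actually send.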