Solved

Exchange 2003 7004 Errors in event log

Posted on 2005-03-22
18
Medium Priority
564 Views
Last Modified: 2012-06-21
I have an Exchange 2003 server with SP1 installed on SBS 2003. The server logs between 350 and 500 7004 errors a day. Here is an example:

This is an SMTP protocol error log for virtual server ID 1, connection #5506. The remote host "195.186.18.144", responded to the SMTP command "rcpt" with "550 RCPT TO:<chousegs@bluewin.ch> User unknown ". The full command sent was "RCPT TO:<chousegs@bluewin.ch> ". This will probably cause the connection to fail. For more information, click http://www.microsoft.com/contentredirect.asp.

This looks an awful lot like my server is trying to relay UCE to other servers. I've read the eventid.net entry for 7004:
http://www.eventid.net/display.asp?eventid=7004&eventno=3510&source=MSExchangeTransport&phase=1

I've been to amset.info:
http://www.amset.info/exchange/spam-cleanup.asp
http://www.amset.info/exchange/smtp-relaysecure.asp 
and followed all the steps listed, yet I still get the 7004s.

I have tested that I am not an open relay.
I have followed the steps to determine if an authenticated user account is being used to relay, which it is not.
I have removed the ability of authenticated users to relay unless they are in the POP3 Relay group (described in the second link above) which is currently empty.

My server is a standalone SBS 2003 domain behind a PIX 501. I have "no fixup protocol smtp 25", access-list, and static statements in place to get the SMTP traffic to and from the server.

Legitimate email is flowing fine, but this has been going on for too long and I need to isolate this problem and resolve it before I get blacklisted. Please help :)
0
Comment
Question by:jamie177
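An added example, not part of the question or any of the answers: a small Python parser for 7004 event descriptions in the format quoted above, run over constructed sample events, that tallies permanent (5xx) RCPT rejections by remote host and destination domain. Rejections spread across many unrelated domains is the shape a stream of bounces to forged sender addresses leaves in the log; the hosts and addresses below are made up.

```python
import re
from collections import Counter

def event_7004(host, cmd, reply, full):
    """Build a description in the format quoted in the question (constructed sample)."""
    return ('This is an SMTP protocol error log for virtual server ID 1, connection #1. '
            f'The remote host "{host}", responded to the SMTP command "{cmd}" with '
            f'"{reply} ". The full command sent was "{full} ". '
            'This will probably cause the connection to fail.')

# Constructed sample events; hosts use documentation ranges and example domains.
SAMPLE_EVENTS = [
    event_7004('192.0.2.10', 'rcpt', '550 RCPT TO:<alice@example.net> User unknown', 'RCPT TO:<alice@example.net>'),
    event_7004('198.51.100.7', 'rcpt', '550 5.1.1 <bob@example.org>: Recipient address rejected', 'RCPT TO:<bob@example.org>'),
    event_7004('203.0.113.5', 'rcpt', '550 No such user here', 'RCPT TO:<carol@example.com>'),
    event_7004('192.0.2.10', 'mail', '452 4.3.1 Insufficient system resources', 'MAIL FROM:<postmaster@mail.example>'),
]

EVENT_RE = re.compile(
    r'The remote host "(?P<host>[^"]+)", responded to the SMTP command '
    r'"(?P<cmd>[^"]+)" with "(?P<code>\d{3}) (?P<text>[^"]*)"\. '
    r'The full command sent was "(?P<full>[^"]*)"')

def parse_7004(description):
    """Return host, command, reply code/text and the address in the failed command."""
    m = EVENT_RE.search(description)
    if not m:
        return None
    rec = m.groupdict()
    addr = re.search(r'<([^>]+)>', rec['full'])
    rec['recipient'] = addr.group(1) if addr else None
    rec['domain'] = rec['recipient'].rsplit('@', 1)[-1].lower() if addr else None
    return rec

def summarize(descriptions):
    """Count permanent (5xx) RCPT rejections by remote host and destination domain."""
    recs = [r for r in map(parse_7004, descriptions) if r]
    rejected = [r for r in recs if r['cmd'].lower() == 'rcpt' and r['code'].startswith('5')]
    return {'total': len(recs), 'rcpt_rejections': len(rejected),
            'remote_hosts': Counter(r['host'] for r in rejected),
            'recipient_domains': Counter(r['domain'] for r in rejected)}

def looks_like_backscatter(summary, min_events=3, min_domains=2):
    """5xx replies to RCPT spread over several unrelated destination domains is the
    pattern NDRs to forged sender addresses produce; a genuinely broken route
    would concentrate on one remote host or domain."""
    return (summary['rcpt_rejections'] >= min_events
            and len(summary['recipient_domains']) >= min_domains)
```

The thresholds are illustrative; on a server logging hundreds of these a day the domain spread, not the raw count, is the telling signal.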
18 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 13603391
If you look in the queues on your Exchange server - do you have a lot of email waiting to be sent out?

Simon.
0
 

Author Comment

by:jamie177
ID: 13604330
There were messages stacking up in the queues. In an effort to keep the queues cleaned out I lowered the delay notification and expiration timeout to 15 minutes. I know it's a band-aid and not the solution to the problem. Unfortunately I am not well versed in Exchange server management, so I had to do what I had to do to keep business flowing.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 13604389
OK.
I know you have been through my articles (I authored amset.info)... however, let's check a couple of things, as there are very few ways that you can open an Exchange server to relaying.

Have you got all authenticated relaying disabled?
Have you disabled ALL forms of relaying on SMTP? The common one is for people to allow relaying to their internal subnet which allows email coming from the firewall to be relayed as well.

Simon.
0
 

Author Comment

by:jamie177
ID: 13604524
Default SMTP Virtual Server --> Access Tab --> Relay Restrictions:
Only the list below (list is empty)
Unchecked: Allow All computers which successfully authenticate to relay
Grant or deny relay permissions to specific users or groups:  
Authenticated Users - Submit Permission
POP3 Relay(Security Group) - Submit & Relay Permission (Group is ready to use, but empty)

Are there any other area where relaying is granted/denied?

Thanks for helping me here Simon.

-Jamie
0
 
LVL 104

Expert Comment

by:Sembee
ID: 13604847
That's what it should be for the SMTP VS.
Any SMTP Connectors on this machine? How are they configured?

Simon.
0
 

Author Comment

by:jamie177
ID: 13607065
General Tab:
Use DNS to route to each address space on this connector
Local Bridgeheads: (local server name)
Do not allow public folder referrals: unchecked

Address Space:
type: SMTP - Address * - Cost 1
Connector scope: entire organization

No connected routing groups

Delivery Restrictions:
By default messages from everyone are:
Accepted messages from: (empty)
Reject messages from: (empty)

Delivery Options:
Specify when messages are sent through this connector.
Connection time: always run

Advanced:
Send HELO instead of EHLO (unchecked)
Do not send ETRN/TURN
Outbound Security: Anonymous access

Let me know if there's any additional info I can provide.

Regards,

Jamie
0
 
LVL 26

Expert Comment

by:Vahik
ID: 13610608
In your connector, do you have "Allow messages to be relayed to these domains" checked? If you do, this will allow relaying through your Exchange. Just take it out.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 13611832
Vahik has mentioned the location where you need to check. It is on the "Address Space" tab.

Simon.
0
 

Author Comment

by:jamie177
ID: 13612074
No, that check box is not checked. Any other place that I may have misconfigured which is allowing relaying? I'm totally stumped here.
0
 
LVL 26

Expert Comment

by:Vahik
ID: 13612453
This is strange... why don't you restart your server? I mean the Exchange server.
0
 

Author Comment

by:jamie177
ID: 13612498
The server has been rebooted several times while this problem has been present, but the 7004s persist... :( I'm almost to the point where I want to uninstall/reinstall Exchange 2003. The only problem with that is I have a lot of data in the companyweb that needs to be retained.

Any other ideas?
0
 

Author Comment

by:jamie177
ID: 13613718
Do the Advanced settings on the SMTP Connector have anything to do with it, specifically the outbound security:

Advanced:
Send HELO instead of EHLO (unchecked)
Do not send ETRN/TURN
Outbound Security: Anonymous access
0
 
LVL 26

Expert Comment

by:Vahik
ID: 13614067
No, those settings are right.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 13615397
Have you actually been through the process to flush the queues? What happens if you disconnect Exchange from the Internet and flush the queues? It takes a while - as I explain on my web site, ESM isn't very good at showing the true level of queues when there are a lot of messages to be processed. I am wondering if Exchange is still processing everything, and even though you have closed all the gaps, there are still messages being worked on.

Simon.
0
 

Author Comment

by:jamie177
ID: 13616103
I've actually taken an Ethereal capture while all of these settings are in place and seen the SMTP traffic exchanged with foreign servers. Here's an SMTP dialogue my server had with a remote host:

remote = server trying to relay
local = my exchange box


remote: 3630 > smtp [SYN] Seq=0 Ack=0
local:     smtp > 3630 [SYN, ACK] Seq=0 Ack=1
remote: 3630 > smtp [ACK] Seq=1 Ack=1           (classic 3-way handshake)
local:     Response: 220 hostname.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.21
remote: Command: HELO jdhouse.com
local:     Response: 250 hostname.com Hello [remote IP]
remote: [TCP Out-of-Order] Command: HELO jdhouse.com  (This is where it gets interesting.  Seq=1 Ack=121, Next Sequence number=19)
local:     smtp > 3630 [ACK]  Seq=169 Ack=19  (Is the out of order/sequence number jump odd or is it just me?)
remote: Command: MAIL FROM:<Helmut@jdhouse.com> seq=19, ack=169, next seq=51
local:     Response: 250 2.1.0 Helmut@jdhouse.com.....Sender Ok seq=169, ack=51, next seq=212
remote: Command: RCPT TO:<snyder@hostname.com>  (This looks like UCE coming to my server)
local:     Response: 250 2.1.5 snyder@hostname.com  (This user does not exist in my domain)
remote:  Command: DATA
local:     Response: 354 Start mail input; end with <CRLF>.<CRLF>
remote:  Message Body  (Garbage message with a story in it)
local:      smtp >3630 [Ack]
remote:  Message Body (more garbage)
local:      smtp >3630 [Ack]
remote:  EOM:
local:      Response: 250 2.6.0 <randomstring@hostname.com> Queued mail for delivery
remote:  Command: QUIT
then the session is torn down.

Next my server does a lookup on jdhouse.com and comes back with a different IP address than the remote host that sent the message. Someone relayed the message to my server as a user at jdhouse.com.

(okay, too much detail above, I'll be more concise)
Now my server starts an SMTP conversation with remote2 (the IP address that jdhouse.com resolves to)
and my postmaster sends a message to Helmut@jdhouse.com saying snyder@hostname.com does not exist.

I can't find the response from jdhouse.com, but I'm sure I then get a response saying Helmut@jdhouse.com does not exist which pitches a 7004 on my logs!

Ha! I think I put this all together while typing this response. I guess to stop the 7004 errors, I need my server to stop sending postmaster messages back to sender addresses listed as FROM in UCE messages to non-existent users on my domain. Does that make sense?

How would I do that?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 13616306
It looks like an NDR attack.

Try filtering out non-existent users.

http://www.amset.info/exchange/filterunknown.asp

See if that stops it.

Simon.
0
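An added example, not from the thread or from amset.info: a toy Python model of the two sessions the capture above describes, the inbound message for a user who does not exist and the NDR my server then sends to the forged sender, run once with unknown-recipient filtering off and once with it on. Server names, users and addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class MailServer:
    domain: str
    users: set
    filter_unknown_recipients: bool = False   # the "filter unknown users" setting
    queue: list = field(default_factory=list)  # outbound (sender, recipient, text)
    events: list = field(default_factory=list) # what would land in the event log

    def rcpt(self, address):
        """Reply to RCPT TO; without filtering, any local address is accepted here."""
        local, _, dom = address.partition('@')
        if dom.lower() != self.domain:
            return '550 5.7.1 Unable to relay'   # not our domain: no relaying
        if self.filter_unknown_recipients and local.lower() not in self.users:
            return '550 5.1.1 User unknown'
        return '250 2.1.5 ' + address

    def receive(self, mail_from, rcpt_to):
        """Inbound session: accept or reject, and queue an NDR if we accepted for nobody."""
        reply = self.rcpt(rcpt_to)
        if not reply.startswith('250'):
            return reply
        if rcpt_to.partition('@')[0].lower() not in self.users:
            # Message was accepted, no mailbox found: NDR goes to the (forged) sender
            self.queue.append(('postmaster@' + self.domain, mail_from,
                               f'Undeliverable: {rcpt_to} does not exist'))
        return reply

    def deliver_queue(self, resolve):
        """Outbound: a 5xx answer to our RCPT TO is what Exchange logs as event 7004."""
        for _sender, recipient, _text in self.queue:
            remote = resolve(recipient.partition('@')[2].lower())
            reply = remote.rcpt(recipient)
            if reply.startswith('5'):
                self.events.append(f'7004: {remote.domain} answered RCPT with "{reply}"')
        self.queue.clear()

def run_scenario(filter_unknown):
    """Forged-sender spam to a non-existent local user, then a queue flush."""
    local = MailServer('hostname.example', {'jamie'}, filter_unknown)
    remote = MailServer('jdhouse.example', {'postmaster'}, True)  # sender's real MX
    rcpt_reply = local.receive('helmut@jdhouse.example', 'snyder@hostname.example')
    local.deliver_queue({'jdhouse.example': remote}.__getitem__)
    return rcpt_reply, len(local.events)
```

Rejecting at RCPT TO does let a sender probe which addresses exist; Exchange 2003 SP2 adds SMTP tar pitting to slow such probing down.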
 

Author Comment

by:jamie177
ID: 13616354
Awesome! I put the settings in place. We'll let it cook for a while and see if the 7004s disappear. The last 7004 to hit the logs was 2 minutes ago.

I'll report back and hopefully close out the question!

Regards,

Jamie
0
 

Author Comment

by:jamie177
ID: 13623166
It's a done deal! No more 7004 errors. Thank you very much for your help Simon! It was an NDR attack and the settings on your website tightened things up on my Exchange server! This will be the first thing I look for now if I run across excessive 7004 errors in the future.

Regards,

Jamie
0
