
Exchange 2003 7004 Errors in event log

I have an Exchange 2003 server with SP1 installed on SBS 2003.  The server logs between 350 and 500 7004 errors a day.  Here is an example:

This is an SMTP protocol error log for virtual server ID 1, connection #5506. The remote host "195.186.18.144", responded to the SMTP command "rcpt" with "550 RCPT TO:<chousegs@bluewin.ch> User unknown ". The full command sent was "RCPT TO:<chousegs@bluewin.ch> ". This will probably cause the connection to fail. For more information, click http://www.microsoft.com/contentredirect.asp.

This looks an awful lot like my server is trying to relay UCE to other servers.  I've read the eventid.net entry for 7004:
http://www.eventid.net/display.asp?eventid=7004&eventno=3510&source=MSExchangeTransport&phase=1

I've been to amset.info:
http://www.amset.info/exchange/spam-cleanup.asp
http://www.amset.info/exchange/smtp-relaysecure.asp 
and followed all the steps listed yet I still get the 7004s.  

I have tested that I am not an open relay.
I have followed the steps to determine if an authenticated user account is being used to relay, which it is not.
I have removed the ability of authenticated users to relay unless they are in the POP3 Relay group (described in the second link above) which is currently empty.

My server is a standalone SBS 2003 domain behind a PIX 501.  I have "no fixup protocol smtp 25", access-list, and static statements in place to get the SMTP traffic to and from the server.

Legitimate email is flowing fine, but this has been going on for too long and I need to isolate this problem and resolve it before I get blacklisted.  Please help :)
Asked by: jamie177
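At this point the only evidence is the 7004 text itself, so the first triage step is to aggregate it. The script below is an added example (editor's code, not part of the original thread or of amset.info): it parses event 7004 descriptions in the format quoted above and counts them by reply code, remote host and recipient domain. The sample events are constructed (the first is the one from the question, the rest use documentation IP ranges and made-up mailboxes), and the EVENT_RE pattern is an assumption derived from that single sample. The direction matters: in a 7004 event the remote host is the one answering, so every event is a session this server opened. A stream of 550 "user unknown" replies across many unrelated domains means the server is sending to addresses that do not exist, which fits both relayed spam and NDRs to forged senders; the event alone cannot separate the two.

```python
"""Triage of MSExchangeTransport event 7004 text (editor's example, not from the
thread). Parses the event description and aggregates by reply code, remote host
and recipient domain."""
import re
from collections import Counter

# Constructed sample events in the format Exchange 2003 writes for event 7004.
# The first is the one quoted in the question; the rest use documentation IP
# ranges and made-up mailboxes.
SAMPLE_EVENTS = [
    'This is an SMTP protocol error log for virtual server ID 1, connection #5506. '
    'The remote host "195.186.18.144", responded to the SMTP command "rcpt" with '
    '"550 RCPT TO:<chousegs@bluewin.ch> User unknown ". The full command sent was '
    '"RCPT TO:<chousegs@bluewin.ch> ". This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #5507. '
    'The remote host "203.0.113.7", responded to the SMTP command "rcpt" with '
    '"550 5.1.1 <helmut@jdhouse.com>... User unknown ". The full command sent was '
    '"RCPT TO:<helmut@jdhouse.com> ". This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #5509. '
    'The remote host "203.0.113.7", responded to the SMTP command "rcpt" with '
    '"550 5.1.1 <karl@jdhouse.com>... User unknown ". The full command sent was '
    '"RCPT TO:<karl@jdhouse.com> ". This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #5512. '
    'The remote host "198.51.100.22", responded to the SMTP command "rcpt" with '
    '"553 sorry, that domain is not in my list of allowed rcpthosts ". The full command '
    'sent was "RCPT TO:<sales@example.net> ". This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #5520. '
    'The remote host "198.51.100.22", responded to the SMTP command "mail" with '
    '"450 4.7.1 Greylisted, try again later ". The full command sent was '
    '"MAIL FROM:<> ". This will probably cause the connection to fail.',
]

# Pattern written from the single sample in the question (an assumption about
# the format; check it against your own event text before trusting the counts).
EVENT_RE = re.compile(
    r'virtual server ID (?P<vs>\d+), connection #(?P<conn>\d+)\. '
    r'The remote host "(?P<host>[^"]+)", responded to the SMTP command '
    r'"(?P<cmd>[^"]+)" with "(?P<reply>[^"]*)"\. The full command sent was '
    r'"(?P<full>[^"]*)"'
)
RCPT_RE = re.compile(r'RCPT TO:<([^>]*)>', re.IGNORECASE)


def parse_7004(text):
    """Return the interesting fields of one 7004 description, or None if it does not match."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    reply = m.group("reply").strip()
    rcpt_m = RCPT_RE.search(m.group("full"))
    rcpt = rcpt_m.group(1) if rcpt_m else None
    return {
        "connection": int(m.group("conn")),
        "host": m.group("host"),
        "command": m.group("cmd").lower(),
        "code": int(reply[:3]) if reply[:3].isdigit() else None,
        "reply": reply,
        "recipient": rcpt,
        "domain": rcpt.rsplit("@", 1)[1].lower() if rcpt and "@" in rcpt else None,
    }


def is_user_unknown(p):
    """550 on RCPT whose text says the mailbox does not exist (5.1.1 or 'user unknown')."""
    return (p["command"] == "rcpt" and p["code"] == 550
            and ("5.1.1" in p["reply"] or "unknown" in p["reply"].lower()))


def summarize(event_texts):
    """Aggregate parsed events. Every 7004 is a session *this* server opened,
    so the remote hosts and recipient domains are where our mail is going."""
    parsed = [p for p in map(parse_7004, event_texts) if p]
    return {
        "total": len(parsed),
        "by_code": Counter(p["code"] for p in parsed),
        "by_host": Counter(p["host"] for p in parsed),
        "by_domain": Counter(p["domain"] for p in parsed if p["domain"]),
        "user_unknown": sum(1 for p in parsed if is_user_unknown(p)),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    print(f"{s['total']} events, {s['user_unknown']} of them 550 user-unknown on RCPT")
    print("by code:  ", dict(s["by_code"]))
    print("by host:  ", dict(s["by_host"]))
    print("by domain:", dict(s["by_domain"]))
```

On a real box, feed it the description text exported from the Application log (the Event Viewer "Save As" text export, or a WMI query of Win32_NTLogEvent for source MSExchangeTransport, event 7004). If the by_domain counts are spread thinly across hundreds of domains and most replies are 550 user-unknown, look at the outbound queues and at what is arriving inbound, as the thread goes on to do; the aggregation only tells you where the bounces are going, not why they exist.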
1 Solution
 
Sembee commented:
If you look in the queues on your Exchange server - do you have a lot of email waiting to be sent out?

Simon.
 
jamie177 (Author) commented:
There were messages stacking up in the queues.  In an effort to keep the queues cleaned out I lowered the delay notification and expiration timeout to 15 minutes.  I know it's a band-aid and not the solution to the problem.  Unfortunately I am not well versed in Exchange server management so I had to do what I had to do to keep business flowing.
 
Sembee commented:
Ok.
I know you have been through my articles (I authored amset.info)... however, let's check a couple of things, as there are very few ways that you can open an Exchange server to relaying.

Have you got all authenticated relaying disabled?
Have you disabled ALL forms of relaying on SMTP? The common one is for people to allow relaying to their internal subnet which allows email coming from the firewall to be relayed as well.

Simon.
 
jamie177 (Author) commented:
Default SMTP Virtual Server --> Access Tab --> Relay Restrictions:
Only the list below (list is empty)
Unchecked: Allow All computers which successfully authenticate to relay
Grant or deny relay permissions to specific users or groups:  
Authenticated Users - Submit Permission
POP3 Relay(Security Group) - Submit & Relay Permission (Group is ready to use, but empty)

Are there any other area where relaying is granted/denied?

Thanks for helping me here Simon.

-Jamie
 
Sembee commented:
That's what it should be for the SMTP VS.
Any SMTP Connectors on this machine? How are they configured?

Simon.
 
jamie177 (Author) commented:
General Tab:
Use DNS to route to each address space on this connector
Local Bridgeheads: (local server name)
Do not allow public folder referrals: unchecked

Address Space:
type: SMTP - Address * - Cost 1
Connector scope: entire organization

No connected routing groups

Delivery Restrictions:
By default messages from everyone are:
Accepted messages from: (empty)
Reject messages from: (empty)

Delivery Options:
Specify when messages are sent through this connector.
Connection time: always run

Advanced:
Send HELO instead of EHLO (unchecked)
Do not send ETRN/TURN
Outbound Security: Anonymous access

Let me know if there's any additional info I can provide.

Regards,

Jamie
 
Vahik commented:
In your connector, do you have "allow messages to be relayed to these domains" checked? If you do, this will allow relaying through your Exchange. Just take it out.
 
Sembee commented:
Vahik has mentioned the location where you need to check. It is on the "Address Space" tab.

Simon.
 
jamie177 (Author) commented:
No, that check box is not checked.  Any other place that I may have misconfigured which is allowing relaying?  I'm totally stumped here.
 
Vahik commented:
This is strange. Why don't you restart your server... I mean the Exchange server.
 
jamie177 (Author) commented:
The server has been rebooted several times while this problem has been present, but the 7004s persist... :(  I'm almost to the point where I want to uninstall/reinstall Exchange 2003.  The only problem with that is I have a lot of data in the companyweb that needs to be retained.

Any other ideas?
 
jamie177 (Author) commented:
Do the Advanced settings on the SMTP Connector have anything to do with it, specifically the outbound security:

Advanced:
Send HELO instead of EHLO (unchecked)
Do not send ETRN/TURN
Outbound Security: Anonymous access
 
Vahik commented:
No, those settings are right.
 
Sembee commented:
Have you actually been through the process to flush the queues? What happens if you disconnect Exchange from the Internet and flush the queues? It takes a while - as I explain on my web site, ESM isn't very good at showing the true level of queues when there are a lot of messages to be processed. I am wondering if Exchange is still processing everything, and even though you have closed all the gaps, there are still messages being worked on.

Simon.
 
jamie177 (Author) commented:
I've actually taken an Ethereal capture while all of these settings are in place and seen the SMTP traffic exchanged with foreign servers.    Here's an SMTP dialogue my server had with a remote host:

remote = server trying to relay
local = my exchange box


remote: 3630 > smtp [SYN] Seq=0 Ack=0
local:  smtp > 3630 [SYN, ACK] Seq=0 Ack=1
remote: 3630 > smtp [ACK] Seq=1 Ack=1           (classic 3-way handshake)
local:  Response: 220 hostname.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.21
remote: Command: HELO jdhouse.com
local:  Response: 250 hostname.com Hello [remote IP]
remote: [TCP Out-of-Order] Command: HELO jdhouse.com  (This is where it gets interesting.  Seq=1 Ack=121, next sequence number=19)
local:  smtp > 3630 [ACK] Seq=169 Ack=19  (Is the out-of-order/sequence number jump odd, or is it just me?)
remote: Command: MAIL FROM:<Helmut@jdhouse.com>  Seq=19, Ack=169, next Seq=51
local:  Response: 250 2.1.0 Helmut@jdhouse.com.....Sender Ok  Seq=169, Ack=51, next Seq=212
remote: Command: RCPT TO:<snyder@hostname.com>  (This looks like UCE coming to my server)
local:  Response: 250 2.1.5 snyder@hostname.com  (This user does not exist in my domain)
remote: Command: DATA
local:  Response: 354 Start mail input; end with <CRLF>.<CRLF>
remote: Message body  (garbage message with a story in it)
local:  smtp > 3630 [ACK]
remote: Message body  (more garbage)
local:  smtp > 3630 [ACK]
remote: EOM
local:  Response: 250 2.6.0 <randomstring@hostname.com> Queued mail for delivery
remote: Command: QUIT
then the session is torn down.

Next my server does a lookup on jdhouse.com and comes back with a different IP address than the remote host that sent the message.  Someone relayed the message to my server as a user at jdhouse.com.

(okay, too much detail above, I'll be more concise)
now my server starts an smtp conversation with remote2 (ip address that jdhouse resolves to)
and my postmaster sends a message to Helmut@jdhouse.com saying snyder@hostname.com does not exist.

I can't find the response from jdhouse.com, but I'm sure I then get a response saying Helmut@jdhouse.com does not exist which pitches a 7004 on my logs!

Ha! I think I put this all together while typing this response.  I guess to stop the 7004 errors, I need my server to stop sending postmaster messages back to sender addresses listed as FROM in UCE messages to non-existent users on my domain.  Does that make sense?  

How would I do that?
 
Sembee commented:
It looks like an NDR attack.

Try filtering out non-existent users.

http://www.amset.info/exchange/filterunknown.asp

See if that stops it.

Simon.
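What the capture and Simon's answer describe, as a runnable model added here (editor's example, not Exchange code and not from amset.info): a toy SMTP receiver with the two recipient policies side by side. With reject_unknown=False it behaves like the capture: RCPT TO for a mailbox that does not exist gets 250 2.1.5, the message is accepted, and the only way left to report the failure is an NDR to the unverified MAIL FROM, which is the outbound session that later gets 550 from jdhouse.com and logs the 7004. With reject_unknown=True (what Exchange 2003 SP1 recipient filtering does once the filter is applied on the SMTP virtual server) the same client session gets 550 5.1.1 at RCPT and nothing is accepted, so there is nothing to bounce. The local domain, mailbox list and session script are constructed.

```python
"""Toy model of an SMTP receiver with two recipient policies (editor's example,
not Exchange code). Shows why accepting unknown recipients turns forged spam
into outbound NDRs, and why rejecting at RCPT TO stops that at the source."""

# Constructed: the local domain and the mailboxes that actually exist on it.
LOCAL_DOMAIN = "hostname.com"
LOCAL_MAILBOXES = {"postmaster@hostname.com", "jamie@hostname.com"}


def _addr(arg):
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>'; '' for the null path <>."""
    start, end = arg.find("<"), arg.find(">")
    return arg[start + 1:end] if 0 <= start < end else arg.split(":", 1)[-1].strip()


class SmtpReceiverModel:
    """Minimal SMTP receive state machine with a switchable recipient policy."""

    def __init__(self, reject_unknown):
        self.reject_unknown = reject_unknown   # True = Exchange 2003 SP1 recipient filtering
        self.in_data = False
        self.accepted = []   # (sender, recipients, body) handed to the store/queue
        self.ndrs = []       # (envelope_from, envelope_to, reason) the server would send out
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpts = []      # (address, mailbox_exists)
        self.body = []

    def handle(self, line):
        """Feed one client line; return the server reply, or None inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._end_of_data()
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {LOCAL_DOMAIN} Hello [{arg or 'unknown'}]"
        if verb == "MAIL":
            self.mail_from = _addr(arg)
            return f"250 2.1.0 {self.mail_from or '<>'}....Sender OK"
        if verb == "RCPT":
            addr = _addr(arg)
            exists = addr.lower() in LOCAL_MAILBOXES
            if not exists and self.reject_unknown:
                return "550 5.1.1 User unknown"          # refused now, nothing to bounce later
            self.rcpts.append((addr, exists))
            return f"250 2.1.5 {addr}"                   # what the capture shows
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.2 Need Rcpt command"
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return f"221 2.0.0 {LOCAL_DOMAIN} Service closing transmission channel"
        return "500 5.3.3 Unrecognized command"

    def _end_of_data(self):
        sender = self.mail_from
        deliverable = [a for a, ok in self.rcpts if ok]
        unknown = [a for a, ok in self.rcpts if not ok]
        if deliverable:
            self.accepted.append((sender, deliverable, list(self.body)))
        # The unknown recipients were accepted at RCPT, so the only way left to
        # report them is a bounce to the unverified (here forged) MAIL FROM.
        # The NDR itself goes out from <> so it can never be bounced in turn,
        # and a message that came from <> is never bounced at all (RFC 5321).
        if unknown and sender:
            self.ndrs.append(("<>", sender, "user unknown: " + ", ".join(unknown)))
        self._reset_envelope()
        return "250 2.6.0 Queued mail for delivery"


def run_session(reject_unknown, client_lines):
    """Run a scripted client session; return (replies, ndrs_generated, accepted)."""
    srv = SmtpReceiverModel(reject_unknown)
    replies = [r for r in (srv.handle(l) for l in client_lines) if r is not None]
    return replies, srv.ndrs, srv.accepted


# Constructed session modelled on the capture in the thread: forged sender,
# recipient that does not exist on the local server.
SPAM_SESSION = [
    "HELO jdhouse.com",
    "MAIL FROM:<Helmut@jdhouse.com>",
    "RCPT TO:<snyder@hostname.com>",
    "DATA",
    "Subject: a story", "", "garbage body", ".",
    "QUIT",
]

if __name__ == "__main__":
    for policy in (False, True):
        replies, ndrs, _ = run_session(policy, SPAM_SESSION)
        print(f"reject_unknown={policy}: RCPT reply {replies[2]!r}, NDRs queued: {ndrs}")
```

In the reject run the scripted client keeps talking after the 550, so DATA is refused with 503 because no recipient was accepted, which is what a real server does too; a well-behaved client would QUIT. Two caveats worth weighing before switching the filter on: rejecting at RCPT tells any remote client which mailboxes exist, so pair recipient filtering with the SMTP tarpit (the TarpitTime registry value described in Microsoft KB 842851 for Windows Server 2003 SP1) to slow directory-harvest attempts; and the filter only helps on the virtual server that talks to the Internet directly, which is the case here since the PIX just forwards port 25.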
 
jamie177 (Author) commented:
Awesome!  I put the settings in place.  We'll let it cook for a while and see if the 7004s disappear.  The last 7004 to hit the logs was 2 minutes ago.  

I'll report back and hopefully close out the question!

Regards,

Jamie
 
jamie177 (Author) commented:
It's a done deal!  No more 7004 errors.  Thank you very much for your help Simon!  It was an NDR attack and the settings on your website tightened things up on my Exchange server!  This will be the first thing I look for now if I run across excessive 7004 errors in the future.

Regards,

Jamie
