syedavalli

asked on

MSExchangeIS Event ID 9667 Failed to create a new named property for database

How do I resolve this error in MS Exchange 2003? There are some articles that say this could be a possible DoS attack. The following is from the Event log.

Failed to create a new named property for database "First Storage Group\Mailbox Store (email Server name)" because the number of named properties reached the quota limit (8192).
 User attempting to create the named property: "SYSTEM"
 Named property GUID: 00020386-0000-0000-c000-000000000046
 Named property name/id: "X-Saloon"

Who is trying to create what? And what is X-Saloon?

ASKER CERTIFIED SOLUTION
Sembee
syedavalli

ASKER

Yes, I did see this article. It really didn't give me any insight as to the root cause of how this all occurred though. I'm first trying to understand how something like this could happen, and then go from there. What MS has posted is a temporary fix. Any idea as to how this specific vulnerability is exploited and whether this is a DoS attack at all? As a side note, I have just recently activated MS Exchange ActiveSync to allow access to mobile devices.

Understandably the amount of information on this flaw is limited. Microsoft don't want to make this kind of information public. The best I can gather is that it uses a large number of X-headers in the email message. X-headers have a legitimate use in email systems and are used to flag messages often for some other application to be able to read and deal with the message. Look at email messages from any of the large emailers (CNET for example) and you will see X-headers.

Whether it is an attack or not is debatable. It may also be a misconfigured email message or SMTP server that is looping a certain property. I haven't physically seen it before and it isn't that common.

Microsoft are the best people to ask about this... the article is fairly new and they may well be working on something.

Simon.

I just started to receive this error on my system. It appears that custom X-headers are added as properties to each store on the server. Microsoft explains what it is doing here:

http://technet.microsoft.com/en-us/library/bb851492.aspx
Looks like you have to create a new datastore, move all the data, recreate the old one, then move it all back to fix it...
They then link to Event ID: 9667 here:
http://technet.microsoft.com/en-us/library/bb851495.aspx
Sounds like there are only 8192 entries available for unauthenticated users, but there is a hard limit of 32,766, which means that you would have to generate a lot of internal custom X-headers before your datastore just dies. We're a company with only 60 users, so we probably aren't in that situation, whereas an ISP could have serious issues if they authenticate users for sending mail.
With all the spam out there putting in their own X-headers, I think Microsoft should address the issue, before everyone's server has this problem. I'm seeing a lot of these headers coming in and getting rejected.
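
As an added illustration (not part of the original thread and not Microsoft's tooling), the sketch below inventories distinct X-header names across a set of raw messages, attributes newly seen names to their senders, and relates the total to the 8192 quota quoted in the event text. The sample messages, the per-message alert threshold of 50, and the case-insensitive comparison of header names are assumptions.

```python
from collections import Counter
from email import message_from_string

QUOTA = 8192  # named-property quota quoted in Event ID 9667 on this page

# Constructed sample messages (not real traffic).
SAMPLES = [
    "From: news@example.com\nX-Mailer: ListTool\nX-Campaign: 42\nSubject: a\n\nbody",
    "From: news@example.com\nX-Mailer: ListTool\nSubject: b\n\nbody",
    "From: bulk@example.net\n"
    + "".join(f"X-Rnd-{i:04d}: 1\n" for i in range(300))
    + "Subject: c\n\nbody",
]

def x_header_names(raw):
    """Return the distinct X- header names in one raw message.
    Names are lower-cased for comparison (assumption of this sketch)."""
    msg = message_from_string(raw)
    return {n.lower() for n in msg.keys() if n.lower().startswith("x-")}

def inventory(raw_messages, per_message_alert=50):
    """Track never-before-seen X- names per sender and flag any single
    message that introduces at least per_message_alert new names."""
    seen = set()
    new_by_sender = Counter()
    alerts = []
    for idx, raw in enumerate(raw_messages):
        sender = message_from_string(raw).get("From", "<unknown>")
        fresh = x_header_names(raw) - seen
        seen |= fresh
        new_by_sender[sender] += len(fresh)
        if len(fresh) >= per_message_alert:
            alerts.append((idx, sender, len(fresh)))
    return seen, new_by_sender, alerts

def quota_used(seen, quota=QUOTA):
    """Fraction of the quota these names alone would consume. This is an
    estimate from mail headers, not a reading of the store's own table."""
    return len(seen) / quota

if __name__ == "__main__":
    seen, by_sender, alerts = inventory(SAMPLES)
    print(f"{len(seen)} distinct X- names, {quota_used(seen):.1%} of {QUOTA}")
    for sender, n in by_sender.most_common():
        print(f"{n:5d} new names from {sender}")
    for idx, sender, n in alerts:
        print(f"ALERT: message {idx} from {sender} introduced {n} new names")
```

Run over archived or quarantined messages, the per-sender counts show whether new names trickle in from many ordinary mailers or arrive in bulk from one source, which is the distinction the thread is trying to draw between routine mail and a message built to exhaust the quota.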
 
Does anyone know where the information for 2003 went?  This URL doesn't work any more.  http://support.microsoft.com/default.aspx?kbid=820379  I found it referenced in a technet article but the link there didn't work either.