tccfadmin

asked:

Event ID 3018 flooding event log

Every 5-15 minutes or so my application log is flooded with this error, or ones with email addresses just like it.


Type:            Error
Date:            6/14/2006
Time:            4:24:32 PM
Event:            3018
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;jnt4q3108gptq@mail.workgroup.godebtfree.com (Message-ID <MAIL2KgFaRrTr8zo6uA00003bda@MAIL2.workgroup.godebtfree.com>).

Causes: This message indicates a DNS problem or an IP address configuration problem
 
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
For more information, click http://www.microsoft.com/contentredirect.asp.

I have enabled filtering of recipients not in the directory in ESM and applied it on the SMTP virtual server. I am also running InterScan Message Security for spam and such. Don't know if that would be causing the problem, but I doubt it. I also made sure my server is not open to relay. Someone help :)

I also ran a virus scan and found no virus infections, and I disabled "allow authenticated users to relay" regardless.

rob
mkumar23

Check your SMTP queue to see if there are some messages stuck there.
ppuro
What anti-virus are you using? Check whether port 25 is blocked by the anti-virus or not. We can also try disabling the anti-virus.
Did you enable tarpit as well?
http://support.microsoft.com/default.aspx?kbid=842851

Just enabling recipient filtering can make the problem worse if you don't enable tarpit.

It looks like an NDR attack, but you may have caught it with recipient filtering.

Simon.
tccfadmin (asker)

After enabling recipient filtering I am also getting random event IDs 3008 and 3015. I have disabled anti-virus temporarily to see if that is causing the problem. If not, I will enable tarpitting and then repost.
After enabling tarpitting, the problem seems to be reduced quite a bit. I am only getting a few per hour now. Here are the last two NDRs I got.

Type:            Error
Date:            6/15/2006
Time:            11:50:15 AM
Event:            3018
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;xyleena@libraryassociates.c (Message-ID <MAIL2Geq3v7dqeCWJy800000048@MAIL2.workgroup.godebtfree.com>).

Causes: This message indicates a DNS problem or an IP address configuration problem
 
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
For more information, click http://www.microsoft.com/contentredirect.asp.


Type:            Error
Date:            6/15/2006
Time:            11:51:11 AM
Event:            3008
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.0.0 was generated for recipient rfc822;BLANCA@pEOPLE.COM (Message-ID  <245301c69093$82f9a970$8532210a@workgroup.godebtfree.com>).

Cause: This indicates a permanent failure. Possible causes:
1) No route is defined for a given address space. For example, an SMTP connector is configured, but this recipient address does not match the address spaces for which it routes mail.
2) Domain Name Server (DNS) returned an authoritative host not found for the domain.
3) The routing group does not have a connector defined - mail from one server in the routing group has no way to get to another routing group.
 
Solution: Verify that this error is not caused by a DNS lookup problem, and then check the address spaces configured on your SMTP connectors. If you are delivering Internet mail through an SMTP connector, consider adding an address space of type SMTP with value "*" (an asterisk) to one of the SMTP connectors to make routing possible.
Verify all routing groups are connected to each other through a routing group connector or another connector.

Should I just consider these to be normal errors now that there are currently only a few coming in, or is there something else I need to do to stop these?
It may take a while for the queues to clear themselves out. Also, you will get these sorts of messages normally, as your users make errors in email addresses.

Simon.
Thanks for all your help, Sembee. The problem is better, but for some reason I feel something is still not right. Here, look at this.

Type:            Error
Date:            6/15/2006
Time:            2:41:26 PM
Event:            3018
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;stefaniakirkendal@35e.rjf.com (Message-ID <MAIL2xOhl0vQ73OX2LM0000015b@MAIL2.workgroup.godebtfree.com>).

Causes: This message indicates a DNS problem or an IP address configuration problem
 
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
For more information, click http://www.microsoft.com/contentredirect.asp.

Are these ndr's for outgoing emails or incoming?
As I said earlier, it will take a while for the messages to be flushed out of the queues. With the changes that you have made, leave it at least 48 hours before you start getting concerned. SMTP messages start to time out after 48 hours. If the server is being targeted then you will notice it in the queues.

Simon.
> set type-mx
> set type=mx
> mail.workgroup.godebtfree.com


godebtfree.com
        primary name server = dns01.savvis.net
        responsible mail addr = dns.savvis.net.godebtfree.com
        serial  = 2005032400
        refresh = 3600 (1 hour)
        retry   = 1800 (30 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)


The MX records for this domain are not proper. The mail will never be sent. We need to find out who in your network is sending the emails. It might be a virus. You must be getting a queue for this domain in the ESM. The point is how these emails have been sent from your domain, and the following may be a good reason for this.

Somebody is spamming your domain (let's say xyz.com is your domain):
somebody sends a mail to abc@xyz.com.
Now your Exchange server checks the AD and finds no user with this name. So what it tries to do is send an NDR to the sender, and it fails in that. You get a message in Event Viewer. Try disabling NDRs on your server for some time.

Let me know if it helps.
Thanks for the help on the last question; it worked perfectly. Now this one. Just to give you an update, the errors have reduced a lot thanks to recipient filtering and tarpit, but I'm still getting them and I know something is up. I checked my message queues and of course I have like 2 with 20 messages or so, all from my postmaster trying to send out failed delivery or whatever. What's the best way to get rid of this?
Well, I am running out of time. Got to go home and cook some food. Will get back to you tomorrow; I will get you the way to take care of this. Sorry for now :)

Cheers..
Thank you very much.
For clearing the queues you have a couple of options.
You could just leave them to timeout - 48 hours later they will be gone.
Otherwise I have some cleanup techniques on my web site: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
OK, the problem has gotten really bad again with these 3018, 3015, 3008 errors. I have tarpitting on, recipient filtering on; what else can I do? The NDRs are flooding in worse than before.
I also now have a queue with over 340 messages in it, all with bad address verification responses. If I have recipient filtering on, why are these messages even being generated?

Did you try disabling anti-virus?
Yeah, tried that. This is just getting annoying now :) I don't know what else I can do to make this stop. Something must be getting missed here. I'm getting NDRs like 7 or 8 a minute now, all failures.
Now I'm getting NDRs from my own domain. Something bad is going on here. I turned off non-delivery reports; it still continues to send them out.


Type:            Error
Date:            6/20/2006
Time:            2:50:44 PM
Event:            3018
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;t5-41q65349olg@mail.workgroup.godebtfree.com (Message-ID <MAIL2E5aHaZVrDs9aAO0000029f@MAIL2.workgroup.godebtfree.com>).

Causes: This message indicates a DNS problem or an IP address configuration problem
 
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
For more information, click http://www.microsoft.com/contentredirect.asp.

Those are NDRs that are being generated by the original message. You can't do anything about those. What you need to look at is the source of the message.

You have recipient filtering enabled?
You have tarpit enabled?
Have you restarted the SMTP service since those were enabled?

Have you reviewed your SMTP relaying settings to ensure that you aren't an open relay? http://www.amset.info/exchange/smtp-openrelay.asp

That includes authenticated relaying?
Have you changed your administrator password?

Simon.
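As an added example, not part of the thread and not any poster's code: the Python below parses pasted MSExchangeTransport NDR events (3008/3015/3018) and pulls out the signals the questions above are probing for, so a backscatter/NDR attack can be told apart from ordinary user typos without reading the events one at a time. It tags NDRs addressed back into your own domain (the undeliverable original claimed a sender in your namespace, which is what an NDR attack looks like from the event log), recipients whose local part looks machine-generated, the 5.4.0 versus 5.0.0 failure class, and the peak number of NDRs per minute. The domain name is the one in the thread's events; the sample records, their timestamps, and the thresholds (10-character local parts, a one-minute window) are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (added example): the records copy the field layout of the
# events quoted in the thread, but the timestamps and the mix of recipients are
# made up so that the rate and classification checks below have something to flag.
SAMPLE_EVENTS = """\
Date:            6/20/2006
Time:            2:50:44 PM
Event:            3018
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;t5-41q65349olg@mail.workgroup.godebtfree.com (Message-ID <MAIL2E5aHaZVrDs9aAO0000029f@MAIL2.workgroup.godebtfree.com>).

Date:            6/20/2006
Time:            2:50:58 PM
Event:            3018
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;jnt4q3108gptq@mail.workgroup.godebtfree.com (Message-ID <MAIL2KgFaRrTr8zo6uA00003bda@MAIL2.workgroup.godebtfree.com>).

Date:            6/20/2006
Time:            2:51:11 PM
Event:            3008
Description:
A non-delivery report with a status code of 5.0.0 was generated for recipient rfc822;BLANCA@pEOPLE.COM (Message-ID  <245301c69093$82f9a970$8532210a@workgroup.godebtfree.com>).

Date:            6/20/2006
Time:            3:15:02 PM
Event:            3018
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;xyleena@libraryassociates.c (Message-ID <MAIL2Geq3v7dqeCWJy800000048@MAIL2.workgroup.godebtfree.com>).
"""

# One NDR event: timestamp, event ID, then status code / recipient / Message-ID from
# the Description. The lazy ".*?" is safe as long as every record has that Description.
RECORD_RE = re.compile(
    r"Date:\s*(?P<date>\S+)\s*Time:\s*(?P<time>\d+:\d+:\d+ [AP]M)\s*"
    r"Event:\s*(?P<id>\d+).*?"
    r"status code of (?P<status>\d\.\d\.\d) was generated for recipient "
    r"rfc822;(?P<rcpt>\S+)\s*\(Message-ID\s*(?P<msgid><[^>]+>)\)",
    re.DOTALL,
)

# Heuristic (assumed threshold): a local part of 10+ characters mixing letters and
# digits, like "t5-41q65349olg", is a generated address rather than a user's typo.
RANDOM_LOCAL_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9._-]{10,}$", re.IGNORECASE)

def parse_events(text):
    """Return one dict per NDR event found in pasted event-log text."""
    events = []
    for m in RECORD_RE.finditer(text):
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        local, _, domain = m["rcpt"].rpartition("@")
        events.append({"when": when, "event_id": int(m["id"]), "status": m["status"],
                       "local": local, "domain": domain.lower(), "msgid": m["msgid"]})
    return events

def classify(ev, own_domain):
    """Tags that separate a dictionary/NDR (backscatter) attack from ordinary typos."""
    tags = []
    own = own_domain.lower()
    if ev["domain"] == own or ev["domain"].endswith("." + own):
        # The NDR is addressed back into our own namespace: the undeliverable
        # original claimed a sender in our domain, i.e. a forged envelope sender.
        tags.append("ndr-to-own-domain")
    if RANDOM_LOCAL_RE.match(ev["local"]):
        tags.append("random-localpart")
    if ev["status"] == "5.4.0":
        tags.append("dns-or-routing")  # NDR destination could not be resolved or routed
    elif ev["status"] == "5.0.0":
        tags.append("no-route")        # no connector/address space covers the destination
    return tags

def peak_rate(events, window=timedelta(minutes=1)):
    """Largest number of NDR events falling inside any sliding window."""
    times = sorted(ev["when"] for ev in events)
    peak = start = 0
    for i, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        peak = max(peak, i - start + 1)
    return peak

def summarize(events, own_domain):
    """Counts by tag and by NDR destination domain, plus the per-minute peak."""
    by_tag, by_domain = Counter(), Counter()
    for ev in events:
        by_tag.update(classify(ev, own_domain))
        by_domain[ev["domain"]] += 1
    return {"total": len(events), "by_tag": by_tag,
            "by_domain": by_domain, "peak_per_minute": peak_rate(events)}

if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_EVENTS), "workgroup.godebtfree.com")
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Paste the text of the events into SAMPLE_EVENTS (or read it from a file) and run the script; a run of "ndr-to-own-domain" plus "random-localpart" tags at several per minute is the attack pattern, while a lone "dns-or-routing" on a misspelled domain such as libraryassociates.c is the user-typo case Simon describes as normal.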
ASKER CERTIFIED SOLUTION
ansh_gupta

This solution is only available to members.
Disabling NDRs doesn't really deal with the problem. It just masks the issue and could cause you to lose some important email.

Your biggest client has just made a misspelling on an email address that is asking about a 2 million dollar contract.
You never get it.
The client doesn't know he made a mistake because there is no NDR.

What do I care - tccfadmin - you are the first person to go on to my blacklist. Well done.

Simon.
Simon,

Not trying to piss you off. For whatever reason, recipient filtering and tarpitting were not stopping the reverse NDR attack. If I leave them off for some time, eventually these guys are bound to stop. I think blacklisting me is a little extreme. I apologize if you feel offended.

rob
I felt offended because despite putting in a lot of work you gave me ZERO points.
Now - I don't need the points, but it shows no appreciation for the work that I carried out trying to assist you.

We are all volunteers here, I don't get paid for the time and effort I put in to the site. As such the points system is the only way to show appreciation for the work carried out. Why should I help you again if you aren't going to appreciate my efforts?

There is obviously something else wrong with the system, as recipient filtering and tarpit do work. Tarpit doesn't actually do anything other than protect the server.

Simon.
Whoa, I am so sorry. I had no idea I could give out points to different people. I apologize.