Solved

Event ID 3018 flooding event log

Posted on 2006-06-14
Last Modified: 2008-01-09
Every 5-15 minutes or so my application log is flooded with this error, or ones with email addresses just like it.


Type:            Error
Date:            6/14/2006
Time:            4:24:32 PM
Event:            3018
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;jnt4q3108gptq@mail.workgroup.godebtfree.com (Message-ID <MAIL2KgFaRrTr8zo6uA00003bda@MAIL2.workgroup.godebtfree.com>).

Causes: This message indicates a DNS problem or an IP address configuration problem
 
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
For more information, click http://www.microsoft.com/contentredirect.asp.

I have enabled filtering on recipients not in the directory in ESM and applied it on the SMTP virtual server. I am also running InterScan Message Security for spam and such. Don't know if that would be causing the problem, but I doubt it. I also made sure my server is not open to relay. Someone help :)

I also ran a virus scan and found no virus infections, and I disabled "allow authenticated users to relay" regardless.

rob
Question by:tccfadmin
 
LVL 4

Expert Comment

by:mkumar23
ID: 16907486
Check your SMTP queue, in case there are some messages stuck there.
LVL 3

Expert Comment

by:ppuro
ID: 16907700
What anti-virus are you using? Check whether port 25 is blocked by the anti-virus or not. We can also try disabling the anti-virus.
LVL 104

Expert Comment

by:Sembee
ID: 16907983
Did you enable tarpit as well?
http://support.microsoft.com/default.aspx?kbid=842851

Just enabling recipient filtering can make the problem worse if you don't enable tarpit.

It looks like an NDR attack, but you may have caught it with recipient filtering.

Simon.
LVL 1

Author Comment

by:tccfadmin
ID: 16911679
After enabling recipient filtering I am also getting random event IDs 3008 and 3015. I have disabled anti-virus temporarily to see if that is causing the problem. If not, I will enable tar pitting and then repost.
LVL 1

Author Comment

by:tccfadmin
ID: 16912854
After enabling tar pitting the problem seems to be reduced quite a bit. I am only getting a few per hour now. Here are the last two NDRs I got.

Type:            Error
Date:            6/15/2006
Time:            11:50:15 AM
Event:            3018
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;xyleena@libraryassociates.c (Message-ID <MAIL2Geq3v7dqeCWJy800000048@MAIL2.workgroup.godebtfree.com>).

Causes: This message indicates a DNS problem or an IP address configuration problem
 
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
For more information, click http://www.microsoft.com/contentredirect.asp.


Type:            Error
Date:            6/15/2006
Time:            11:51:11 AM
Event:            3008
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.0.0 was generated for recipient rfc822;BLANCA@pEOPLE.COM (Message-ID  <245301c69093$82f9a970$8532210a@workgroup.godebtfree.com>).

Cause:  This indicates a permanent failure. Possible causes :
1)No route is defined for a given address space. For example, an SMTP connector is configured, but this recipient address does not match the address spaces for which it routes mail.
2)Domain Name Server (DNS) returned an authoritative host not found for the domain.
3)The routing group does not have a connector defined - mail from one server in the routing group has no way to get to another routing group.
 
Solution: Verify that this error is not caused by a DNS lookup problem, and then check the address spaces configured on your STMP connectors. If you are delivering Internet mail through an SMTP connector,  consider adding an address space of type SMTP with value "*" (an asterisk) to one of the SMTP connectors to make routing possible.
Verify all routing groups are connected to each other through a routing group connector or another connector.

Should I just consider these to be normal errors now that there are currently only a few coming in, or is there something else I need to do to stop these?
LVL 104

Expert Comment

by:Sembee
ID: 16913609
It may take a while for the queues to clear themselves out. Also you will get these sorts of messages normally, as your users make errors in the email addresses.

Simon.
LVL 1

Author Comment

by:tccfadmin
ID: 16914299
Thanks for all your help, Sembee. The problem is better, but for some reason I feel something is still not right. Here, look at this.

Type:            Error
Date:            6/15/2006
Time:            2:41:26 PM
Event:            3018
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;stefaniakirkendal@35e.rjf.com (Message-ID <MAIL2xOhl0vQ73OX2LM0000015b@MAIL2.workgroup.godebtfree.com>).

Causes: This message indicates a DNS problem or an IP address configuration problem
 
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
For more information, click http://www.microsoft.com/contentredirect.asp.

Are these NDRs for outgoing emails or incoming?
LVL 104

Expert Comment

by:Sembee
ID: 16914590
As I said earlier, it will take a while for the messages to be flushed out of the queues. With the changes that you have made, leave it at least 48 hours before you start getting concerned. SMTP messages start to time out after 48 hours. If the server is being targeted then you will notice in the queues.

Simon.
LVL 4

Expert Comment

by:ansh_gupta
ID: 16920493
> set type-mx
> set type=mx
> mail.workgroup.godebtfree.com


godebtfree.com
        primary name server = dns01.savvis.net
        responsible mail addr = dns.savvis.net.godebtfree.com
        serial  = 2005032400
        refresh = 3600 (1 hour)
        retry   = 1800 (30 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)


The MX records for this domain are not proper. The mail will never be sent. We need to find out who in your network is sending the emails. It might be a virus. You must be getting a queue for this domain in the ESM. The point is how these emails have been sent from your domain. And the following may be a good reason for this.

Somebody is spamming your domain (let's say xyz.com is your domain).
Somebody sends a mail to abc@xyz.com.
Now your Exchange server checks the AD and finds no such user is there with this name. So what it tries to do is to send an NDR to the sender, and it fails in that. You get a message in Event Viewer. Try disabling NDR on your server for some time.

Let me know if it helps
0
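A triage helper of the kind a defender might run over exported 3008/3015/3018 event text to tell backscatter (NDRs to machine-generated addresses, arriving in bursts) from ordinary user typos. This is added example code, not from the thread; the sample records, the example.com domain and the digit-ratio heuristic are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records in the layout of the MSExchangeTransport 3018/3008
# events quoted in the thread (addresses, domain and Message-IDs are made up).
SAMPLE_LOG = """\
Date: 6/20/2006
Time: 2:50:44 PM
Event: 3018
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;t5-41q65349olg@mail.example.com (Message-ID <a1@MAIL2.example.com>).

Date: 6/20/2006
Time: 2:50:51 PM
Event: 3008
A non-delivery report with a status code of 5.0.0 was generated for recipient rfc822;jnt4q3108gptq@mail.example.com (Message-ID <a2@MAIL2.example.com>).

Date: 6/20/2006
Time: 2:53:10 PM
Event: 3018
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;xyleena@libraryassociates.c (Message-ID <a3@MAIL2.example.com>).
"""

RECORD_RE = re.compile(
    r"Date:\s*(?P<date>\S+)\s+Time:\s*(?P<time>[\d:]+ [AP]M)\s+Event:\s*(?P<event>\d+)"
    r".*?status code of (?P<status>\d\.\d\.\d) was generated for recipient "
    r"rfc822;(?P<rcpt>\S+?)\s*\(", re.S)

def parse_ndr_events(text):
    """One dict per NDR event found: timestamp, event ID, DSN status, recipient."""
    events = []
    for m in RECORD_RE.finditer(text):
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %I:%M:%S %p")
        events.append({"ts": ts, "event": int(m["event"]),
                       "status": m["status"], "rcpt": m["rcpt"]})
    return events

def looks_generated(local_part):
    """Heuristic for machine-made local parts (long, digit-heavy), as in the thread."""
    digits = sum(ch.isdigit() for ch in local_part)
    return len(local_part) >= 10 and digits / len(local_part) >= 0.3

def summarize(events, own_domain):
    """Counts that separate backscatter from ordinary user typos."""
    per_minute = Counter(e["ts"].strftime("%Y-%m-%d %H:%M") for e in events)
    generated = sum(looks_generated(e["rcpt"].split("@")[0]) for e in events)
    own = sum(e["rcpt"].lower().endswith(("@" + own_domain, "." + own_domain))
              for e in events)
    return {"total": len(events), "generated": generated, "own_domain": own,
            "peak_per_minute": max(per_minute.values(), default=0)}
```

When `generated` approaches `total` and `peak_per_minute` is high, the NDRs are being provoked by forged inbound mail rather than by users mistyping addresses, and the queue source, not the NDRs, is what to chase.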
 
LVL 1

Author Comment

by:tccfadmin
ID: 16921174
Thanks for the help on the last question; it worked perfectly. Now this one. Just to give you an update, the errors have reduced a lot thanks to recipient filtering and tarpit, but I'm still getting them and I know something is up. I checked my message queues and of course I have like 2 with 20 messages or so, all from my postmaster trying to send out failed delivery or whatever. What's the best way to get rid of this?
LVL 4

Expert Comment

by:ansh_gupta
ID: 16921401
Well, I am running out of time... got to go home and cook some food. Will get back to you tomorrow. I will get you the way to take care of this. Sorry for now... :)

Cheers..
LVL 1

Author Comment

by:tccfadmin
ID: 16921409
Thank you very much
LVL 104

Expert Comment

by:Sembee
ID: 16923306
For clearing the queues you have a couple of options.
You could just leave them to timeout - 48 hours later they will be gone.
Otherwise I have some cleanup techniques on my web site: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
LVL 1

Author Comment

by:tccfadmin
ID: 16943659
OK, the problem has gotten really bad again with these 3018, 3015, 3008 errors. I have tarpitting on and recipient filtering on; what else can I do? The NDRs are flooding in worse than before.
LVL 1

Author Comment

by:tccfadmin
ID: 16943717
I also now have a queue with over 340 messages in it, all with bad address verification responses. If I have recipient filtering on, why are these messages even being generated?
LVL 3

Expert Comment

by:ppuro
ID: 16944355
Did you try disabling anti-virus?
LVL 1

Author Comment

by:tccfadmin
ID: 16944762
Yeah, tried that. This is just getting annoying now :) I don't know what else I can do to make this stop. Something must be getting missed here. I'm getting NDRs like 7 or 8 a minute now, all failures.
LVL 1

Author Comment

by:tccfadmin
ID: 16945275
Now I'm getting NDRs from my own domain. Something bad is going on here. I turned off non-delivery reports; it still continues to send them out.


Type:            Error
Date:            6/20/2006
Time:            2:50:44 PM
Event:            3018
Source:            MSExchangeTransport
Category:      NDR
User:            N/A
Computer:      MAIL2
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;t5-41q65349olg@mail.workgroup.godebtfree.com (Message-ID <MAIL2E5aHaZVrDs9aAO0000029f@MAIL2.workgroup.godebtfree.com>).

Causes: This message indicates a DNS problem or an IP address configuration problem
 
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
For more information, click http://www.microsoft.com/contentredirect.asp.

LVL 104

Expert Comment

by:Sembee
ID: 16946928
Those are NDRs that are being generated by the original message. You can't do anything about those. What you need to look at is the source of the message.

You have recipient filtering enabled?
You have tarpit enabled?
Have you restarted the SMTP service since those were enabled?

Have you reviewed your SMTP relaying settings to ensure that you aren't an open relay? http://www.amset.info/exchange/smtp-openrelay.asp

That includes authenticated relaying?
Have you changed your administrator password?

Simon.
LVL 4

Accepted Solution

by:
ansh_gupta earned 500 total points
ID: 16949615
OK... For some time, can you disable NDRs in the global settings of the Exchange server? Also check the badmail folder; it's time to clean that as well. Clean the queues for that domain as well.
LVL 104

Expert Comment

by:Sembee
ID: 16955902
Disabling NDRs doesn't really deal with the problem. It just masks the issue and could cause you to lose some important email.

Your biggest client has just made a misspelling on an email address that is asking about a 2 million dollar contract.
You never get it.
The client doesn't know he made a mistake because there is no NDR.

What do I care - tccfadmin - you are the first person to go on to my blacklist. Well done.

Simon.
LVL 1

Author Comment

by:tccfadmin
ID: 16959992
Simon,

Not trying to piss you off. For whatever reason recipient filtering and tar pitting were not stopping the reverse NDR attack. If I leave them off for some time, eventually these guys are bound to stop. I think blacklisting me is a little extreme. I apologize if you feel offended.

rob
LVL 104

Expert Comment

by:Sembee
ID: 16960063
I felt offended because despite putting in a lot of work you gave me ZERO points.
Now - I don't need the points, but it shows no appreciation for the work that I carried out trying to assist you.

We are all volunteers here, I don't get paid for the time and effort I put in to the site. As such the points system is the only way to show appreciation for the work carried out. Why should I help you again if you aren't going to appreciate my efforts?

There is obviously something else wrong with the system, as recipient filtering and tar pit does work. Tarpit doesn't actually do anything, other than protect the server.

Simon.
LVL 1

Author Comment

by:tccfadmin
ID: 16960089
Whoa, I am so sorry. I had no idea I could give out points to different people. I apologize.
LVL 104

Expert Comment

by:Sembee
ID: 16960102
It's all in the help system.

http://www.experts-exchange.com/help.jsp#hi69