Solved

Not sure what these messages are:

Posted on 2006-11-22
Last Modified: 2010-03-06
Hi.

Our clients are receiving a number of NDR's for fictitious names BUT the correct domain names.

Below is an example of the error from the daily performance report.


Source                 Event ID   Last Occurrence     Total Occurrences
MSExchangeTransport    7010       22/11/2006 04:14    35 *
This is an SMTP protocol log for virtual server ID 1, connection #106. The client at "82.81.218.121" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address ". The full command sent was "helo |http://mail.oldartero.com:8889/cgi-bin/put". This will probably cause the connection to fail. For more information, click http://www.microsoft.com/contentredirect.asp.  
 
We did setup some monitoring on this server because we thought they were an open relay - but can remember where we set-up the monitoring or even if these NDR's are a result of that monitoring.

Either way, are these NDR's normal - is there a problem and can it be fixed????

Many thanks
Regards
Andy.
0
Question by:AndyKeen
5 Comments
 
LVL 8

Expert Comment

by:susanzeigler
ID: 17998278
Can you post the contents of one of the NDR messages and how many they are getting?

My first inclination is simply to say they are generated by spammers who are attempting to send messages to users on that server using a from address in the same domain. It is a fairly common practice.
Message from: accounting@yourdomain.com
Message to: susan@yourdomain.com

Another possibility is that they are the victim of a Joe Job--a spammer using one of their email addresses in the from line. In that scenario, though, the number of NDRs generated is a much higher volume.

Recently I have even seen fake NDRs generated as the spam--it looks like it was sent from me to someone else and their mail server rejected it. Scrutiny of the header shows that it was not an NDR generated from an actual bounce.
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 17998421
Hi Susan - Thanks for your info.

Below are two typical NDR's - note that the domain names are correct but the pre- @ is incorrect.



Your message did not reach some or all of the intended recipients.

      Subject:      Irene Deutsch/ALBD/HeavyStamping ist in Karenz
      Sent:      22/11/2006 15:02

The following recipient(s) could not be reached:

      fnlod@ABC.co.uk on 22/11/2006 15:07
            The message contains a content type that is not supported
            <ABC.co.uk #5.6.1 smtp;554 5.6.1 Body type not supported by Remote Host>


E.G. 2


Your message did not reach some or all of the intended recipients.

      Subject:      somewhat daily
      Sent:      21/11/2006 16:33

The following recipient(s) could not be reached:

      info@CDE-it.co.uk on 21/11/2006 18:07
            A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients.  Contact your administrator.
            <ABC.co.uk #4.4.6>


Note - the domain name CDE-it.co.uk  (Changed) is a valid domain name as is ABC.co.uk (Changed) - the pre - @ is a valid name but more luck than judgement perhaps.


Hope this helps.

Regards
Andy.
0
 
LVL 8

Accepted Solution

by:
susanzeigler earned 500 total points
ID: 17999492
From the way you stated, it sounds like the from address in the original message that generated the NDR was valid and on the local server. Just to be safe, the next thing I would do would be to check the serverlog files to see if the messages shown in the NDR originated on the server or even passed through it. Sometimes a spam will hit the server, then be rejected, and then the NDR on the spam message generates another NDR because the original sending address wasn't valid (boy I hope that made sense).

One possibility is that there is a compromised computer on the network. More likely, it is just spam, but it is better to be careful.
0
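The accepted answer's advice is to check the server's own logs to see whether the messages named in the NDRs ever originated on, or passed through, the local server: if they did not, the NDR is backscatter from mail that spoofed a local address. The script below is an added illustration of that check, not code from the thread or from Exchange. It parses NDR bodies of the shape the poster quoted (the two bodies embedded here are constructed copies of those, with the same placeholder domains), reads the DSN status code, and looks for a matching outbound record in a constructed, hypothetical simplified send log (timestamp, sender, recipient); the real Exchange message-tracking or protocol log has a different layout and would need its own reader. The 30-minute match window and the domain `ourdomain.example` are assumptions.

```python
"""Triage Exchange-style NDRs: genuine bounce of our own mail, or backscatter?"""
import re
from datetime import datetime, timedelta

# Constructed NDR bodies patterned on the two quoted in the thread
# (placeholder domains kept as the poster had them).
NDR_1 = """Your message did not reach some or all of the intended recipients.

      Subject:      Irene Deutsch/ALBD/HeavyStamping ist in Karenz
      Sent:      22/11/2006 15:02

The following recipient(s) could not be reached:

      fnlod@ABC.co.uk on 22/11/2006 15:07
            The message contains a content type that is not supported
            <ABC.co.uk #5.6.1 smtp;554 5.6.1 Body type not supported by Remote Host>
"""

NDR_2 = """Your message did not reach some or all of the intended recipients.

      Subject:      somewhat daily
      Sent:      21/11/2006 16:33

The following recipient(s) could not be reached:

      info@CDE-it.co.uk on 21/11/2006 18:07
            A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients.  Contact your administrator.
            <ABC.co.uk #4.4.6>
"""

# Constructed extract of what the local server actually sent out, as
# (timestamp, envelope sender, envelope recipient).  Hypothetical simplified
# format, not Exchange's own message-tracking or protocol log.
OUTBOUND_LOG = [
    ("21/11/2006 16:33", "andy@ourdomain.example", "info@CDE-it.co.uk"),
    ("22/11/2006 09:12", "sales@ourdomain.example", "orders@supplier.example"),
]

TS_FMT = "%d/%m/%Y %H:%M"

# Pulls subject, sent time, failed recipient, failure time, reporting host and
# the enhanced status code out of an NDR body of the shape quoted above.
NDR_RE = re.compile(
    r"Subject:\s+(?P<subject>.*?)\n"
    r"\s*Sent:\s+(?P<sent>\d{2}/\d{2}/\d{4} \d{2}:\d{2})"
    r".*?could not be reached:\s+(?P<rcpt>\S+@\S+) on (?P<failed>\d{2}/\d{2}/\d{4} \d{2}:\d{2})"
    r".*?<(?P<reporting_host>\S+) #(?P<dsn>\d\.\d{1,3}\.\d{1,3})",
    re.S,
)


def parse_ndr(body: str) -> dict:
    """Extract the fields needed for triage from one NDR body."""
    m = NDR_RE.search(body)
    if not m:
        raise ValueError("not a recognised NDR body")
    dsn = m.group("dsn")
    return {
        "subject": m.group("subject").strip(),
        "sent": datetime.strptime(m.group("sent"), TS_FMT),
        "recipient": m.group("rcpt"),
        "failed_at": datetime.strptime(m.group("failed"), TS_FMT),
        "reporting_host": m.group("reporting_host"),
        "dsn": dsn,
        # RFC 3463 class digit: 5 = permanent failure, 4 = persistent transient
        "severity": {"5": "permanent", "4": "transient"}.get(dsn[0], "unknown"),
    }


def originated_locally(ndr: dict, outbound_log, window=timedelta(minutes=30)) -> bool:
    """True if our server has a send record to that recipient near the NDR's Sent time."""
    for ts, _sender, rcpt in outbound_log:
        if rcpt.lower() != ndr["recipient"].lower():
            continue
        if abs(datetime.strptime(ts, TS_FMT) - ndr["sent"]) <= window:
            return True
    return False


def triage(body: str, outbound_log) -> dict:
    """Label an NDR as a genuine bounce of our mail or as backscatter."""
    ndr = parse_ndr(body)
    local = originated_locally(ndr, outbound_log)
    ndr["originated_locally"] = local
    ndr["verdict"] = "genuine bounce" if local else "backscatter"
    return ndr


if __name__ == "__main__":
    for body in (NDR_1, NDR_2):
        r = triage(body, OUTBOUND_LOG)
        print(f"{r['recipient']:<22} DSN {r['dsn']} ({r['severity']:<9}) -> {r['verdict']}")
```

Run as-is, the first NDR has no outbound record and is labelled backscatter; the second matches a real send and is a genuine (transient, 4.4.6) bounce. Against a real server the log reader is the part to replace; the verdict logic, which is only "did we send it?", stays the same.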
