Solved

Undeliverable: Returned mail: see transcript for details

Posted on 2007-07-30
Last Modified: 2008-01-09
In the past month or so several people on my network say they are getting an Undeliverable: Returned email from an email address that they have never seen before, and they did not send an email to this address.


      kmkweon@dongdo.com on 7/29/2007 8:52 AM
            Could not deliver the message in the time limit specified.  Please retry or contact your administrator.
            < mail.imct.net #4.4.7 X-Unix; 75>

Not sure why people would get a returned email if they did not send it... maybe spam??
We use Exchange Server 2003, Outlook 2003 and have a spam filter in place.
0
Question by:jeffsteffy
12 Comments
 
LVL 8

Expert Comment

by:banks1850
ID: 19593238
Yes, spam is one possibility.  Spammers sometimes try to use "spoofed" addresses.  Most mail servers will reject these unless they come from the same IP address.  It could also be a rogue SMTP server on your domain as well (this is usually caused by a virus or zombie machine).
0
 
LVL 8

Expert Comment

by:banks1850
ID: 19593244
OH, forgot to add.  If it is someone trying to spoof your address, not a ton you can do about it.  You can try to track the message, but usually that leads to a black hole.
0
 
LVL 10

Assisted Solution

by:abraham808
abraham808 earned 200 total points
ID: 19593314
Numeric Code: 4.4.7

Possible Cause: The message in the queue has expired. The sending server tried to relay or deliver the message, but the action was not completed before the message expiration time occurred. This NDR may also indicate that a message header limit has been reached on a remote server or that some other protocol timeout occurred during communication with the remote server.
Troubleshooting: This code typically indicates an issue on the receiving server. Verify the validity of the recipient address, and verify that the receiving server is configured to receive messages correctly. You may have to reduce the number of recipients in the header of the message for the host that you are receiving this NDR from. If you resend the message, it is placed in the queue again. If the receiving server is on line, the message is delivered.
0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 19593511
got this from dnsstuff.com email test   mail.dongdo.com. - 61.85.178.131  [Successful connect: Got a good response [250 2.1.5 <kmkweon@dongdo.com>... Recipient ok]] (took 2.469 seconds)
How do I tell if it is a zombie machine? I use McAfee anti-virus/spyware through my SonicWall.

We do have distribution groups: if someone requests info about our product from our website, the request is sent to someone here depending on what info is requested.
0
 
LVL 12

Expert Comment

by:NetAdmin2436
ID: 19593545
This is most likely spam and there's not much you can really do about it. What you are referring to is called 'backscatter'. Basically a spammer sends out spam to bogus@companyA.com with a spoofed address pointing back to you. The email server at companyA sends out an NDR to you. (If the admin was good, he would disable NDR.)
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22116577.html?sfQueryTermInfo=1+backscatt+ndr
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22520233.html?sfQueryTermInfo=1+backscatt

You can be a good neighbor and prevent YOUR server from doing this to others, but not vice versa.


Hope this helps
0
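Added example, not part of the thread: one way to triage a bounce like the one in the question is to read the original message headers that the NDR returns and compare the Message-ID with the IDs your own server actually sent. The sample NDR, the host names and the `sent_ids` set (assumed here to come from your server's message tracking logs) are constructed for illustration.

```python
import email
from email import policy
# Constructed sample NDR in RFC 3464 multipart/report form; every name is made up.
SAMPLE_NDR = """\
From: MAILER-DAEMON@mail.remote.example
Subject: Undeliverable: Returned mail: see transcript for details
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Could not deliver the message in the time limit specified.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.remote.example

Final-Recipient: rfc822; someone@remote.example
Action: failed
Status: 4.4.7

--BOUND
Content-Type: text/rfc822-headers

Received: from pc (unknown [203.0.113.9]) by mail.remote.example
Message-ID: <constructed-123@bulk.invalid>
From: user@ourcompany.example

--BOUND--
"""

def triage_ndr(raw, sent_ids):
    """Return the DSN status, the original Message-ID, and whether we sent it."""
    msg = email.message_from_string(raw, policy=policy.default)
    status = orig_id = None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            for block in part.get_payload():  # one Message per header block
                if block.get("Status"):
                    status = str(block["Status"]).strip()
        elif ctype == "text/rfc822-headers":  # only the headers were returned
            orig_id = email.message_from_string(part.get_content()).get("Message-ID")
        elif ctype == "message/rfc822":       # the whole original was returned
            orig_id = part.get_payload(0).get("Message-ID")
    # None means the bounce carried no original headers, so it cannot be matched.
    ours = None if orig_id is None else str(orig_id).strip() in sent_ids
    return {"status": status, "original_id": orig_id, "sent_by_us": ours}
```

A result with `sent_by_us` set to `False` is consistent with backscatter from a spoofed sender; `True` means the bounce belongs to mail that really left your server.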
 
LVL 2

Author Comment

by:jeffsteffy
ID: 19593746
Hopefully I do not have zombie machines. I have scanned all PCs and found no viruses. Do I disable NDR?
0
 
LVL 12

Accepted Solution

by:
NetAdmin2436 earned 800 total points
ID: 19593963
You can disable your server from sending NDRs, but your email server has to accept NDRs per RFC. So this doesn't stop the NDRs you're currently getting. But it prevents your email server from annoying other people.

Normally your antispam software on your email server can be configured to not send NDRs. Exchange can also be configured not to send NDRs, but I'd check your antispam software first since the spam passes through it first, then is sent to Exchange. What antispam software do you have? And is it running on your server or clients?

For Exchange only (antispam software on clients)
Disable NDR on Exchange:
From Exchange System Manager, Global Settings, Internet Message Format.
Double click on your right. Advanced tab. Uncheck Allow non-delivery reports.
0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 19594113
I am using Symantec Brightmail for anti-spam; it is running on the Exchange Server 2003.
0
 
LVL 104

Assisted Solution

by:Sembee
Sembee earned 200 total points
ID: 19594257
The best way to secure your network against zombie machines is to block port 25 on the firewall for all machines but the Exchange server. Then any compromised machine will show in the firewall logs.

Simon.
0
 
LVL 8

Assisted Solution

by:banks1850
banks1850 earned 800 total points
ID: 19594334
What Sembee said.  :)  Also, if you are worried, you can monitor traffic for a day or so using some protocol analyzer like Ethereal (www.ethereal.com).  You would set up a filter to look for port 25 originating internally and trying to send directly (going to your gateway); make sure you exclude your Exchange server and any other valid SMTP servers though, or you would get false positives.  I still lean toward the spoofing though, as I see it all the time on multiple locations, and generally you would be having other issues along with this if you had zombies on your domain or virus issues (like other hosts blacklisting you and your users complaining about not being able to send emails).
0
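Added example, not part of the thread: the check that the two answers above describe, run over firewall log lines, flags any internal host other than the mail server that tries to reach port 25 on the outside. The LAN range, the server address and the simplified key=value log layout are assumptions constructed for this example, not a real firewall's export format.

```python
import ipaddress
import re
from collections import Counter

# Assumptions: the LAN range, the Exchange server's address and this simplified
# key=value log layout are all constructed for the example, not a vendor format.
LAN = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_SMTP_SENDERS = {"192.168.1.10"}

SAMPLE_LOG = """\
2007-07-31 09:01:12 action=allow proto=tcp src=192.168.1.10:3301 dst=198.51.100.7:25
2007-07-31 09:01:40 action=drop proto=tcp src=192.168.1.57:1044 dst=203.0.113.20:25
2007-07-31 09:01:41 action=drop proto=tcp src=192.168.1.57:1045 dst=203.0.113.99:25
2007-07-31 09:02:03 action=allow proto=tcp src=192.168.1.23:2210 dst=198.51.100.80:80
2007-07-31 09:02:15 action=drop proto=tcp src=192.168.1.57:1046 dst=198.51.100.33:25
2007-07-31 09:03:00 action=drop proto=tcp src=192.168.1.88:4000 dst=203.0.113.20:25
"""

LINE_RE = re.compile(r"proto=tcp src=([\d.]+):\d+ dst=([\d.]+):(\d+)")

def rogue_smtp_sources(log_text, allowed=ALLOWED_SMTP_SENDERS, lan=LAN):
    """List (host, attempts, distinct destinations) for unauthorised outbound SMTP."""
    attempts, targets = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        try:
            outbound = (ipaddress.ip_address(src) in lan
                        and ipaddress.ip_address(dst) not in lan)
        except ValueError:  # malformed address in the log line
            continue
        if dport == "25" and outbound and src not in allowed:
            attempts[src] += 1
            targets.setdefault(src, set()).add(dst)
    # Busiest hosts first; many distinct destinations is the stronger warning sign.
    return [(src, n, len(targets[src])) for src, n in attempts.most_common()]
```

A host that hits many different destination servers is a candidate for inspection, while a single repeated destination is more often a mail client pointed at an outside relay.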
 
LVL 2

Author Comment

by:jeffsteffy
ID: 19595318
Did a Spam Database Lookup at dnsstuff.com on my IP address and I am not listed. That's a good point about the blacklisting. I blocked port 25 on my SonicWall except for the Exchange server; I will monitor that today.

Thanks  
0
 
LVL 8

Expert Comment

by:banks1850
ID: 19600440
Also, you can go here and check for being on blacklists: http://www.mxtoolbox.com/blacklists.aspx  This place is pretty comprehensive.
0

Question has a verified solution.
