jwhetstone

Sporadic Duplicate Internal Emails

Using SBS 2003, Exchange 2003 SP2, Trend Micro Client/Server/Messaging Security 3.6.  There is no pattern for when it occurs, but users occasionally receive a duplicate email from another internal recipient.  If it occurs with external recipients, no one has reported it.  Message Tracking is enabled on the Exchange Server.  The last time it occurred, there appear to be two messages with different message IDs sent to the same user from another user at the same time (though the message tracking center does not reveal the subject line).  The sender only had one instance of the message in their sent items folder.  Neither user has any rules that would cause a duplicate.

I have not seen this problem with other setups running the same software/versions, and the problem occurs infrequently, so I am hesitant to disable antivirus on Exchange.  I am getting enough of a complaint, though, that I need to try to find a resolution.  Any thoughts are greatly appreciated!
Sembee

You can get message tracking to show the subject - you need to change the settings on the Properties of the server in ESM, Servers.

AV software is the usual cause of this. Make sure that any file level AV is not scanning the Exchange directories.

Simon.
jwhetstone

ASKER

Thanks for the tip on enabling the subject display.

Double-checked the AV settings in Trend; all Exchange folders are excluded from the file-level AV, however, there was a scheduled scan on the IS scheduled monthly on Sundays.  Though I don't think it has anything to do with the problem, I have disabled the scheduled scan.  For good measure, I have also added .edb, .stm, .log, and .chk file types to the AV exclusion list.

It seems the problem has been narrowed to emails originating from one user.  This particular user does daily maintenance on Sent Items, so I question whether there was only a single instance of the duplicate email that occurred yesterday in the Sent Items folder.  I have requested that they retain all messages in Sent Items until we can resolve the problem.  They may be using cached exchange, so I am also going to exclude .ost file types from the desktop AV group.
Jeffrey Kane - TechSoEasy
Are you using the POP3 Connector?  If so, this is a normal behavior.  

What happens is that the POP3 host will create a separate message for each person in the cc field without fully modifying the headers.  Then, Exchange downloads these messages and re-reads the headers to make its own copies of messages for each cc.  Details are here:
http://support.microsoft.com/kb/264249

There's no real way to avoid this unless you have the sender use a distribution list address such as group@yourcompany.com.  You would then have to create the Distribution Group in your Server Management Console.

Alternatively, why not switch to SMTP mail?  The POP3 connector is really designed to just be a transition tool to allow you time to switch to SMTP email anyhow.  You can read more about how to do that here:  http://sbsurl.com/pop2smtp

Jeff
TechSoEasy
No, the POP3 connector is not in use.  

An odd thing occurred with this same server yesterday- due to previous Windows updates, the server was restarted.  They are using an external company for spam filtering, so I changed the SMTP server connection settings to only allow connections from that company's IP range.  After restarting the SMTP service, users reported receiving various read receipts and undeliverables as old as two months.  They had never previously received these messages.  Reviewing the message tracking center indicated these messages were processed on this day, but the headers of the messages revealed the date they were actually sent (up to two months prior).  

At this point, I am questioning the integrity of the queues, the SmallBusiness SMTP connector, or possibly the Exchange antivirus component of Trend Micro C/S/M Security 3.6.

I am going to delete and recreate the SMTP connector.  Is there a way to rebuild the queues?
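
An added example, not posted by any participant, for triaging the two symptoms described so far: paired deliveries with different message IDs, and items processed long after their Date header. The CSV layout and column names are hypothetical, the sample rows are constructed, and it assumes subject logging has been enabled in message tracking.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample rows; the column names are assumptions, not an Exchange log format.
SAMPLE = """processed,sender,recipient,subject,message_id,date_header
2007-03-12T09:15:02+00:00,alice@example.local,bob@example.local,Q1 budget,<A1@srv.example.local>,"Mon, 12 Mar 2007 09:15:01 +0000"
2007-03-12T09:15:03+00:00,alice@example.local,bob@example.local,Q1 budget,<A2@srv.example.local>,"Mon, 12 Mar 2007 09:15:01 +0000"
2007-03-12T10:40:00+00:00,carol@example.local,bob@example.local,Lunch,<C1@srv.example.local>,"Mon, 12 Mar 2007 10:39:58 +0000"
2007-03-12T11:02:10+00:00,postmaster@example.local,alice@example.local,Undeliverable: Invoice,<N1@srv.example.local>,"Tue, 16 Jan 2007 14:05:00 +0000"
"""

def load(text):
    """Parse the CSV and convert both timestamps to timezone-aware datetimes."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["processed"] = datetime.fromisoformat(r["processed"])
        r["sent"] = parsedate_to_datetime(r["date_header"])
        rows.append(r)
    return rows

def find_duplicates(rows, window=timedelta(seconds=60)):
    """Same sender, recipient and subject within `window`, but different message IDs."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["sender"].lower(), r["recipient"].lower(), r["subject"])
        groups[key].append(r)
    hits = []
    for key, msgs in groups.items():
        msgs.sort(key=lambda m: m["processed"])
        for a, b in zip(msgs, msgs[1:]):
            close = b["processed"] - a["processed"] <= window
            if close and a["message_id"] != b["message_id"]:
                hits.append((key, a["message_id"], b["message_id"]))
    return hits

def find_stale(rows, max_age=timedelta(days=7)):
    """Items processed more than `max_age` after the time in their Date header."""
    return [(r["message_id"], (r["processed"] - r["sent"]).days)
            for r in rows if r["processed"] - r["sent"] > max_age]

if __name__ == "__main__":
    rows = load(SAMPLE)
    for key, first, second in find_duplicates(rows):
        print("possible duplicate:", key, first, second)
    for msg_id, age_days in find_stale(rows):
        print("stale delivery:", msg_id, "age in days:", age_days)
```
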
Rebuilding the queues?  Are they not empty?

To delete and recreate the SBS SMTP Connector you just delete it and then rerun the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email).

If they are using an external SPAM filtering service, then make sure that TrendMicro's SPAM or Content filter isn't enabled.  But does this service also provide AV?  If so, and if you've restricted receiving from only their servers, you don't need to be running AV on your Exchange server at all.  So you can effectively remove the Trend Micro Messaging Security Agent from your server.

Also check to make sure that the users don't have any special settings in Outlook for specific users that might send email in a different format which may cause the message to be sent via both Exchange (locally) and via SMTP through the external SPAM service and back again.

You can use EXInsight to watch for this.  The trial version is good for 15 days... www.exinsight.com

Jeff
TechSoEasy
ASKER CERTIFIED SOLUTION
Sembee
This solution is only available to members.
Thanks for the link, Simon- I think that is exactly what happened in this instance with the influx of undeliverables.

Thank you for your suggestions, too, Jeff.  I am hesitant to totally remove the Messaging Security agent; the spam filtering service does provide AV for incoming emails, but does nothing for outgoing or other items introduced into the information store from other sources, so I would prefer to maintain the internal layer of protection.

I've got to wonder if the two issues are interconnected.  I will apply the hotfix and monitor.  We can consider this one closed for now.

Thanks again for all the input.
Unless you configure Trend Micro's settings from the defaults, it's not scanning outgoing or other items introduced into the information store.  But the basic OfficeScan IS protecting you from those things by virtue of scanning every file accessed on any machine that has TrendMicro installed.

Jeff
TechSoEasy