No1_Reggie

asked on

Repetitive SMTP Event ID7002 Warning in Event Log

Hello all,

I have started receiving the following warning in the Application Event Log on my Exchange Server. I have done a fair amount of searching both here and on Google, but all the similar issues I find are with the "rcpt" command, whereas mine is with a "mail" command.

I am sure I am not having an NDR attack as my queues are not full, etc. I am pretty sure I am not an open relay as I have relay turned off on the Exchange box and all tests at http://www.abuse.net/ are negative; I am also showing negative for blacklisting at http://www.mxtoolbox.com, and I am also happy with my DNS setup and seem to have no issues with it according to http://www.dnsstuff.com.

I think that is everything you will need. The full message is below; it occurs very frequently, and the worrying thing is that the e-mail address listed is an actual existing mail address for a user on my domain, and the IP address listed under *possibly forged hostname for* is my actual router's IP. This also seems to be playing havoc with my internet speed. Hope you guys can help me sort this. Many thanks.

This is an SMTP protocol warning log for virtual server ID 1, connection #61. The remote host "62.128.193.140", responded to the SMTP command "mail" with "451 4.1.8 Possibly forged hostname for *my correct ip address*". The full command sent was "MAIL FROM:<myuser.myusersurname@mydomain.com>  ".  This may cause the connection to fail.
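The warning above is free text, so the first thing a defender wants is to turn a run of these events into something countable: which remote host, which SMTP verb, which status code, and which local sender. The Python below is an added example, not code from this thread or from Exchange; the regular expression is built from the single message quoted above (so it is an assumption that every instance of the event is worded the same way), and the sample events other than the first are constructed, including the second remote address 198.51.100.7.

```python
import re
from collections import Counter

# Pattern for the Exchange 2003 "SMTP protocol warning" text quoted in the question.
# It is derived from that one message, so it is an assumption that every
# instance of the event is worded the same way.
EVENT_RE = re.compile(
    r'virtual server ID (?P<vsid>\d+), connection #(?P<conn>\d+)\. '
    r'The remote host "(?P<remote>[^"]+)", responded to the SMTP command '
    r'"(?P<command>[^"]+)" with "(?P<status>\d{3}) (?P<esc>\d\.\d\.\d+) (?P<reason>[^"]*)"\. '
    r'The full command sent was "(?P<full>[^"]*?)\s*"\.'
)
MAIL_FROM_RE = re.compile(r'MAIL FROM:\s*<(?P<sender>[^>]*)>', re.IGNORECASE)


def parse_event(text):
    """Extract the fields of one warning; return None if the text is not this event."""
    m = EVENT_RE.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    sender = MAIL_FROM_RE.search(fields["full"])
    fields["sender"] = sender.group("sender").lower() if sender else None
    return fields


def summarise(lines, threshold=3):
    """Count warnings per (remote host, sender, enhanced status) and flag repeats.

    One pair that keeps recurring is one local sender retrying one remote host,
    which is what the asker eventually found: a stuck message to a customer
    whose host kept rejecting the connection, not a compromise.
    """
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        counts[(ev["remote"], ev["sender"] or "", ev["esc"])] += 1
    flagged = sorted(key for key, n in counts.items() if n >= threshold)
    return counts, flagged


# Constructed sample events. The first is the message from the question (with the
# asker's own placeholder left in); the rest are made up to show the pattern.
_BASE = ('This is an SMTP protocol warning log for virtual server ID 1, connection #{conn}. '
         'The remote host "62.128.193.140", responded to the SMTP command "mail" with '
         '"451 4.1.8 Possibly forged hostname for *my correct ip address*". The full command '
         'sent was "MAIL FROM:<myuser.myusersurname@mydomain.com>  ".  '
         'This may cause the connection to fail.')
SAMPLE_EVENTS = [_BASE.format(conn=n) for n in (61, 62, 63)] + [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #70. '
    'The remote host "198.51.100.7", responded to the SMTP command "rcpt" with '
    '"550 5.1.1 User unknown". The full command sent was "RCPT TO:<someone@example.net>".  '
    'This may cause the connection to fail.',
    'Some unrelated Application log entry that the parser must ignore.',
]

if __name__ == "__main__":
    counts, flagged = summarise(SAMPLE_EVENTS)
    for key, n in counts.items():
        print(n, key)
    print("repeating:", flagged)
```

Feed it the exported event texts (one per line) and look at the flagged pairs; a single sender against a single remote host is a queued message worth inspecting, whereas many distinct senders or many remote hosts would point at something else.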
newborn1281

Are you able to deliver emails, or do you experience some kind of problem?
Does your email server have a static IP or a dynamic one? If you send from behind NAT, does the NAT router have a static or dynamic IP? Do you have a PTR record set up for your public address?
No1_Reggie

ASKER

Sorry, should have added that. To answer your questions:
1). Yes, I am able to deliver messages, absolutely no problem at all. We are having no bouncebacks from anywhere I am aware of.
2). The NAT router has a static IP address.
3). I have a PTR for the router. Not too sure what you mean by PTR set up for our public IP address. Do you mean our public-facing internet address, i.e. the address listed in the error message as the possibly forged hostname?

What some email providers do is verify whether your email server's IP address has a PTR record set up. For example, if you, from your home or anywhere else outside of your network, type the command
nslookup
set type=mx
google.com   you get 216.239.32.10
Now if you do a lookup on 216.239.32.10,
such as
nslookup 216.239.32.10

you should get something like
Name : ns1.google.com
Address 216.239.32.10

which says that the PTR pointer is set.
Do an nslookup on the email server's IP address; it will be in the form hostname.domain.com.
Now, the host name does not coincide with the host name of your server; that's what that message might state. It should not be a big deal. Try telnetting to your email server on port 25; the first message is the response from your email server with message 220 hostname.domain.com, and that's where the warning arises, I believe.
For example, you telnet into the mail server on port 25 and you get
220 mail.xxx.com

but your server's host name is mail25.xxx.com
so that's why you got the warning.
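The consistency test newborn1281 is describing, the PTR name for the connecting address against the name the server announces in its banner, is what mail receivers call forward-confirmed reverse DNS. The Python below is an added example, not code from this thread or from Exchange, written as the check a receiving MTA applies. The lookups are passed in as functions: `live_ptr` and `live_a` use the standard library for a real run against your own address, while `sample_ptr` and `sample_a` serve constructed zone data (the example.com names and 203.0.113.x addresses are invented) so the three outcomes, consistent, mismatched name, and no PTR at all, can be seen offline.

```python
import socket


def check_fcrdns(ip, announced_name, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS, the consistency test a receiving MTA applies.

    ptr_lookup(ip)   -> list of host names from the PTR record(s), [] if none
    a_lookup(name)   -> list of IPv4 address strings for that name, [] if none
    announced_name   -> the name in the 220 banner / HELO of the sending server
    Returns (ok, findings); findings lists every mismatch in plain words.
    """
    findings = []
    announced = announced_name.rstrip(".").lower()
    ptr_names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]

    # 1. The connecting address must have a PTR record at all.
    if not ptr_names:
        findings.append(f"no PTR record for {ip}")

    # 2. Each PTR name must resolve forward to the same address (the "confirmed" part).
    for name in ptr_names:
        if ip not in a_lookup(name):
            findings.append(f"PTR name {name} does not resolve back to {ip}")

    # 3. The announced name must match the PTR name and resolve to the connecting address.
    if ptr_names and announced not in ptr_names:
        findings.append(f"announced name {announced} differs from PTR name(s) {', '.join(ptr_names)}")
    if ip not in a_lookup(announced):
        findings.append(f"announced name {announced} does not resolve to {ip}")

    return (not findings), findings


# Live resolvers using only the standard library; pass these for a real check.
def live_ptr(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed zone data for an offline run; every name and address here is invented.
SAMPLE_PTR = {
    "203.0.113.25": ["mail.example.com."],     # consistent setup
    "203.0.113.26": ["mail25.example.com."],   # PTR name differs from the announced name
    "203.0.113.27": [],                        # no reverse record at all
}
SAMPLE_A = {
    "mail.example.com": ["203.0.113.25"],
    "mail25.example.com": ["203.0.113.26"],
}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_a(name):
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.26", "203.0.113.27"):
        ok, findings = check_fcrdns(ip, "mail.example.com", sample_ptr, sample_a)
        print(ip, "OK" if ok else "; ".join(findings))
```

To test your own server, call `check_fcrdns` with your public address, the name from your 220 banner, `live_ptr` and `live_a`; an empty findings list means the reverse and forward records agree with what the server announces, which is the situation the asker confirmed by hand with nslookup and telnet.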
Hi Newborn, I have tried telnetting into my mail server; the first message contains the correct name for my server, and everything seems in order. I cannot send a mail using telnet because relaying is turned off; however, I telnet in, using for argument's sake mymailserver@mydomain.com for my mail server's address, so I do the following.

1). Open a command prompt
2). Type the following: telnet mymailserver.mydomain.com 25
3). Receive the response: 220 MYMAILSERVER.MYDOMAIN.COM Microsoft ESMTP MAIL Service,Version: 6.0.3790.1830 ready at  Thu, 31 Jan 2008 16:08:50 +0000

I presume this means my mail server is set up correctly.

Incidentally, I also logged in to my home PC and did the mxtype and nslookup from there, and again all the results I get are 100% correct regarding my mail server.

Should I take it to mean these messages are nothing important and just ignore them? I was worried when they started appearing that my network may have been compromised in some way.
ASKER CERTIFIED SOLUTION
newborn1281
or if you are really worried, just write an email to their customer support; the company for that IP is http://www.iomarthosting.com/

Is your Exchange server sending emails directly, or do you relay through an email service provider's server?
Many thanks, newborn, you were bang on. I have done some research and found a mail from my user continuously trying to send to one of our customers; doing an MX lookup on that customer, guess who their host is . . . iomart. These customers are having mail issues. I have removed the mail in question and all is fine now. Many thanks for pointing me in the right direction and for your patience. Points well deserved.