Repetitive SMTP Event ID7002 Warning in Event Log

Hello all,

I have started receiving the following warning in the Application Event Log on my Exchange Server. I have done a fair amount of searching both here and on google but all the similar issues i find are with "rcpt" command whereas mine is with a "mail" command.

I am sure i am not having an NDR attack as my queues are not full etc. I am pretty sure i am not an open relay as i have relay turned off on the exchange box and all tests at are negative, i am also showing negative for blacklisting at, i also am happy with my DNS setup and seem to have no issues with it found at

I think that is everything you will need, the full message is below, it occurs very frequently and the worrying thing is the e-mail address listed is an actual existing mail address for a user on my domain and the ip address listed under *possibly forged hostname for* is my actual routers ip.This also seems to be playing havoc with my internet speed.Hope you guys can help me sort this. Many thanks.

This is an SMTP protocol warning log for virtual server ID 1, connection #61. The remote host "", responded to the SMTP command "mail" with "451 4.1.8 Possibly forged hostname for *my correct ip address*". The full command sent was "MAIL FROM:<>  ".  This may cause the connection to fail.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

are you able to deliver emails or do you experience some kind of problem?
your email server does it have static IP or Dynamic or if you send from behind NAT is NAT's router static or dynamic IP? do you have PTR record setup for your public address.
No1_ReggieAuthor Commented:
Sorry should have added that - to answer your questions.
1). Yes i am able to deliver messages absolutely no problem at all. We are having no bouncebacks from anywhere i am aware of.
2). NAT router is a static ip address.
3). I have a PTR  for the router - not too sure what you mean by PTR set up for our public ip address. Do you mean our public facing internet address - i.e. the address listed in the error message as the possible forged hostname?
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

What some email providers do they verify if your emails server ip address has PTR record setup. For example if you from your home or anywhere else outside of your network will type command
set type=mx   you get
now if you do lookup on
such as

you shoud get something  like
Name :

Which says that ptr pointer is set.
do nslookup on ip address of the email's servers ip address it will be in form
now the host name does not coincide with host name of your server thats what that message might state. it should not be a big deal. Try tellneting to your email server on port 25 first message is response from your email server with message 220  thats where warning arises I believe.
for example you telnet in to mail server on port 25 you get

but your servers host name is
so thats why you got warning.
No1_ReggieAuthor Commented:
Hi Newborn, i have tried telnetting into my mail server - the first message contains the correct name for my server - everything seems in order. I cannot send a mail using telnet because relaying is turned off, however i telnet in - using for arguments sake for my mailservers address so i do the following.

1). Open command prompt
2). type the following: telnet 25
3). recieve response: 220 MYMAILSERVER.MYDOMAIN.COM Microsoft ESMTP MAIL Service,Version: 6.0.3790.1830 ready at  Thu, 31 Jan 2008 16:08:50 +0000

I presume this means my mailserver is set up correctly.

Incidently i also logged in to my home pc and did the mxtype and nslookup from there and again all the results i get are 100% correct regarding my mail server.

Should i take it to mean these messages are nothing important and just ignore them? I was worried when they started appearing that my network may have been compromised in some way.
HM i assume you should be fine. Plus error 451 states that that server has Requested action aborted: local error in processing so  I would assume that server has problem. I would do just a little more research and do nothing unless you will start getting bounce emails.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
or if you really worried just write email to their costumer support the company for that ip is

Is your Exchange server directly sending emails or do you relay through email server providers?
No1_ReggieAuthor Commented:
Many thanks newborn you were bang on - i have done some research and found a mail from my user continuiously trying to send to one of our customers, doing an mx lookup on that customer - guess who their host is. . . . iomart. These customers are having mail issues. I have removed the mail in question and all is fine now. Many thanks for pointing me in the right direction and your patience. Points well deserved.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols

From novice to tech pro — start learning today.