• Status: Solved

Repetitive SMTP Event ID7002 Warning in Event Log

Hello all,

I have started receiving the following warning in the Application Event Log on my Exchange Server. I have done a fair amount of searching both here and on Google, but all the similar issues I find are with the "rcpt" command, whereas mine is with a "mail" command.

I am sure I am not having an NDR attack, as my queues are not full, etc. I am pretty sure I am not an open relay, as I have relay turned off on the Exchange box and all tests at http://www.abuse.net/ are negative. I am also showing negative for blacklisting at http://www.mxtoolbox.com, and I am happy with my DNS setup and seem to have no issues with it found at http://www.dnsstuff.com.

I think that is everything you will need. The full message is below. It occurs very frequently, and the worrying thing is that the e-mail address listed is an actual existing mail address for a user on my domain, and the IP address listed under *possibly forged hostname for* is my actual router's IP. This also seems to be playing havoc with my internet speed. Hope you guys can help me sort this. Many thanks.

This is an SMTP protocol warning log for virtual server ID 1, connection #61. The remote host "62.128.193.140", responded to the SMTP command "mail" with "451 4.1.8 Possibly forged hostname for *my correct ip address*". The full command sent was "MAIL FROM:<myuser.myusersurname@mydomain.com>  ".  This may cause the connection to fail.
No1_Reggie
Asked:
newborn1281 Commented:
Are you able to deliver emails, or do you experience some kind of problem?
newborn1281 Commented:
Does your email server have a static or dynamic IP? Or, if you send from behind NAT, does the NAT router have a static or dynamic IP? Do you have a PTR record set up for your public address?
No1_Reggie (Author) Commented:
Sorry, should have added that - to answer your questions:
1). Yes, I am able to deliver messages, absolutely no problem at all. We are having no bouncebacks from anywhere I am aware of.
2). NAT router is a static IP address.
3). I have a PTR for the router - not too sure what you mean by PTR set up for our public IP address. Do you mean our public-facing internet address, i.e. the address listed in the error message as the possible forged hostname?
newborn1281 Commented:
What some email providers do is verify whether your email server's IP address has a PTR record set up. For example, if you, from your home or anywhere else outside of your network, type the commands
nslookup
set type=mx
google.com   you get 216.239.32.10
now if you do a lookup on 216.239.32.10
such as
nslookup 216.239.32.10

you should get something like
Name : ns1.google.com
Address 216.239.32.10

Which says that the PTR pointer is set.
newborn1281 Commented:
Do an nslookup on the IP address of the email server; it will be in the form hostname.domain.com.
Now, the host name does not coincide with the host name of your server; that's what that message might state. It should not be a big deal. Try telnetting to your email server on port 25; the first message is the response from your email server with the message 220 hostname.domain.com. That's where the warning arises, I believe.
For example, you telnet in to the mail server on port 25 and you get
220 mail.xxx.com

but your server's host name is mail25.xxx.com
so that's why you got the warning.
 
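The check newborn1281 describes in the two comments above (does the sending IP have a PTR record, and does that name match what the server announces on port 25) is usually run as a forward-confirmed reverse DNS lookup. The following is an added example, not code from the thread; `check_sender`, the verdict strings and the sample records are assumptions made for illustration, and the remote server's actual rule is not shown on the page.

```python
import socket

def _system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def _system_a(name):
    """IPv4 addresses for name from the system resolver (empty list if none)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def _norm(name):
    return name.rstrip(".").lower()

def check_sender(ip, greeting=None, ptr_lookup=_system_ptr, a_lookup=_system_a):
    """Forward-confirmed reverse DNS check for a sending server's public IPv4.

    greeting: optional host name the server announces (220 banner / HELO).
    Returns (verdict, confirmed_names, greeting_ok).
    """
    names = [_norm(n) for n in ptr_lookup(ip)]
    if not names:
        return ("no_ptr", [], None)
    # A PTR name only counts if it resolves forward to the same IP.
    confirmed = [n for n in names if ip in a_lookup(n)]
    verdict = "ok" if confirmed else "possibly_forged"
    greeting_ok = None if greeting is None else _norm(greeting) in confirmed
    return (verdict, confirmed, greeting_ok)

# Constructed sample records (documentation address ranges), so this runs offline.
SAMPLE_PTR = {"203.0.113.10": ["mail.example.com."],
              "203.0.113.20": ["host20.isp.example."]}
SAMPLE_A = {"mail.example.com": ["203.0.113.10"],
            "host20.isp.example": ["198.51.100.7"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_a(name):
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        print(ip, check_sender(ip, "MAIL.EXAMPLE.COM", sample_ptr, sample_a))
```

Called without the two lookup arguments, `check_sender` queries the system resolver, so it can be pointed at the public IP that outbound mail leaves from.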
No1_Reggie (Author) Commented:
Hi Newborn, I have tried telnetting into my mail server - the first message contains the correct name for my server - everything seems in order. I cannot send a mail using telnet because relaying is turned off; however, I telnet in - using, for argument's sake, mymailserver@mydomain.com for my mail server's address - so I do the following.

1). Open command prompt
2). Type the following: telnet mymailserver.mydomain.com 25
3). Receive response: 220 MYMAILSERVER.MYDOMAIN.COM Microsoft ESMTP MAIL Service,Version: 6.0.3790.1830 ready at  Thu, 31 Jan 2008 16:08:50 +0000

I presume this means my mail server is set up correctly.

Incidentally, I also logged in to my home PC and did the mxtype and nslookup from there, and again all the results I get are 100% correct regarding my mail server.

Should I take it to mean these messages are nothing important and just ignore them? I was worried when they started appearing that my network may have been compromised in some way.
newborn1281 Commented:
Hm, I assume you should be fine. Plus, error 451 states that that server has "Requested action aborted: local error in processing", so I would assume that server has a problem. I would do just a little more research and do nothing unless you start getting bounce emails.
newborn1281 Commented:
Or, if you are really worried, just write an email to their customer support; the company for that IP is http://www.iomarthosting.com/

Is your Exchange server directly sending emails or do you relay through email server providers?
No1_Reggie (Author) Commented:
Many thanks, newborn, you were bang on - I have done some research and found a mail from my user continuously trying to send to one of our customers. Doing an MX lookup on that customer - guess who their host is. . . . iomart. These customers are having mail issues. I have removed the mail in question and all is fine now. Many thanks for pointing me in the right direction and for your patience. Points well deserved.