Exchange mail delivery issues

Posted on 2009-05-01
Medium Priority
Last Modified: 2013-11-30
Over the last few days I have been seeing problems sending to certain destinations (iprimus.com.au, carsales.com.au, *.sa.gov.au, clear.net.nz), with emails stuck in the outbound queue. Telnet to the affected hosts connects, then drops the session for some reason; other domains I have tried are connecting fine and email to the majority of the Internet seems unaffected.

I have contacted carsales.com.au's and clear.net.nz's mail folks and they aren't even seeing mail from me, possibly pointing to a firewall issue.

Our mail server is hosted locally on a static-IP business ADSL service (unfortunately no matching PTR), where it has sat happily for the last couple of years. It runs Exchange 2003 SP2 on 2k3 SBS with the latest patches and service packs.

Diagnostic logging shows event IDs 4006 and 7010; I have read their corresponding eventid.net comments and KB articles but have had no luck with anything useful.

A check of all known RBLs turns up clean, and initially Senderbase and other reputation checks turned up clean too, but earlier today (and a few times during the course of the day) our email volume has apparently jumped 300%, which has no doubt tripped Ironport sensors. In the last couple of hours we have appeared on cbl.abuseat.org as well, with the site claiming we had been infected by Cutwail (http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=144691).

I have checked all our AV installs and all of them have definitions that should cover that infection, but I have still downloaded Stinger and started a scan of the most likely targets.

ISA is showing no port 25 traffic except from Exchange itself, and none of the IP addresses or ports Cutwail is known to use are appearing in my live queries in ISA. My Cisco 870 is showing no large jump in firewall hits (int or ext), and interface traffic from my VLAN for our customer AP is showing no traffic (this is only important insofar as this AP bypasses the ISA server).

cbl.abuseat.org is fairly adamant their detection is pretty foolproof (as much as it can be), and the apparent jump in outbound mail has me paranoid about a possible compromised machine.

What have I missed? Has anyone had similar problems relating either to the virus or to the mail situation (in particular Ironport)?

Note: I have also talked directly to Ironport about how their sensors work and whether it was purely an increase in email volume or detected spam plus email volume, and they have confirmed the latter and that our reputation as of earlier today was -2. Ironport by default is apparently configured to drop email from a host at -3. Unfortunately their sensors are just that, and they have nothing more they can give me to narrow down the possible source of the problems.
Question by:SectorX4

Expert Comment

by:Rajith Enchiparambil
ID: 24277500
Read this article in FULL.

It has all necessary info for your issue. http://www.amset.info/exchange/spam-cleanup.asp

Expert Comment

by:Rajith Enchiparambil
ID: 24277506
1. Make sure your relay settings are set in such a way that only the Exchange server can send outside emails. That will take off emails fired from a compromised machine.

2. Increase logging on the SMTP service to find out if there is any affected machine doing an authenticated relay.

3. Check the queues to see the destination domains that email is going to. Do they appear to be normal domains which your staff will mail?

4. Check whether you have been blacklisted here: http://www.mxtoolbox.com/blacklists.aspx

5. You will need a PTR record for your MX record's IP address. Call your ISP for it and it shouldn't take long. Most of the major ISPs like AOL will reject emails if you don't have a valid PTR record.

Everything is fully explained in the article posted above.
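As an added example (not from anyone in this thread), the triage that steps 2 and 3 describe, run over constructed Exchange 2003 SMTP virtual-server protocol log lines in the IIS W3C extended format: which internal client IPs and AUTH accounts are relaying through the server, how many recipients they push, and to which destination domains. The host addresses, the `jsmith` account, the `SBS01` server name and the recipient threshold are all assumptions.

```python
"""Triage an Exchange 2003 SMTP virtual-server protocol log for internal hosts
relaying through the server.  Added example; the log lines are constructed."""
from collections import defaultdict

# Constructed sample in IIS W3C extended format.  cs-method carries the SMTP
# verb and cs-uri-query its argument; cs-username is the AUTH account, if any.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2009-05-01 09:00:01 10.0.0.5 - SMTPSVC1 SBS01 10.0.0.2 25 EHLO - +sbs01.example.local 250
2009-05-01 09:00:02 10.0.0.5 - SMTPSVC1 SBS01 10.0.0.2 25 MAIL - +FROM:<alice@example.com> 250
2009-05-01 09:00:02 10.0.0.5 - SMTPSVC1 SBS01 10.0.0.2 25 RCPT - +TO:<bob@carsales.com.au> 250
2009-05-01 09:00:05 10.0.0.77 jsmith SMTPSVC1 SBS01 10.0.0.2 25 MAIL - +FROM:<zz91@example.com> 250
2009-05-01 09:00:05 10.0.0.77 jsmith SMTPSVC1 SBS01 10.0.0.2 25 RCPT - +TO:<a1@iprimus.com.au> 250
2009-05-01 09:00:05 10.0.0.77 jsmith SMTPSVC1 SBS01 10.0.0.2 25 RCPT - +TO:<b2@clear.net.nz> 250
2009-05-01 09:00:06 10.0.0.77 jsmith SMTPSVC1 SBS01 10.0.0.2 25 RCPT - +TO:<c3@sa.gov.au> 250
2009-05-01 09:00:06 10.0.0.77 jsmith SMTPSVC1 SBS01 10.0.0.2 25 RCPT - +TO:<d4@example.org> 550
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def rcpt_domain(query):
    """Destination domain from a RCPT argument such as '+TO:<user@domain>'."""
    addr = query.split(":", 1)[-1].strip("<>")
    return addr.rsplit("@", 1)[-1].lower()

def relay_report(records, allowed_relay_hosts, rcpt_threshold=3):
    """Per client IP: RCPT attempts (accepted or rejected), distinct destination
    domains and AUTH accounts.  Hosts not on the allow-list that reach the threshold are flagged."""
    stats = defaultdict(lambda: {"rcpt": 0, "domains": set(), "users": set()})
    for rec in records:
        entry = stats[rec["c-ip"]]
        if rec["cs-method"] == "RCPT":
            entry["rcpt"] += 1
            entry["domains"].add(rcpt_domain(rec["cs-uri-query"]))
        if rec["cs-username"] != "-":
            entry["users"].add(rec["cs-username"])
    flagged = {ip: e for ip, e in stats.items()
               if ip not in allowed_relay_hosts and e["rcpt"] >= rcpt_threshold}
    return dict(stats), flagged
```

A bot that speaks SMTP straight to port 25 never touches this log, which is why the question also checks ISA and the Cisco firewall for port 25 traffic not originating from Exchange.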

Author Comment

ID: 24291787

I have already read the page (in full) and checked everything that was suggested.

1. All methods of relaying are denied as per http://www.abuse.net/relay.html and other tests specified on the first URL you posted.

2. Logging is already at maximum for SMTP Protocol.

3. Yes, they are domains we regularly email, as I have had users complain directly to me about them.

4. Seems we are listed on the following RBL:

ivmSIP      Listed      LISTED      Return codes were:      240      391

Going to the ivmSIP site and doing a removal there shows us as not being listed though.

5. I have asked previously, and since the IP space is owned by my ISP who assign it their own PTR they didn't want to change it.
Author Comment

ID: 24300536
Overnight it looks like our Senderbase reputation has increased to Neutral (I have asked Senderbase for details on why it dropped in the first place) and telnet to the affected destinations is now working.

I have also convinced my ISP to create a PTR record for our domain.

Expert Comment

by:Rajith Enchiparambil
ID: 24303067
Only your ISP can create PTR records for your IP address. Some are absolute crap and won't accept this. But, you need to be persistent as no one else can do this.


Accepted Solution

ID: 24588650
Just to summarize this now closed issue.

I convinced my ISP to create a PTR record for our domain, which is in place and propagated, and eventually our email volume according to Senderbase established.

Eventually our reputation found its way back to good and the problems with the involved MXs have all but disappeared.

Since then I have configured Exchange to CC all bounces to myself for early warning on this sort of problem as opposed to looking through reams of Event Viewer logs.

The technician I had been talking to via email regarding this changed his mind regarding Ironport's sensor network, indicating that organizations can actually flag traffic, as opposed to the fully automated volume metrics that I was previously told were probably the cause for the blocking on Ironport devices.

At this point I'm still not sure what caused these problems, and with the information I have it's possible our mail server/traffic was manually blocked with the result being propagated to other Ironport devices somehow. This is far from an accurate resolution but that's all I got.

Moral of the story is to keep a close watch on your MX rep and unusual changes in volume/content/bounces.
