Exchange mail delivery issues

Posted on 2009-05-01
Last Modified: 2013-11-30
Over the last few days I have been seeing problems sending to certain destinations (*) with emails stuck in the outbound queue. Telnet to the affected hosts connects, then drops the session for some reason; other domains I have tried are connecting fine and email to the majority of the Internet seems unaffected.

I have contacted and's mail folks and they aren't even seeing mail from me possibly pointing to a firewall issue.

Our mail server is hosted locally on a static IP business ADSL service (unfortunately no matching PTR) where it has sat happily for the last couple of years. It runs Exchange 2003 SP2 on 2k3 SBS with the latest patches and service packs.

Diagnostic logging shows event IDs 4006 and 7010, for which I have read the corresponding comments and KB articles but have had no luck with anything useful.

A check of all known RBLs turns up clean, and initially Senderbase and other reputation checks turned up clean, but earlier today (and a few times during the course of the day) our email volume has apparently jumped 300%, which has no doubt tripped Ironport sensors. In the last couple of hours we have appeared on as well, with the site claiming we had been infected by Cutwail (

I have checked all our AV installs and all of them have definitions that should cover that infection, but I have still downloaded and started a scan using Stinger of the most likely targets.

ISA is showing no port 25 traffic except from Exchange itself, and none of the IP addresses or ports Cutwail is known to use are appearing in my live queries in ISA. My Cisco 870 is showing no large jump in firewall hits (int or ext) and interface traffic from my VLAN for our customer AP is showing no traffic (this is only important insofar as this AP bypasses the ISA server). is fairly adamant their detection is pretty foolproof (as much as it can be) and the apparent jump in outbound mail has me paranoid about a possible compromised machine.

What have I missed? Has anyone had similar problems, either relating to the virus or to the mail situation (in particular Ironport)?

Note: I have also talked directly to Ironport about how their sensors work and whether it was purely an increase in email volume or detected spam + email volume; they have confirmed the latter and that our reputation as of earlier today was -2. Ironport by default is apparently configured to drop email from a host at -3. Unfortunately their sensors are just that and they have nothing more they can give me to narrow down the possible source of the problems.
Question by: SectorX4
    LVL 24

    Expert Comment

    Read this article in FULL.

    It has all necessary info for your issue.
    LVL 24

    Expert Comment

    1. Make sure your relay settings are set in such a way that only the Exchange server can send outside emails. That will take care of emails fired from a compromised machine.

    2. Increase logging on the SMTP service to find out if there is any affected machine doing an authenticated relay.

    3. Check the queues to see the destination domains that email is going to. Do they appear to be normal domains which your staff would mail?

    4. Check whether you have been blacklisted here

    5. You will need a PTR record for your MX record's IP address. Call your ISP for it; it shouldn't take long. Most of the major ISPs like AOL will reject emails if you don't have a valid PTR record.

    Everything is fully explained in the article posted above.
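Items 4 and 5 above are easy to automate. The following is an added example (not from the answer or from any vendor's tooling) that builds the reversed-octet name used for a DNS blocklist lookup, interprets the 127.0.0.0/8 answer that indicates a listing, and checks that the sending IP's PTR is forward-confirmed and sits under the organisation's own domain rather than the ISP's generic name. The resolver is injected as a callable so the logic runs offline against constructed answers; the function and record names are assumptions.

```python
"""Blocklist and forward-confirmed reverse DNS (FCrDNS) checks for a mail server IP.
The resolver is a callable so this runs offline; replace sample_resolver with a real
DNS lookup (e.g. dnspython) in production. Hypothetical helpers, constructed data."""
import ipaddress
from typing import Callable, List, Optional, Tuple

# A resolver maps (qname, rtype) -> list of answer strings, [] when NXDOMAIN.
Resolver = Callable[[str, str], List[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried as <reversed octets>.<zone>, e.g. 5.3.2.1.rbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listing(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.x.y.z answer (the list's return code) if listed, else None."""
    for answer in resolve(dnsbl_query_name(ip, zone), "A"):
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            return answer
    return None

def fcrdns(ip: str, resolve: Resolver,
           expect_domain: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """PTR must exist, resolve forward to the same IP and (optionally) end in our domain."""
    ptr_qname = ipaddress.IPv4Address(ip).reverse_pointer  # e.g. 4.3.2.1.in-addr.arpa
    ptrs = [name.rstrip(".") for name in resolve(ptr_qname, "PTR")]
    for host in ptrs:
        forward_ok = ip in resolve(host, "A")
        domain_ok = expect_domain is None or host.endswith("." + expect_domain)
        if forward_ok and domain_ok:
            return True, host
    return False, ptrs[0] if ptrs else None

# Constructed DNS answers (test data only): 1.2.3.4 has a proper PTR, 1.2.3.5 carries
# the ISP's generic PTR and is listed on a (fictional) blocklist zone.
SAMPLE = {
    ("4.3.2.1.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["1.2.3.4"],
    ("5.3.2.1.in-addr.arpa", "PTR"): ["static-1-2-3-5.isp.example."],
    ("static-1-2-3-5.isp.example", "A"): ["1.2.3.5"],
    ("5.3.2.1.rbl.example", "A"): ["127.0.0.2"],
}

def sample_resolver(qname: str, rtype: str) -> List[str]:
    return SAMPLE.get((qname, rtype), [])

if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.5"):
        print(ip, fcrdns(ip, sample_resolver, "example.com"),
              dnsbl_listing(ip, "rbl.example", sample_resolver))
```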
    LVL 2

    Author Comment


    I have already read the page (in full) and checked everything that was suggested.

    1. All methods of relaying are denied as per and the other tests specified in the first URL you posted.

    2. Logging is already at maximum for the SMTP protocol.

    3. Yes, they are domains we regularly ; I have had users complain directly to me about them.

    4. Seems we are listed on the following RBL:

    ivmSIP      Listed      LISTED      Return codes were:      240      391

    Going to the ivmSIP site and doing a removal there shows us as not being listed, though.

    5. I have asked previously, and since the IP space is owned by my ISP, who assign it their own PTR, they didn't want to change it.
    LVL 2

    Author Comment

    Overnight it looks like our Senderbase reputation has increased to Neutral (I have asked Senderbase for details on why it dropped in the first place) and telnet to the affected destinations is now working.

    I have also convinced my ISP to create a PTR record for our domain.
    LVL 24

    Expert Comment

    Only your ISP can create PTR records for your IP address. Some are absolute crap and won't accept this. But you need to be persistent, as no one else can do this.

    LVL 2

    Accepted Solution

    Just to summarize this now closed issue.

    I convinced my ISP to create a PTR record for our domain, which is in place and propagated; eventually our email volume according to Senderbase established.

    Eventually our reputation found its way back to good and the problems with the involved MXs have all but disappeared.

    Since then I have configured Exchange to CC all bounces to myself for early warning on this sort of problem as opposed to looking through reams of Event Viewer logs.

    The technician I had been talking to via email regarding this changed his mind regarding Iron Port's sensor network indicating that organizations can actually flag traffic as opposed to the fully automated volume metrics that I was previously told were probably the cause for the blocking on Iron Port devices.

    At this point I'm still not sure what caused these problems, and with the information I have it's possible our mail server/traffic was manually blocked, with the result being propagated to other Iron Port devices somehow. This is far from an accurate resolution, but that's all I've got.

    Moral of the story is to keep a close watch on your MX rep and unusual changes in volume/content/bounces.
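As an added illustration of the closing advice (not code from the original thread or from Exchange), the script below takes a simplified outbound SMTP log, counts sends and bounces per hour, and flags any hour whose volume reaches a multiple of the median of the hours before it, the kind of jump described earlier in the question. The log format, the `OUT`/`BOUNCED` markers and the sample lines are constructed; adapt the parser to your server's actual SMTP log.

```python
"""Hourly outbound-volume and bounce monitor over a constructed SMTP log.
Format per line (assumed, not Exchange's own): date time direction sender recipient result."""
from collections import Counter
from statistics import median
from typing import Iterable, Iterator, List, Tuple

# Constructed sample: one message an hour, then a burst with bounces at 11:00.
SAMPLE_LOG = """\
2009-04-30 08:05:12 OUT alice@example.com bob@partner.example DELIVERED
2009-04-30 09:10:44 OUT carol@example.com erin@partner.example DELIVERED
2009-04-30 10:02:31 OUT alice@example.com grace@partner.example DELIVERED
2009-04-30 11:00:01 OUT alice@example.com r1@unknown.example DELIVERED
2009-04-30 11:00:02 OUT alice@example.com r2@unknown.example BOUNCED
2009-04-30 11:00:03 OUT alice@example.com r3@unknown.example DELIVERED
2009-04-30 11:00:04 OUT alice@example.com r4@unknown.example BOUNCED
2009-04-30 11:00:05 OUT alice@example.com r5@unknown.example DELIVERED
"""

def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (hour key, result) for well-formed outbound entries; skip the rest."""
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[2] != "OUT":
            continue
        date, time, _direction, _sender, _recipient, result = parts
        yield f"{date} {time[:2]}", result

def hourly_stats(log_text: str) -> Tuple[Counter, Counter]:
    """Count messages sent and messages bounced, keyed by 'YYYY-MM-DD HH'."""
    sent, bounced = Counter(), Counter()
    for hour, result in parse(log_text.splitlines()):
        sent[hour] += 1
        if result == "BOUNCED":
            bounced[hour] += 1
    return sent, bounced

def spikes(log_text: str, factor: float = 3.0, min_history: int = 2) -> List[Tuple[str, int, int]]:
    """Flag hours whose send count is >= factor x the median of all earlier hours.
    Returns (hour, sent, bounced) tuples; needs min_history hours before it can flag."""
    sent, bounced = hourly_stats(log_text)
    flagged, history = [], []
    for hour in sorted(sent):
        if len(history) >= min_history and sent[hour] >= factor * median(history):
            flagged.append((hour, sent[hour], bounced[hour]))
        history.append(sent[hour])
    return flagged

if __name__ == "__main__":
    for hour, n_sent, n_bounced in spikes(SAMPLE_LOG):
        print(f"ALERT {hour}: {n_sent} sent, {n_bounced} bounced")
```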
