Email Arriving Repeatedly

sstoyer
sstoyer used Ask the Experts™
on
Good afternoon!  I've run into an interesting issue where one of our users is recieving an email repeatedly.  From looking at the message tracking the email was originally delivered to them yesterday at 12:10 am and has shown up again rougly once every 20 minutes since 1:13 am.  The message tracking log for the message is looping the following entry each time:

SMTP: message submitted to Advanced Queueing
SMTP: started message submission to advanced queue
SMTP: message submitted to categorizer
SMTP:message catogerized and queued for routing
SMTP: message queued for local delevery
SMTP:message delivred localy to (email address)
SMTP:Store Driver: message delivered locally to store to (email address)

After looking around on here it seems like it could be either a rule or AV related.  I've checked the rule angle and don't see anything that could be causing this.  As for AV, we're running Virusscan Enterprise + Antispyware Enterprise 8.7.0i on the server.  I've made some minor tweaks to it for exchange but worry that I'm missing something since we're having this issue.  Any ideas?

Also, this is for Exchange 2003.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
George SasIT Engineer

Commented:
Log on as the user.
To be sure he has no rules set just run the outlook with the parameters : /cleanclientrules and /cleanserverrules  (!!!!! This will clean all his rules !!! )

You might also check if another user has access to his mailbox and has set up some kind of rule or some delegate in his outlook.

Author

Commented:
Ok, delivered instructions for the user to run those commands (they're out of the office atm, makes this kinda thing even more interesting to troubleshoot).  Will update the thread once we see where that gets us.

Author

Commented:
Looks like the outlook commands didn't take, message is still showing up.  I have come up with some additional errors that may help though.  Looks like whenever the message is sent to the user I'm getting these two errors on the exchange server:

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7519
Date:            7/20/2009
Time:            11:23:06 PM
User:            N/A
Computer:      Server
Description:
The originating IP address of message with ID <****> could not be determined based on its Received headers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7515
Date:            7/20/2009
Time:            11:28:13 PM
User:            N/A
Computer:      TPIMASTER
Description:
An error occurred while Microsoft Exchange Intelligent Message Filter attempted to filter a message with ID  <****>, P1 From smtp:sender@company.com and Subject  <Message Subject>. This message will not be filtered. The error code is 0x800710f0.

For more information, click http://www.microsoft.com/contentredirect.asp.

All the info is pointing at the message in question so looks like the filtering is kicking it back for some reason.  any way around this?

Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

George SasIT Engineer

Commented:
Hmmm , interesting.
Is this the only message that gets re-delivered over and over ?
You could just freeze the queue , find the message and delete it and then it will be gone but would be interesting to see why is doing this.

Might be generated by a web server or some code in an application and then your filtering is trying to bounce it ?

Author

Commented:
This is the only one that's coming back up.  At this point I'd be happy to just get rid of the message.  How would I go about freezing the queue and so forth?
George SasIT Engineer

Commented:
Open your Exchange System Manager , go to the server and check the queue.
Check the one for your local domain , right click it and froze it.
then double click it and find the bugged message , right click on it and say delete without NDR.
then unfreeze the queue again.

Author

Commented:
Doesn't look like it's there.  All the ones associated with the local domain are listed at 0 messages.  It went out again about 10 minutes ago so had to have happened while I was in there looking.

Just to make sure I'm doing this right, went into system manager then went to Domain>Administrative Groups>First Administrative Group>MyServer>Queues

George SasIT Engineer

Commented:
Yes , you are right.
Look there for the queue for your local domain or "Messages Queued for Deffered Delivery" or "Messages Waiting to be Routed" or one of the other local queues.

Author

Commented:
Ok I've found those queues but there aren't any messages listed in there.  Will I need to freeze the queue and wait for it to show up?
George SasIT Engineer

Commented:
If you freeze the queue it will not come up ... might be stuck somewhere else.
Alternatively you could look under your Exchange folder on the disk drive , after the "Mailroot\vsi1 \Queue"
You can find all the queued messages there. You can use outlook express to open them and find the problematic one. (remember to stop the SMTP service before you go and look trough them)

Author

Commented:
Checked under there and still no luck.  
IT Engineer
Commented:

Author

Commented:
The message is over 3mb so that would explain why the imf error is coming up, although not sure if that would result in it being re-transmitted like it is.  Just heard that we've got another message from the same sender that's doing the same thing.  Common factor here is that it also has pdf attachments that are over 3mb in size.  

I checked the filtering addresses and everything looks legit, got all our smtp addresses listed.  Last thing I've done is configure all the AV exclusions in McAfee in case that's burning us down.  Looks like the last message the went out happened before I made those changes, so have to see what effect that had on things.

Author

Commented:
I've disabled intelligent message filtering on our smtp traffic in lea of the errors we're getting to see if that is in some way responsible for what's going on.  Will have to wait a few hours and see what happens.
George SasIT Engineer

Commented:
K , let's wait then :)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial