Solved

Exchange Server Error 4.4.7

Posted on 2010-09-17
39
464 Views
Last Modified: 2012-05-10
Hello:  One of my clients starting getting these messages.  As an example: they send me an email one day and it works and the next start a new email to me and it spits out this message:

SBS 2003, and I have run the config wizard on it several times.

This seemed to start after their Qwest DSL modem died and it was replaced by another.  I made sure the server is DMZ'd.

"
From: System Administrator
>Sent: Thursday, September 09, 2010 4:38 PM
>To: XXXXXXX
>Subject: Undeliverable:Email Warning for all Pittock Employees
>
>Your message did not reach some or all of the intended recipients.
>
>      Subject:      Email Warning for all Pittock Employees
>      Sent:      9/9/2010 2:24 PM
>
>The following recipient(s) cannot be reached:
>
>      Josh Woods on 9/9/2010 4:38 PM
>            Could not deliver the message in the time limit specified.
>Please retry or contact your administrator.
>            <pittockmansion.org #4.4.7>
>
>      
Josh Woods
0
Comment
Question by:acmesupport
  • 19
  • 18
39 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Your problem may be related to the fact that the pittockmansion.org mail server is sending out it's name as pittockmansion.org and not mansion1.pittockmansion.org.  Here is an extract from a domain report on www.dnstuff.com:
WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

mansion1.pittockmansion.org claims to be host pittockmansion.org [but that host is at 216.251.43.98 (may be cached), not 63.229.140.153]
You can change this on the SMTP Virtual Server, Delivery Tab, Advanced Button.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Extract from http://support.microsoft.com/kb/284204
Numeric Code: 4.4.7

Possible Cause: The message in the queue has expired. The sending server tried to relay or deliver the message, but the action was not completed before the message expiration time occurred. This NDR may also indicate that a message header limit has been reached on a remote server or that some other protocol timeout occurred during communication with the remote server.
Troubleshooting: This code typically indicates an issue on the receiving server. Verify the validity of the recipient address, and verify that the receiving server is configured to receive messages correctly. You may have to reduce the number of recipients in the header of the message for the host that you are receiving this NDR from. If you resend the message, it is placed in the queue again. If the receiving server is on line, the message is delivered.
 
0
 

Author Comment

by:acmesupport
Comment Utility
That seems logical.  Under that setting it is "pittockmansion.org".  But when I run the stupid email config wizard it is set to mansion1.pittmansion.org but if I change that to pittockmansion.org the intranet goes down.

J
0
 

Author Comment

by:acmesupport
Comment Utility
What i meant was the "web cert" is set to mansion1.PMS.local.

0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Set it manually.  It should be mansion1.pittockmansion.org.  This macthes your MX record and Reverse DNS setting and it is essential that all 3 of these are matching.
The cert can say what it likes - it si not used for email transmission, although a certificate ending in .local wil mean you have other issues you need to address, such as Activesync not being able to work or RPC over HTTPs.
0
 

Author Comment

by:acmesupport
Comment Utility
Got it.  Made the change.  Ill update when I know more.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Please also resolve your issue with Backscatter - where you are sending out NDR messages to spammers:
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a63.229.140.153
Make sure you enable Recipient Filtering on your server too, otherwise you won't get off the blacklist:
http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
0
 

Author Comment

by:acmesupport
Comment Utility
Today there are more delayed messages.

XXXXXXXXX@usbakery.com on 9/20/2010 12:14 PM

            Could not deliver the message in the time limit specified.  Please retry or contact your administrator.

            <mansion1.pittockmansion.org #4.4.7>
0
 

Author Comment

by:acmesupport
Comment Utility
Recipient Filtering is on also.  What is the server doing to get on that black list?
0
 

Author Comment

by:acmesupport
Comment Utility
Backscatter reports:


This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does not mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
If you don't know what BACKSCATTER or Sender Callouts are, click the links above to get clue how to stop that kind of abuse.


To track down what happened investigate your smtplogs near 06.09.2010 19:34 CEST +/-1 minute.

You will either find that your system tried to send bounces or autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM and which got rejected at remote systems.

Read the rejection texts carefully and it shouldn't be a big deal to figure out what caused or renewed your listing.


History:
19.04.2009 02:34 CEST      listed      
18.09.2009 08:25 CEST      expired      
11.02.2010 02:56 CET      listed      
11.03.2010 03:25 CET      expired      
11.07.2010 18:11 CEST      listed      

A total of 12 Impacts were detected during this listing. Last was 06.09.2010 19:34 CEST +/- 1 minute.
Earliest date this IP can expire is 04.10.2010 19:34 CEST.


huh?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
The good news is that your last listing date / time was on the 6th September - 2 weeks ago.
If you have Recipient Filtering enabled, then you should come off the blacklist on the 4th October automatically.  Until this time, you may have problems sending out mail.
When did you enable Recipient Filtering on your server?
0
 

Author Comment

by:acmesupport
Comment Utility
It has always been enabled.  Why would we be listed?  I find no errors in the logs as it suggests to have me look.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Well - the usual reason for being listed is that a spammer is sending emails to your server claiming to come from an email address that they have made up.  When your server receives the message and can't deliver it because the address is not valid, your server rejects it and sends a Non Delivery Report back to the email address it came from, which was made up.  Some of the made up addresses are genuine addresses that are set as traps to catch spam (they have never been advertised) and when an email hits the trap - the IP Address gets flagged as a spammer.
Do you have any Anti-Spam software on your server?
0
 

Author Comment

by:acmesupport
Comment Utility
No Anti-Spam software.  We have never sent emails out from fake email addresses and such.  Would an Anti-Spam software have prevented this?  Why?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
I am not saying that you have sent out fake emails, only that your server received fake emails and that you didn't have Recipient Filtering enabled (or it was enabled and not working), and then your server sent out NDR messages to Spam Traps.
Anti-Spam software would most probably have helped you and I would recommend you install something on your server.
A very good and exceptionally priced piece of software (which I use personally) is Vamsoft ORF - www.vamsoft.com
You can trial it for 30-days to see how it works for you.  If you decide to trial it and need help setting it up - I am more than happy to help you.
0
 

Author Comment

by:acmesupport
Comment Utility
Thanks I will try that.  I am concerned that we will not be taken off that list as we have been on there since July.  What else is there to check?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
With Recipient Filtering enabled and something like Vamsoft ORF installed, you should not suffer the same problem.
Don't forget it has been 2 weeks since you were last listed.
If you like - drop me an email to alan @ it-eye.co.uk and I will see what Vamsoft ORF makes of your server / IP Address etc and this may highlight something else amiss.
0
 

Author Comment

by:acmesupport
Comment Utility
OK, I installed Vamsoft.  I'll see how it goes.
0
Want to promote your upcoming event?

Attending an event? Speaking at a conference? Or exhibiting at a tradeshow? Easily inform your contacts by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Don't forget - if you need any help with Vamsoft - feel free to ask.
It is eliminating 93% of mail happily for a customer I visited today and no complaints : )
0
 

Author Comment

by:acmesupport
Comment Utility
Will do!  How long should I wait to see if it resolves the delay issue?  The 2 weeks left on the blacklisting?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Ideally - yes.  If you want to drop me an email to the address above, I can see what my Vamsoft makes of your IP / Server / Environment configuration and see if there is abything obvious that I can see that is not already covered above.
0
 

Author Comment

by:acmesupport
Comment Utility
Just sent you an email.
0
 

Author Comment

by:acmesupport
Comment Utility
I received this response:


<alan@it-eye.co.uk>:
87.194.160.198 does not like recipient.
Remote host said: 550 5.2.1 Mailbox unavailable. Your IP address 67.18.21.3 is blacklisted using UCEPROTECT-1. Details: IP 67.18.21.3 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=67.18.21.3.
Giving up on 87.194.160.198.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Okay - you are listed on 3 blacklists:
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a67.18.21.3
SORBS report:
Address: 67.18.21.3 Record Created: Fri Feb 26 15:49:49 2010 GMT Record Updated: Fri Aug 27 11:09:36 2010 GMT Additional Information: [ Updated via: Report 'o Matic ] Received: from gateway05.websitewelcome.com (gateway05.websitewelcome.com [67.18.21.3]) by banshee.isux.com (Postfix) with SMTP id 7462B108A00 for <[email]>; Fri, 27 Aug 2010 11:12:04 +0000 (UTC) Currently active and flagged to be published in DNS If you wish to request a delisting please do so through the Support System. Eligible for self delisting as only one spam occurance is recorded
UCEPROTECT report:
IP-InformationYour IP 67.18.21.3 is part of
AS
21844 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
and the Networks 67.18.0.0/15

Reverse DNS (PTR) exists and claimes to be: gateway05.websitewelcome.com

Forward DNS for gateway05.websitewelcome.com is: 69.56.148.14

WARNING: Forward-DNS does NOT match Reverse-DNS.
DNS is INCONSISTENT.
Please request your Admin or Provider to fix this.

Reverse DNS Report:
Reverse DNS for 67.18.21.3Location: United States [City: Dallas, Texas]

Preparation:
The reverse DNS entry for an IP is found by reversing the IP, adding it to "in-addr.arpa", and looking up the PTR record.
So, the reverse DNS entry for 67.18.21.3 is found by looking up the PTR record for
3.21.18.67.in-addr.arpa.
All DNS requests start by asking the root servers, and they let us know what to do next.
See How Reverse DNS Lookups Work for more information.

How I am searching:
Asking e.root-servers.net for 3.21.18.67.in-addr.arpa PTR record:  
       e.root-servers.net says to go to y.arin.net. (zone: 67.in-addr.arpa.)
Asking y.arin.net. for 3.21.18.67.in-addr.arpa PTR record:  
       y.arin.net [192.42.93.32] says to go to NS1.THEPLANET.COM. (zone: 18.67.in-addr.arpa.)
Asking NS1.THEPLANET.COM. for 3.21.18.67.in-addr.arpa PTR record:  Reports gateway05.websitewelcome.com. [from 207.218.247.135]

Answer:
67.18.21.3 PTR record: gateway05.websitewelcome.com. [TTL 86400s] [A=67.18.21.3, 67.18.22.93, 67.18.39.14, 67.18.44.15, 67.18.52.6, 67.18.55.14, 67.18.59.3, 67.18.103.7, 67.18.124.3, 67.18.125.8, 67.18.144.2, 69.56.148.14, 69.56.195.29, 69.93.35.13, 69.93.154.37, 69.93.164.10, 69.93.179.12, 69.93.243.11, 64.5.38.5, 64.5.50.2, 64.5.52.8, 67.18.1.3, 67.18.10.9, 67.18.14.14, 67.18.15.4, 67.18.16.77]
Are you sending mail out via a Smart Host (3rd party)?
0
 

Author Comment

by:acmesupport
Comment Utility
Is this from the email I sent you?  I sent that from josh@acmesupport.com not the pittockmansion.org
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Yes - from the email you sent me - based on the last post you made.
Can you please try to send to me from your pittockmansion.org server - then I can see what the problem from your server might be.
Thanks
Alan
0
 

Author Comment

by:acmesupport
Comment Utility
Ok, ill send a message from myname@mydomain.org
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Thanks - looking out for it.
Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Don't see anything yet - please let me know when it is on the way.
Alan
0
 

Author Comment

by:acmesupport
Comment Utility
here is what happened.


From: Administrator
Sent: Thursday, September 23, 2010 3:50 PM
To: Bill Norris
Subject: Delivery Status Notification (Delay)

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.

       alan+AEA-it-eye.co.uk
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Weird!  I saw your email hit my anti-spam software and then nothing arrived in my inbox.
So - your server may be stopping the flow of email before the flow is complete.
What Service Pack is Exchange currently on and have you installed KB950757? :
http://support.microsoft.com/kb/950757/
0
 

Author Comment

by:acmesupport
Comment Utility
Version 6.5 (Build 7226.6 SP1)

So should I upgrade to SP2?
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
Comment Utility
Absolutely - I would definitely upgrade to SP2.
Once upgraded, please try to send me another test message and post here that you have sent one.
Thanks.
0
 

Author Comment

by:acmesupport
Comment Utility
Good I will. Can you tell me, do I use the normal exchange server sp2 upgrade or is there a special one?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Sorry - I missed the email notification.
Yes - just download and install the usual SP2 download from:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=535bef85-3096-45f8-aa43-60f1f58b3c40&displaylang=en
0
 

Author Comment

by:acmesupport
Comment Utility
Downloaded the SP2, installed and it it fixed!!!!  Thank you so much!!!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Excellent - great news.
Thanks for the points
Alan
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now