smalleysmalley


Exchange 2003 Error Code NDR 3018

All of a sudden all of our outbound emails are getting stuck in the smtp queues.  All the different queues (hotmail, aol, gmail, etc) are loaded with emails being sent to the same fake person outside of our company.  I've gone through and deleted thousands of the emails but I'm not making any progress.  Here is an example of one of the errors:


Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3018
Date:            7/3/2012
Time:            12:57:29 AM
User:            N/A
Computer:      MALLEYS00
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;c.lungren@sbcglobal.nbet (Message-ID <MALLEYS00J7BzKkc1F900003aa8@mail.malleys.com>).  
Causes: This message indicates a DNS problem or an IP address configuration problem  
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
For more information, click http://www.microsoft.com/contentredirect.asp.
Data:
0000: ef 02 04 c0               ï..À    

I did nslookup on our Exchange server and it appears to be OK:  malleys00.chocolate.local and the server is 10.0.0.15

I just did a test and sent an email in from my gmail account and that is now stuck.

We were having problems that all the space on our server's C: disappeared and Exchange stopped working.  I've gone in and moved about a gig of space, then mounted the "store" and that seemed to clear up.  Now I'm wondering if maybe some type of spam issue is what closed us down.  Our IT guy was let go on Friday afternoon so I can't get details regarding the space issue.

How many queues (and how big) are normal?  Right now I have a yahoo queue with 11,780, an aol queue 9,500,  and a hotmail 9,000 (among others).
smalleysmalley

ASKER

Ok, since I last posted all of my queues have just about doubled.  I did the nslookup thing and the MX records did show up.  I enabled SMTP logging last night and it totally filled up my applications field in the event viewer.  The MSExchangeSA event 5007.  Email is not working at all and it says I do not have any space left on the d: drive.

Event Type:      Error
Event Source:      MSExchangeSA
Event Category:      General
Event ID:      5007
Date:            7/3/2012
Time:            8:34:20 AM
User:            N/A
Computer:      MALLEYS00
Description:
An error occurred during the message tracking decode operation. error from file: f:\tisp2\admin\src\libs\rpc\rwlog.cxx line: 833. <<0xc0070070 - There is not enough space on the disk.>>

For more information, click http://www.microsoft.com/contentredirect.asp.
smalleysmalley

ASKER

The sender of all the emails in all of the queues is the same:  paulettebeal@yahoo.com

I do not know who this is...so it sounds like what you explained above (someone is trying to use our server to send junkmail).  

What can I do now?
strivoli

Run an SMTP Test using www.mxtoolbox.com to discover if your server is an open relay.
smalleysmalley

ASKER

It won't let me install it on the server.
strivoli

www.mxtoolbox.com is a web service. There's nothing to install. You can run the SMTP Test from the site from any PC (no need to use the server). Let me know.
smalleysmalley

ASKER

I've been so busy the last few days with work that I didn't get a chance to close this question.  This is pretty much what I did and it is fixed:

http://ali.vg/2011/02/check-whether-you-are-under-an-ndr-attack-and-fix-in-exchange2003/

Afterward, I did have some legitimate email stuck in the queue...that was because we were blacklisted.  I sent a request (directions on their websites) to get off the lists and as of now I am off the ones I sent the note to.  I just double-checked and there is a new one stuck from a different domain, so this may happen a few times...but it is definitely fixed.

Thank you for your help!
smalleysmalley

ASKER

I've been having this problem over and over and each time it is with some new address.  I believe it is the NDR attack, but why would it keep happening?  I put each address in my "block" list but I never know about it until there is already a problem.  Is there a better way to fix this?  I did run the mxtoolbox tool and it said we are not an open relay.  THANKS
Steve

Blocking the individual address won't help as each attack usually uses a random address.
You need to identify the source and block it if possible.

Did you use SMTP logging to identify the root cause? SMTP logging logs all communication between systems and would let you search for one of the messages you know are an issue. You can work out from that how someone is doing this.

If you are sure you have relaying off I would guess the junkmail is pretending to come from your own addresses. Best way to stop that is to set up an SPF record so your own server can identify messages from your internal system and external systems trying to pretend to be you.
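
The SMTP-log review suggested in the comment above, as an added example that is not part of the original thread: it summarizes a W3C-format SMTP log per connecting client so the source of a message flood can be identified and blocked. The log lines are constructed, and the column set (`c-ip`, `cs-username`, `cs-method`, `cs-uri-query`) and the `OutboundConnection` marker for the server's own deliveries are assumptions about how the server's logging is configured.

```python
from collections import defaultdict

# Constructed sample in W3C extended format (documentation IP ranges and domains).
# Column order varies per server, so it is read from the "#Fields:" line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2012-07-03 08:30:01 203.0.113.50 mx.example.net MAIL +FROM:<a1@example.org> 250
2012-07-03 08:30:01 203.0.113.50 mx.example.net RCPT +TO:<nobody1@example.com> 250
2012-07-03 08:30:02 203.0.113.50 mx.example.net MAIL +FROM:<a2@example.org> 250
2012-07-03 08:30:02 203.0.113.50 mx.example.net RCPT +TO:<nobody2@example.com> 250
2012-07-03 08:30:03 203.0.113.50 mx.example.net MAIL +FROM:<a3@example.org> 250
2012-07-03 08:30:03 203.0.113.50 mx.example.net RCPT +TO:<nobody3@example.com> 250
2012-07-03 08:31:10 198.51.100.7 mail.example.org MAIL +FROM:<bob@example.org> 250
2012-07-03 08:31:10 198.51.100.7 mail.example.org RCPT +TO:<alice@example.com> 250
2012-07-03 08:31:15 192.0.2.25 OutboundConnectionCommand MAIL FROM:<> 0
"""

def summarize(log_text):
    """Return {client_ip: {"mail": n, "rcpt": n, "auth": n, "senders": set}}."""
    fields = []
    stats = defaultdict(lambda: {"mail": 0, "rcpt": 0, "auth": 0, "senders": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Skip the server's own outbound deliveries; only inbound clients matter.
        if row.get("cs-username", "").startswith("OutboundConnection"):
            continue
        verb, arg = row.get("cs-method", "").upper(), row.get("cs-uri-query", "")
        entry = stats[row.get("c-ip", "?")]
        if verb == "MAIL":
            entry["mail"] += 1
            # Keep only the address between < and >, ignoring ESMTP parameters.
            entry["senders"].add(arg.partition("<")[2].partition(">")[0].lower())
        elif verb == "RCPT":
            entry["rcpt"] += 1
        elif verb == "AUTH":
            entry["auth"] += 1
    return dict(stats)

def suspects(stats, min_messages=3):
    """Clients submitting many messages, busiest first, with how they got in."""
    rows = [(ip, s["mail"], len(s["senders"]), "authenticated" if s["auth"] else "anonymous")
            for ip, s in stats.items() if s["mail"] >= min_messages]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, msgs, senders, how in suspects(summarize(SAMPLE_LOG)):
        print(f"{ip}: {msgs} messages, {senders} distinct senders, {how}")
```

A busy client marked "anonymous" points at mail being accepted for recipients that do not exist and bounced back out as NDRs; one marked "authenticated" points at a compromised account, which an open-relay test does not detect.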