Solved

Exchange 2007 - NDR sending to internal AND external for 1x user

Posted on 2014-04-10
9
745 Views
Last Modified: 2014-04-22
Hi All,

From just one user mailbox so far, whenever an email is sent to either internal or external recipients, I receive a NDR -
Undeliverable: Delivery has failed to these recipients or distro lists:
monitor1@domain.com.au
Generalting server: exch.domain.local
monitor1@domain.com.au
#550 5.1.1 RESOLVER.ADR.RecipNotFound; no found ##

HOWEVER -
1.  The emails are delivered successfully to both internal or external recipients
2.  The email monitor1@domain.local wasn't included as a recipient.  It doesn't exist, and from my historical records, has never been a mailbox in domain in the last 3 months.  This only started happening today.

There is no email forwarding on this mailbox.

The only thing I can think is it is related to the postmaster logging, but then you would think this would happen for other mailboxes.

Any ideas ?
0
Comment
Question by:moo_c_o_w
  • 3
  • 3
  • 2
9 Comments
 
LVL 35

Expert Comment

by:Bembi
Comment Utility
Just a thought....
As the address is monitoring.....
It looks like an application tries to send some monitoring emails?
At least you have a sender address.
As the mail reaches some targets, I would assume, that possibly the application tries to send it to several targets, but at least one fails, or there exist a distribution list, and some of the targets in the distibution list does not exist anymore.

You may have a look at the mail header of a mail, which is delivered, maybe you can isolate this way the sending server and the route, how it flows.
0
 
LVL 15

Expert Comment

by:jrhelgeson
Comment Utility
Enable message tracking to monitor the mail flows. This will help identify exactly where, when and how those NDR's are being created and sent.

Here is a link that covers the subject quite well and should at least get you started:
http://exchangeserverpro.com/exchange-2010-message-tracking/
0
 

Author Comment

by:moo_c_o_w
Comment Utility
thanks eenookami.

And thanks jrhelgeson.  I think your answer would have led me to discover the fix.

The issue was quite strange and would like some feed back.  As mentioned, there has been no monitor1@domain mailbox for at least a year.  I noticed an enabled transport rule for the problematic sending mailbox.  When I clicked on it, there was a warning about corruption.  When I edited the transport rule, there was no mailbox selected.

I'm a little concerned, because the monitor mailbox that the transport rule was forwarding outbound email was deleted over a year ago, however, the NDR notifications only started a few days ago ?

I will get the exact corruption warning I got when I am next in the office.

Has anyone else experienced this ?
0
 
LVL 35

Expert Comment

by:Bembi
Comment Utility
Have you cahnged something in the settings? Or applied an update?

That the rule produces an error is explainable as the rule stays even an used address or mailbox is deleted.

The question is, why you get an NDR now and not before.
There are settings in the global settings for the server to suppress NDRs send to the outside world, so possible that these settings were changed?
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:moo_c_o_w
Comment Utility
Hi Bembi,

Yeah I read that a roll up caused something similar... but not in this case.  No updates / patches.  Also, no changes to mailboxes either.

What you are saying appears correct Bembi.  The transport rule was still enabled, simply with no forwarding mailbox configured.

We just aren't sure why it appeared all of a sudden.

Can someone explain the best way to confirm when a mailbox was removed ?
0
 
LVL 15

Accepted Solution

by:
jrhelgeson earned 250 total points
Comment Utility
The solution is to install Exchange 2007 SP3 Update Rollup 3, according to Microsoft:

http://support.microsoft.com/kb/2448291
"Object <transport rule name> has been corrupted and it is in an inconsistent state" warning message when you view a transport rule on an Exchange Server 2007 SP3 server
0
 
LVL 35

Assisted Solution

by:Bembi
Bembi earned 250 total points
Comment Utility
At least from my imagination, if nothing at all changed, even none of the automatic updates,
(have also WSUS in mind) it sounds unusual, but most of the time there is an explanation.  I just woul dtake a look again on the mail headers, from the mail hat reaches the users and the NDR what comes back.

If a mail is sent to an unknown user, Exchange sends an NDR by default. The NDRs are usually in the senders mailbox. If nobody has got an NDR, either the NDR went to nowhereor was never produced due a bug.

But even if obviously nothing is changed, there is something going on in the database, have in mind that a mailbox is not directly deleted when you remove it what may influence the behaviour, if exchange one day really cleans it up. Just one of the possibilities, but I guess you can only really follwow up such behaviours, if you now, when the monitor1 mailbox was deleted, just to get some ideads of time scopes. This is just one example, if there in a kind of error in the functionality, it can even be, that just after a defined time, the functionality changed to to other internal processes.

At least I can imagine something in this direction.

Can you exclude that somebody changed some settings on the sending mailbox?
0
 

Author Comment

by:moo_c_o_w
Comment Utility
Thanks jrhelgeson.  Thanks Bembi.

jrhelgeson - we currently have sp3 roll up 11.  Thanks for link - it sound very similar.  My current roll up supersedes the suggested rollup.

Bembi - I know I should probably just call it a day, however, I am VERY sure that nothing changed.  The removal / disconnect policy is like 1 day, so the NDR's should have started as soon as the monitor1 mailbox was removed.  Of course, the reason I'd have liked an explanation is in case the behaviour indicates a bigger problem.

I will be splitting points to you both.  Just final comments.  And thanks again.
0

Featured Post

Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

Join & Write a Comment

Suggested Solutions

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now