Microsoft blocking all emails sent to from my mail relay

Running Exchange 2010 SP1 RU6.  Received complaints from my users unable to send mail to their Hotmail accounts.  Verified that we were not listed in any RBLs.  Filled out the form on Microsoft's website and they indicated that there was abusive/suspicious behavior coming from my mail relay, that we were namespace mining.  They gave the example of:

Time of abuse:  2014-04-24 09:16:00 and 2014-04-25 09:18:00
Total RCPT To commands sent: 6579
Total email Sent: 214

I used Get-MessageTrackingLog to find all mail sent to @hotmail accounts during this period, but it does not tell me the RCPT TO attempts.

Is there any way to search the tracking logs for RCPT TO commands?  I'm trying to track down what could be causing this.
1 Solution
Darrell Porter (Enterprise Business Process Architect) commented:
First, you need to configure Exchange to send NDRs to a mailbox.
See which is also applicable to 2010.

Also, review the information contained within
which is also applicable to monitoring NDRs in 2010.

Configure your firewall so that only the Exchange server can send SMTP mail on port 25.  All other systems should be sending email through the Exchange server.  Log any attempts by other devices and have your logging system send you alerts immediately until this issue is resolved.

Allowing any machine on the inside to initiate traffic on port 25 going outbound is asking to get RBLd.

Configure your firewall so that traffic directed to port 25 only goes to the Exchange server.  Log any other attempts for later review.
Gareth Gudger commented:
You may wish to have your ISP create a PTR record that matches your IP back to your banner - for example

Also, you may wish to look into creating an SPF record that tells who is authorized to send mail as

Lastly, how are you sending mail?

Are you sending through a filtering service or appliance? For $2 per user/per month I normally recommend getting Microsoft's Exchange Online Protection to scan all inbound and outbound messages for viruses and spam. Keeps it all out of your network and does not consume your bandwidth.
gobears1294 (Author) commented:
The firewall is set up to only allow the Exchange server to communicate on port 25.  Our external DNS has a PTR record and an SPF record.  I had our IT Security folks check out the firewall logs and it does show 6000+ commands sent in a 4 hour period to Microsoft's servers.  I was able to look at the connectivity log and get the session IDs for all these connections (see below for a sample).  My issue is, I don't know how to correlate the session IDs with a user or application server IP so I can figure out who performed these commands.

#Fields: date-time      session      source      Destination      direction      description
2014-04-25T13:19:39.205Z      08D0EAB0C25C4885      SMTP      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:39.283Z      08D0EAB0C25C4885      SMTP      >[,,,,,,,,,,,,,,],[65.55.92....
2014-04-25T13:19:39.330Z      08D0EAB0C25C4885      SMTP      >      Established connection to
2014-04-25T13:19:39.767Z      08D0EAB0C25C4885      SMTP      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:39.767Z      08D0EAB0C25C4888      SMTP      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:39.830Z      08D0EAB0C25C4888      SMTP      >      Established connection to
2014-04-25T13:19:40.439Z      08D0EAB0C25C4888      SMTP      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:40.439Z      08D0EAB0C25C4889      SMTP      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:40.502Z      08D0EAB0C25C4889      SMTP      >      Established connection to
2014-04-25T13:19:41.158Z      08D0EAB0C25C4889      SMTP      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.158Z      08D0EAB0C25C488A      SMTP      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:41.189Z      08D0EAB0C25C488A      SMTP      >      Established connection to
2014-04-25T13:19:41.580Z      08D0EAB0C25C488A      SMTP      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.580Z      08D0EAB0C25C488B      SMTP      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:41.611Z      08D0EAB0C25C488B      SMTP      >      Established connection to
2014-04-25T13:19:41.986Z      08D0EAB0C25C488B      SMTP      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:41.986Z      08D0EAB0C25C488C      SMTP      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:42.017Z      08D0EAB0C25C488C      SMTP      >      Established connection to
2014-04-25T13:19:42.392Z      08D0EAB0C25C488C      SMTP      -      Messages: 0 Bytes: 0 (Attempting next target)
2014-04-25T13:19:42.392Z      08D0EAB0C25C488D      SMTP      +      DnsConnectorDelivery c5436855-7e4c-4a0d-a8c9-c8dd0c7b52e5;QueueLength=1
2014-04-25T13:19:42.439Z      08D0EAB0C25C488D      SMTP      >      Established connection to
2014-04-25T13:19:43.111Z      08D0EAB0C25C488D      SMTP      -      Messages: 0 Bytes: 0 (Attempting next target)
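The connectivity log posted above only records that a session was opened and how many messages it moved; it never shows the SMTP commands, and the message tracking log records messages and their recipient lists rather than the dialogue either. What does record every RCPT TO is the connector protocol log, which Exchange 2010 writes once you run Set-SendConnector or Set-ReceiveConnector with -ProtocolLoggingLevel Verbose. The following is an added example, not code from the original thread or from Microsoft: it parses the protocol log's CSV layout (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context) and counts MAIL FROM, RCPT TO, DATA and 5xx replies per session and per remote IP. Run it on the SmtpSend log to see what Microsoft counted, and on the SmtpReceive log to see which internal client (the remote-endpoint column) submitted those recipients. The sample log lines, the connector name "EX1\Relay", the 10.0.0.x addresses, the threshold of 5 and the $exinstall-based log path are all assumptions for the demonstration.

```powershell
# Added example, not from the original thread. Parses an Exchange 2010 SMTP
# protocol log (Send or Receive connector; same CSV layout) and counts SMTP
# commands per session and per remote IP. Assumes protocol logging is enabled:
#   Set-SendConnector    'Internet Send'   -ProtocolLoggingLevel Verbose
#   Set-ReceiveConnector 'EX1\Default EX1' -ProtocolLoggingLevel Verbose
# and that logs live under $exinstall\TransportRoles\Logs\ProtocolLog\SmtpSend
# or ...\SmtpReceive (default location; adjust to your install).

function Get-SmtpSessionStats {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,            # raw lines incl. the '#Fields:' header
        [ValidateSet('Send', 'Receive')][string]$LogType = 'Send',
        [int]$RcptThreshold = 20                                   # RCPT TO count that flags a session
    )
    # Send log: our commands are logged as '>' and the peer's replies as '<'.
    # Receive log: the client's commands are '<' and our replies are '>'.
    $cmdEvent = if ($LogType -eq 'Send') { '>' } else { '<' }
    $rspEvent = if ($LogType -eq 'Send') { '<' } else { '>' }

    $fields = $null
    $dataLines = foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Split(','); continue }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $line
    }
    if (-not $fields) { throw 'No #Fields header found; is this an Exchange protocol log?' }
    $rows = $dataLines | ConvertFrom-Csv -Header $fields

    $rows | Group-Object -Property 'session-id' | ForEach-Object {
        $s      = $_.Group
        $cmds   = @($s | Where-Object { $_.event -eq $cmdEvent })
        $rsps   = @($s | Where-Object { $_.event -eq $rspEvent })
        $remote = ($s | Where-Object { $_.'remote-endpoint' } | Select-Object -First 1).'remote-endpoint'
        # Strip the port; LastIndexOf keeps a bracketed IPv6 endpoint intact.
        $ip = $remote
        if ($remote -and $remote.LastIndexOf(':') -gt 0) { $ip = $remote.Substring(0, $remote.LastIndexOf(':')) }
        $rcpt     = @($cmds | Where-Object { $_.data -match '^RCPT TO:' }).Count
        $dataCmds = @($cmds | Where-Object { $_.data -match '^(DATA|BDAT)\b' }).Count
        [pscustomobject]@{
            SessionId   = $_.Name
            RemoteIp    = $ip
            Start       = $s[0].'date-time'
            MailFrom    = @($cmds | Where-Object { $_.data -match '^MAIL FROM:' }).Count
            RcptTo      = $rcpt
            Data        = $dataCmds
            Rejected5xx = @($rsps | Where-Object { $_.data -match '^5\d\d[ -]' }).Count
            # Many recipients offered but few messages transmitted: the mining pattern.
            Suspicious  = ($rcpt -ge $RcptThreshold) -and ($dataCmds * 10 -lt $rcpt)
        }
    } | Sort-Object RcptTo -Descending
}

function Get-SmtpTopTalkers {
    # Roll the per-session stats up by remote IP (on a Receive log: the submitting client).
    param([Parameter(Mandatory = $true)][object[]]$SessionStats)
    $SessionStats | Group-Object -Property RemoteIp | ForEach-Object {
        [pscustomobject]@{
            RemoteIp   = $_.Name
            Sessions   = $_.Count
            RcptTo     = ($_.Group | Measure-Object -Property RcptTo -Sum).Sum
            Data       = ($_.Group | Measure-Object -Property Data -Sum).Sum
            Suspicious = @($_.Group | Where-Object { $_.Suspicious }).Count
        }
    } | Sort-Object RcptTo -Descending
}

# Constructed sample of a Receive-connector log (not real data): app01 at 10.0.0.20
# submits one message; 10.0.0.77 offers six hotmail recipients and never sends DATA.
$sample = @(
    '#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context'
    '2014-04-25T13:10:00.001Z,EX1\Relay,08D0EAB0C25C0001,0,10.0.0.5:25,10.0.0.20:49152,+,,'
    '2014-04-25T13:10:00.002Z,EX1\Relay,08D0EAB0C25C0001,1,10.0.0.5:25,10.0.0.20:49152,<,MAIL FROM:<alerts@example.com>,'
    '2014-04-25T13:10:00.003Z,EX1\Relay,08D0EAB0C25C0001,2,10.0.0.5:25,10.0.0.20:49152,<,RCPT TO:<ops@example.com>,'
    '2014-04-25T13:10:00.004Z,EX1\Relay,08D0EAB0C25C0001,3,10.0.0.5:25,10.0.0.20:49152,>,250 2.1.5 Recipient OK,'
    '2014-04-25T13:10:00.005Z,EX1\Relay,08D0EAB0C25C0001,4,10.0.0.5:25,10.0.0.20:49152,<,DATA,'
    '2014-04-25T13:10:00.006Z,EX1\Relay,08D0EAB0C25C0001,5,10.0.0.5:25,10.0.0.20:49152,-,,Local'
    '2014-04-25T13:12:00.001Z,EX1\Relay,08D0EAB0C25C0002,0,10.0.0.5:25,10.0.0.77:50001,+,,'
    '2014-04-25T13:12:00.002Z,EX1\Relay,08D0EAB0C25C0002,1,10.0.0.5:25,10.0.0.77:50001,<,MAIL FROM:<bounce@example.com>,'
)
$sample += 1..6 | ForEach-Object {
    '2014-04-25T13:12:00.{0:D3}Z,EX1\Relay,08D0EAB0C25C0002,{1},10.0.0.5:25,10.0.0.77:50001,<,RCPT TO:<user{2}@hotmail.com>,' -f ($_ + 2), ($_ + 1), $_
}
$sample += '2014-04-25T13:12:00.099Z,EX1\Relay,08D0EAB0C25C0002,8,10.0.0.5:25,10.0.0.77:50001,<,QUIT,'

$stats = Get-SmtpSessionStats -Lines $sample -LogType Receive -RcptThreshold 5
$stats | Format-Table SessionId, RemoteIp, MailFrom, RcptTo, Data, Rejected5xx, Suspicious -AutoSize
Get-SmtpTopTalkers -SessionStats $stats | Format-Table -AutoSize
# Against real logs (Exchange Management Shell defines $exinstall):
# Get-SmtpSessionStats -Lines (Get-Content "$exinstall\TransportRoles\Logs\ProtocolLog\SmtpSend\*.log") -LogType Send
```

With the sample input, session 08D0EAB0C25C0002 from 10.0.0.77 comes out with RcptTo 6, Data 0 and Suspicious True, while the app server's session shows one recipient and one DATA. On a real Send log the Rejected5xx column is the quickest tell: a namespace-mining client produces long runs of RCPT TO answered with 550 and almost no DATA, which is exactly the 6579-to-214 ratio Microsoft reported.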
Darrell Porter (Enterprise Business Process Architect) commented:
Have you tried using ExLogAnalyzer, which can be found by going to the blog entry describing it -

or you can access its MSDN development page directly by going to

Are you still experiencing these high numbers of emails being sent to
If so, until the issue is resolved, I would add to the Exchange environment which will A) quickly reduce the number of hits Microsoft is seeing, and B) almost immediately tell you which machines these messages are coming from.

Needless to say, somewhere in your environment is a bit of malware crying havoc.
This may seem a little foolish, but did you try looking during non-office hours?

Running a simple netstat might reveal the culprit.

Alternatively, you can stop deliveries for a small period of time and manually look at the email; the emitter is in the headers.

You can also analyse the Receive connector's log rather than the Send connector's. The IP address of the remote machine is mentioned there.

Then either set up verbose logging so you also have the sender and recipient email addresses, or simply look for machines that send huge volumes of email. Anyway, the recipient is quite meaningless, as it is likely that you are spamming the world rather than just Hotmail.
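The "simple netstat" suggestion is worth scripting, because the infected host is whichever machine is holding outbound connections to TCP/25 that is not the Exchange transport process. The following is an added example, not code from the thread: it parses the text output of `netstat -ano` (which exists on Server 2008 R2, where Get-NetTCPConnection does not) and reports every process with a connection to a remote port 25, minus an allow-list. The allow-list default of EdgeTransport (Exchange 2010's transport process), the constructed netstat output and the PID-to-name map used for the offline run are assumptions; on a live host the function resolves names with Get-Process.

```powershell
# Added example, not from the original thread. Finds processes on a Windows host
# that hold connections to a remote TCP/25, parsed from `netstat -ano` text so it
# runs on Server 2008 R2 as well as newer releases.
# Assumption: on a host that is not the mail server, only the allow-listed process
# (EdgeTransport for Exchange 2010) should ever talk SMTP outbound.

function ConvertFrom-NetstatAno {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    foreach ($line in $Lines) {
        # Example row:  TCP    10.0.0.5:50001    198.51.100.10:25    ESTABLISHED    4712
        # The greedy \S+ before the last ':' also copes with bracketed IPv6 endpoints.
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                LocalAddress  = $Matches[1]
                LocalPort     = [int]$Matches[2]
                RemoteAddress = $Matches[3]
                RemotePort    = [int]$Matches[4]
                State         = $Matches[5]
                ProcessId     = [int]$Matches[6]
            }
        }
    }
}

function Find-UnexpectedSmtpClients {
    param(
        [Parameter(Mandatory = $true)][string[]]$NetstatOutput,
        [string[]]$AllowedProcesses = @('EdgeTransport'),
        [hashtable]$ProcessNames = $null   # PID -> name; when omitted, resolved via Get-Process
    )
    ConvertFrom-NetstatAno -Lines $NetstatOutput |
        # LISTENING rows are inbound; TIME_WAIT sockets (PID 0) no longer belong to a process.
        Where-Object { $_.RemotePort -eq 25 -and $_.State -ne 'LISTENING' -and $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId | ForEach-Object {
            $procId = [int]$_.Name          # $PID is a read-only automatic variable, so not that name
            $name = if ($ProcessNames) { $ProcessNames[$procId] } else { (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName }
            if (-not $name) { $name = '<unknown>' }
            [pscustomobject]@{
                ProcessId   = $procId
                ProcessName = $name
                Connections = $_.Count
                RemoteHosts = ($_.Group | ForEach-Object { $_.RemoteAddress } | Sort-Object -Unique) -join ','
                Allowed     = $AllowedProcesses -contains $name
            }
        } | Where-Object { -not $_.Allowed } | Sort-Object Connections -Descending
}

# Constructed `netstat -ano` output (not captured from a real host): EdgeTransport
# (PID 2144) delivering to two MXs, and PID 4712 with its own port-25 connections.
$sampleNetstat = @(
    'Active Connections'
    ''
    '  Proto  Local Address          Foreign Address        State           PID'
    '  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       2144'
    '  TCP    10.0.0.5:54321         203.0.113.25:25        ESTABLISHED     2144'
    '  TCP    10.0.0.5:54322         203.0.113.26:25        ESTABLISHED     2144'
    '  TCP    10.0.0.5:50001         198.51.100.10:25       ESTABLISHED     4712'
    '  TCP    10.0.0.5:50002         198.51.100.11:25       SYN_SENT        4712'
    '  TCP    10.0.0.5:50003         198.51.100.12:25       TIME_WAIT       0'
    '  TCP    10.0.0.5:3389          10.0.0.99:52000        ESTABLISHED     1234'
)
# Hypothetical PID-to-name map so the sample runs offline; on a real host omit -ProcessNames.
Find-UnexpectedSmtpClients -NetstatOutput $sampleNetstat -ProcessNames @{ 2144 = 'EdgeTransport'; 4712 = 'updater'; 1234 = 'svchost' } |
    Format-Table -AutoSize
# Live host:  Find-UnexpectedSmtpClients -NetstatOutput (netstat -ano)
```

With the sample output only PID 4712 is reported (two connections, to 198.51.100.10 and 198.51.100.11); EdgeTransport is filtered by the allow-list and the RDP session never matches port 25. Because a mass-mailer opens and closes sessions quickly, run the check repeatedly or in a loop over a few minutes rather than once, and run it on every internal host the firewall allowed to reach the relay, not only on the Exchange server.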
Simon Butler (Sembee), Consultant, commented:
The first thing you should do is update the server.

Exchange 2010 SP1 RU6 hasn't been supported for quite some time - Exchange 2010 SP2 isn't even a supported version. You need to go to Exchange 2010 SP3.

Once you have done so, change the Administrator password, as that is the usual target for attempts to use your machine. What do the queues look like?

Do you have just port 25 open to the server? Are the Receive Connectors on a default configuration?

gobears1294 (Author) commented:
We ended up rerouting mail to Hotmail through a different Send connector.  In addition, we'll be relaying all email through a third party SMTP relay (currently looking at SendGrid) so that we don't get blocked in the future.  Never figured out what happened, but it hasn't happened again so we'll see how it goes.  Told Microsoft and they delisted our primary IP address.  I'll start routing mail through it again next week.
It is obvious that you have/had a piece of malware in your network.

Unless you do find/found that malware, your actions will most likely prove inefficient, because you'll get in trouble with the third party at some point, and if not you'll just contribute to the number of spam emails sent to the WAN.

Be responsible and track the root of the problem if you have not yet done so.