[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


windows server 2003 sbs event id 7010

Posted on 2014-07-15
Medium Priority
Last Modified: 2014-10-24
in event viewer I get id 7010, if I empty event viewer application data it fills up to the 55,000 limit with the same error message within a minute, slows down server, Server was attacked from China several months ago, stopped the attack but it left something behind
Question by:DeanTerchunian
  • 5
  • 3
LVL 65

Expert Comment

ID: 40198361
Can look at this MS KB error to add the "SuppressExternal" value to the registry.

Additional symptoms that may accompany Event IDs 7004 and 7010

If the XEXCH50 command is not working correctly, as indicated by the 7004 events and by the 7010 events, you may see the following symptoms:...

The short summary is that the XEXCH50 verb, which is part of an Exchange-to-Exchange extension to SMTP, is sometimes tripped up by an intermediate firewall attempting to perform deep-inspection filtering on an SMTP connection. It gets confused and aborts mail delivery even though the Exchange servers would have been happy to talk to each other.
But even without firewall issues, Exchange logs an error in the Event viewer when the verb is used even though the mail goes through just fine. This is cluttersome.
Because this SMTP command word doesn't seem to be of any use in an SBS environment (it's rare for there to be two Exchange servers in an this kind of enterprise), turning this keyword off avoids the whole issue.

Note You will see Event IDs 7004 and 7010 only if you turn up diagnostic logging on the MSExchangeTransport event source to medium or higher.

The short summary is that the XEXCH50 verb, which is part of an Exchange-to-Exchange extension to SMTP, is sometimes tripped up by an intermediate firewall attempting to perform deep-inspection filtering on an SMTP connection. It gets confused and aborts mail delivery even though the Exchange servers would have been happy to talk to each other.

Hence it seems like "DoSing" your open SMTP server via "brute forcing" virtually .. but this can get worse when deep-inspection firewalls are involved: those that attempt to parse the SMTP conversation can be tripped up by the nonstandard XEXCH50 keyword. E.g. the firewall may decide to "fail closed" on a protocol violation rather than let unknown and possibly dangerous traffic through.

Furthermore, this only applies to direct Exchange-to-Exchange communications: sites that use third-party mailfiltering systems (such as Vlad's excellent Exchange Defender mail/spam filter service) won't have this direct connection, and are unlikely to ever see this issue arise.

for that "something" worth putting it to VirusTotal, ViRSCAN or Jotti for malice scan, maybe good to trace Source IP but it can be spoofed though. The FW and SMTP gateway should filter that IP for that instance if it is from single one..

Some reference

Author Comment

ID: 40231978
I read the above. This is the exact wording from the event id 7010 I do not get event id 7004

This is a SMTP protocol log for virtual server ID 1, Connection #95042. The client at "" sent a 'rcpt' command and the SMTP server responded with "550.5.7.1 Unable to relay for sally 5965319@yahoo.com.tw" The full command sent was "rcpt TO: <sally5965319@yahoo.com.tw>". This will probably cause the connection to fail.
LVL 65

Expert Comment

ID: 40232023
Based on the IP address that is already in some Blacklist - spambot type

Likely it has poor reputation may have been caused by one of the following reasons:

Your email server contains a virus and has been sending out spam.
Your email server may be misconfigured.
Your PC may be infected with a virus or botnet software program.
Someone in your organization may have a PC infected with a virus or botnet program.
You may be utilizing a dynamic IP address which was previously utilized by a known spammer.
Your marketing department may be sending out bulk emails that do not comply with the CAN-SPAM Act.
You may have an insecure wireless network which is allowing unknown users to use your network to send spam.

The email is legit account but that doesnt mean it is used for legit purpose - minimally this is not via some open relay http://mxtoolbox.com/SuperTool.aspx?action=mx%3asally5965319%40yahoo.com.tw&run=toolpage#

and the "550.5.7.1 Unable to relay " is normally due to some software in that host trying to email relay - of course we would not know what service is running from that 'spambot'
-  a transport rule that prohibited service accounts from sending external email
- receive connector required TLS security, which was unchecked

e.g. http://social.technet.microsoft.com/Forums/en-US/48e11291-9484-4cb3-a131-1764f6ec6bdc/mail-relay-throwing-error-550571-unable-to-relay-for-domain
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.


Author Comment

ID: 40240128
how do you find and get rid of spambot?
LVL 65

Expert Comment

ID: 40240282
the email server should have some sort of anti-spam mechanism to deter spambot coming in to relay spam emails and email exchange relay (where possible) should not be open type whereby without any access control list and even allow ill reputed relays

for end user machine, it is more of scavenging which is the infected one but then the 'something' left behind may have already spread to many or targeted part of the network in your work enterprise. the machine host intrusion protection (HIPS) should be scanning it for any anomalous symptoms - see a discussion on (maybe) similar encounter


for more "holistic" strategy, I encourage you check out this CBL article which also stated tools http://cbl.abuseat.org/advanced.html

Most infections "drop" their malicious programs in Windows "system" directories. For example, the interesting directories on Windows/XP are C:\windows\system and C:\windows\system32.

It's often possible to see these programs by navigating to the system directories, switching to the "detailed view" and then sorting by date. There is a good chance that the malicious software on your machine was created within the past 30 days. If you find programs in these directories that are that young, and aren't explainable by a new software install or patch:

Google for the file name. You may find a web page from a reputable A/V vendor telling you what it is, whether it really is an infection or a legitimate program, and how to remove it if it doesn't belong.
Run a series of A/V tools to try to remove them.
If none of the above fixes the problem, you may have to reinstall the machine.
With a sniffer, you can try looking for outbound connections to unusually high numbered ports (eg: >10,000). In small environments, you could get everyone to shut down their web browsers, and watch for port 80, 8080, and 443 (all web based) connections when they shouldn't be made. If you find web connections when the source of the connection doesn't have a browser or mail reader running, there's a good chance you've found the infected machine - the machines to first run a toolkit tool like tcpview on.

In a relatively small environment, you may get a "feeling" for the IP addresses the sniffer is showing you as the destination. Eg: if you're in North America, seeing connections to IP addreses beginning with 200, 201, 202, 203, 59, 88, 89 etc, will mean that the computer is making connections to Asia or Europe. Especially if the local computer is idle, why is it making connections there? Again, a job for tcpview.
This means that a BOT sending lots of spam will do lots of MX queries. If you find a end-user computer or some other computer that shouldn't be doing email at all doing MX queries (especially lots of them), you've found the infected computer[s].

If you have your own DNS server (eg: a DNS cache), you should be able to get the DNS server to give you basic statistics of who is issuing MX queries to them. If you don't have your own DNS server, you could look for unusual sources of DNS MX queries via a sniffer. It may be easier to sniff all DNS traffic going to your DNS server than your firewall.
LVL 65

Expert Comment

ID: 40240286
In summary of prev post key is also to stop the spam if ongoing or going to come again.
a- set your firewall to not allow outbound SMTP/POP except from the email server.
b- set your mail server to not allow outbound relay.

Then, you need to find the problem machine(s).
1- Look at the firewall logs to see which machine(s) are actually trying to do outbound mail and getting blocked. Those machines are infected.
2- Make sure each machine has current A/V, and do a thorough scan on each machine.
3- You may want to implement the Windows Firewall on each machine.
4- If still not found you will need to use a sniffer.

Author Comment

ID: 40352463
Which Sniffers do you recommend?
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 40353982
Actually, if you can telnet to your mail server on port 25 and succeed in sending an e-mail to a domain that does not belong to you. E.g.

telnet <your.mail.server.ip> 25
helo <mail.yourdomain.tld>
mail from: nobody@example.com
rcpt to: somebody@notyourdomain.com
250 OK  <<===== THIS should not happen on your server!!

Check if recipient filtering is turned on or off. If it's turned off and Exchange is configured to send NDR's, the server will probably accept mail sent to non existing users, causing the queue to fill up with NDR's. Turning recipient filtering on most likely prevents this. Mails sent to non existing users simply won't be accepted by Exchange.

tools for considerations:

Wireshark - http://www.experts-exchange.com/Networking/Protocols/Email/Q_23356456.html
(the display filter maybe something like: tcp.port eq 25 && src.ip != <your.mail.server.ip>)

Networkminer  - http://www.maketecheasier.com/capture-and-analyze-network-traffic/
(On the Hosts tab, you will see a list of hosts connected to the network. Can see detailed information like its MAC address, hostname, Operating System, TTL, Open ports, packets sent, received etc)
(tool - http://www.netresec.com/?page=NetworkMiner)

 Microsoft Network Monitor - http://www.exchangeinbox.com/article.aspx?i=128
(see example, conversation between the local server EXCHSRV and another machine MARS, with ProtocolName == "SMTP")
(tool - http://www.microsoft.com/en-us/download/details.aspx?id=4865)

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Suggested Courses

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question