Exchange 2010 Hub Transport

Is there any reason my Hub Transport server queues get full of emails that I'm not sending? Eventually the emails are dropped, but I can have over 100 of these in a few days, and if I remove them, within a few days more will return. The error message says "451 4.4.0 Primary target IP address responded with: 421 4.2.1 unable to connect. Attempted failover to alternate host, but did not succeed. Either there is no alternate host or delivery failed to alternate host." See attached pic.
I have used telnet to verify that I have no open relays, and I also used mxtoolbox to confirm I have no open relays. I believe this is just spam, but I'm just trying to understand why it seems like it's being sent from my server. This is one of the undelivered message's properties:

Identity: MAIL\28211\46895
Subject: Undeliverable: Tasty drink shreds extra fat
Internet Message ID: <0d77219b-56f6-4aeb-b182-cb6272d259cd@mydomainname.com>
From Address: <>
Status: Ready
Size (KB): 16
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 12/30/2015 1:21:50 PM
Expiration Time: 1/1/2016 1:21:50 PM
Last Error: 400 4.4.7 Message delayed
Queue ID: MAIL\28211
Recipients:  info@newsusapatriot3s.com;2;2;400 4.4.7 Message delayed;0;CN=Outbound Public Connector,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=alias,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomainname,DC=com

I believe this mail is being caught and rejected by my Hub Transport anti-spam. I have enabled Exchange's HT anti-spam features. Any advice would be appreciated.
Capture.PNG (attached screenshot)
timgreen7077 (Exchange Engineer) asked:
Naushad shaikh (IT Consultant - Messaging Support) commented:
If you are not sending, then you have to look for a spam issue: your server is being used to send spam email to internet destination email servers. There is a possibility that some user accounts are hacked, or that some virus-infected system in the network is generating spam email by using a local email client to send email.

SMTP error 400 4.4.7 can mean the destination email server has some problem, and can also mean that when the recipient server tries a reverse DNS lookup for your domain it fails, or the IP of the sending email server does not match the MX record, hence the remote recipient server is not accepting email.

In your case, as you have an internal spam attack, the affected user mailbox or system is sending spam email to so many fake, non-existent email addresses, hence the emails are getting into the retry queue for delivery.

Please try to locate the internal affected user mailbox or system being used by the spammer.
Chris commented:
This looks almost certainly to me to be backscatter. You can read about what this means here: https://en.wikipedia.org/wiki/Backscatter_%28email%29

A brief overview of how this works is as follows:

1. A spambot connects to your Exchange server over SMTP and sends an email to usera@yourdomain.com (a randomly guessed address), from usera@invaliddomain.com (a spoofed address).

2. Your Exchange server accepts the message.

3. Exchange notices that usera@yourdomain.com doesn't exist in your organisation, generates an NDR and adds it to the Hub Transport queue to be delivered to usera@invaliddomain.com (what Exchange thinks was the original sender).

4. As the original sending address was spoofed, this is invalid and the NDR fails delivery. This then sits in the queue until it times out.

What you need to do to avoid this is configure recipient filtering to block messages sent to recipients which don't exist in the directory on your Hub Transport (or Edge Transport, if you use it) server. Once this has been enabled, instead of accepting the message in step 2, Exchange will reject the message, therefore preventing the NDRs from being generated.

http://www.jjclements.co.uk/2010/09/23/exchange-2010-recipient-filtering-on-a-hub-transport-server/
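As an added example (not code from the thread or from Exchange's documentation), the checks and the fix Chris describes, typed into the Exchange Management Shell on the Hub Transport server; the last step covers the compromised-account possibility Naushad raises. It assumes the anti-spam agents are installed on the Hub Transport server, as the asker states.

```powershell
# Added example, not from the thread. Assumes the anti-spam agents are installed
# on the Hub Transport server (Install-AntispamAgents.ps1 has been run).

# 1. Confirm the Recipient Filter agent is present and enabled.
Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' }

# 2. Show the current recipient filter settings. RecipientValidationEnabled is
#    the option Chris refers to: with it on, Exchange rejects mail for
#    recipients not in the directory at SMTP time instead of accepting it
#    and generating an NDR to a spoofed sender later.
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled, ExternalMailEnabled

# 3. Turn recipient validation on (the shell equivalent of the EMC checkbox).
Set-RecipientFilterConfig -RecipientValidationEnabled $true -ExternalMailEnabled $true

# 4. Measure the backscatter already sitting in the queues: DSNs with a null
#    sender (<>), matching the queue entry quoted in the question.
$backscatter = Get-Message -Filter { MessageSourceName -eq 'DSN' } -ResultSize Unlimited |
    Where-Object { $_.FromAddress.ToString() -eq '<>' }
"Queued null-sender DSNs: $($backscatter.Count)"
$backscatter | Group-Object Queue | Sort-Object Count -Descending | Format-Table Name, Count

# 5. Optional clean-up of the stuck DSNs without generating further NDRs.
# $backscatter | Remove-Message -WithNDR $false -Confirm:$false

# 6. Rule out a compromised mailbox: top senders in the last 24 hours from the
#    message tracking log. A single account with an outsized count is worth
#    a password reset and a look at its client connections.
Get-MessageTrackingLog -EventId SEND -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
    Group-Object Sender | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize
```

After step 3, new mail to non-existent recipients is refused at the SMTP conversation, so step 4 should trend to zero over the two-day expiry window shown in the question.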

timgreen7077 (Exchange Engineer, Author) commented:
Chris
I actually have that option checked in my recipient filter options. Maybe there was an issue. I will uncheck and recheck it and see if that helps. Thanks for the response, and I will update.
Mohammed Tahir (Microsoft Exchange and O365 Administrator) commented:
The observed mail is stuck for valid domains, as they have proper MX records. You need to export and analyze the message header to know from which address these messages were generated.

Use the command below to export the message:
Export-Message -Identity "Message Identity" | AssembleMessage -Path "c:\filename.eml"


Tahir
timgreen7077 (Exchange Engineer, Author) commented:
That corrected the issue. Thanks.