Exchange 2010 Hub Transport

timgreen7077 used Ask the Experts™
Is there any reason my Hub Transport server queues get full of emails that I'm not sending? Eventually the emails are dropped, but I can have over 100 of these in a few days, and if I remove them, within a few days more will return. The error message says "451 4.4.0 Primary target IP address responded with: 421 4.2.1 unable to connect. Attempted failover to alternate host, but did not succeed. Either there is no alternate host or delivery failed to alternate host." See attached pic.
I have used telnet to verify that I have no open relays, and I also used mxtoolbox to confirm I have no open relays. I believe this is just spam, but I'm just trying to understand why it seems like it's being sent from my server. This is one of the undelivered properties:

Identity: MAIL\28211\46895
Subject: Undeliverable: Tasty drink shreds extra fat
Internet Message ID: <>
From Address: <>
Status: Ready
Size (KB): 16
Message Source Name: DSN
Source IP:
SCL: -1
Date Received: 12/30/2015 1:21:50 PM
Expiration Time: 1/1/2016 1:21:50 PM
Last Error: 400 4.4.7 Message delayed
Queue ID: MAIL\28211
Recipients:;2;2;400 4.4.7 Message delayed;0;CN=Outbound Public Connector,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=alias,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomainname,DC=com

I believe this mail is being caught and rejected by my Hub Transport Anti-spam. I have enabled Exchange's HT anti-spam features. Any advice would be appreciated.

Naushad shaikh, IT Consultant - Messaging Support

If you are not sending them, then you have to look for a spam issue: your server is being used to send spam email to Internet destination email servers. There is a possibility that some user accounts are hacked, or that some virus-infected system in the network is generating spam email by using a local email client to send email.

SMTP error 400 4.4.7 can mean the destination email server has some problem, and can also mean that the recipient server's reverse DNS lookup for your domain is failing, or that the IP of the sending email server does not match the MX record, hence the remote recipient server is not accepting email.

In your case, as you have an internal spam attack, the affected user mailbox or system is sending spam email to many fake, non-existent email addresses, hence the emails are going into the retry queue for delivery.

Please try to locate the internal affected user mailbox or system being used by the spammer.

This looks almost certainly to me to be backscatter. You can read about what this means here:

A brief overview of how this works is as follows:

1. A spambot connects to your Exchange server over SMTP and sends an email to (a randomly guessed address), from (a spoofed address).
2. Your Exchange server accepts the message.
3. Exchange notices that doesn't exist in your organisation, generates an NDR and adds it to the Hub Transport queue to be delivered to (what Exchange thinks was the original sender).
4. As the original sending address was spoofed, this is invalid and the NDR fails delivery. This then sits in the queue until it times out.

What you need to do to avoid this is configure recipient filtering to block messages sent to recipients which don't exist in the directory on your hub transport (or edge transport, if you use it) server. Once this has been enabled, instead of accepting the message in step 2, Exchange will reject the message, therefore preventing the NDRs from being generated.
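
An added example (not part of the original thread) for the Exchange Management Shell on the Hub Transport server: it counts the null-sender NDRs sitting in the queues and reports whether recipient validation is actually in effect. The variable names and warning texts are illustrative.

```powershell
# Added example: run in the Exchange Management Shell on the Hub Transport server.
# Variable names and warning texts are illustrative, not from the thread.

# 1. Count queued NDRs: null sender (<>) and generated locally by the DSN component,
#    matching the "From Address: <>" / "Message Source Name: DSN" properties above.
$ndrs = @(Get-Message -ResultSize Unlimited |
    Where-Object { $_.FromAddress -eq '<>' -and $_.MessageSourceName -eq 'DSN' })

"Queued NDRs with null sender: {0}" -f $ndrs.Count
$ndrs | Group-Object Queue |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Check that the Recipient Filter agent is installed and enabled.
$agent = Get-TransportAgent |
    Where-Object { "$($_.Identity)" -eq 'Recipient Filter Agent' }

if (-not $agent) {
    Write-Warning 'Recipient Filter Agent is not installed on this server.'
} elseif (-not $agent.Enabled) {
    Write-Warning 'Recipient Filter Agent is installed but disabled.'
}

# 3. Check that recipients are validated against the directory at SMTP time,
#    so mail to unknown addresses is rejected instead of accepted and bounced.
$cfg = Get-RecipientFilterConfig
$cfg | Format-List Enabled, RecipientValidationEnabled, ExternalMailEnabled

if (-not ($cfg.Enabled -and $cfg.RecipientValidationEnabled)) {
    Write-Warning 'Recipient validation is off: mail to unknown recipients is accepted and NDRs are generated.'
    # Uncomment to turn it on:
    # Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
}
```

If the NDR count keeps growing while all three checks pass, a test message to a non-existent recipient from outside should be refused at the RCPT TO stage with a 5xx response rather than accepted.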
timgreen7077, Exchange Engineer
Distinguished Expert 2018


I actually have that option checked on my recipient filter options. Maybe there was an issue. I will uncheck and recheck and see if that helps. Thanks for the response and I will update.
Mohammed Tahir, Microsoft Exchange and O365 Administrator

The observed mails are stuck for valid domains, as they have proper MX records. You need to export and analyze the message header to know from which address these messages were generated.

Use the command below to export the message:
Export-Message -Identity "Message Identity" | AssembleMessage -Path "c:\filename.eml"

timgreen7077, Exchange Engineer
Distinguished Expert 2018


That corrected the issue. Thanks.
