MSExchange Transport Errors and Warnings

[laytoncy]

Greetings all, I'm seeing a good amount of MSExchange Transport Warnings and some Errors in the Application log. This is from a SBS 2003 Server with Exchange 2003.
Here are 2 examples of warnings, the recipient in this case is someone that my clients email:

This is an SMTP protocol warning log for virtual server ID 1, connection #36. The remote host "217.x.x.x", responded to the SMTP command "rcpt" with "450 4.7.1 <user@domain.com>: Recipient address rejected: Greylisted for 5 minutes ". The full command sent was "RCPT TO:<user@domain.com> ". This may cause the connection to fail.

This is an SMTP protocol warning log for virtual server ID 1, connection #17. The remote host "205.x.x.x", responded to the SMTP command "rcpt" with "451 Internal resource temporarily unavailable -

http://www.mimecast.com/knowledgebase/KBID10473.htm#451

". The full command sent was "RCPT TO:<user@domain.com> ". This may cause the connection to fail.

Here are 3 examples of the Errors:

This is an SMTP protocol log for virtual server ID 1, connection #19. The client at "59.95.152.151" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address ". The full command sent was "helo static.jaipur.bb.59.95.152.151/25.bsnl.in". This will probably cause the connection to fail.

This is an SMTP protocol log for virtual server ID 1, connection #7. The client at "190.237.5.224" sent a "ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address ". The full command sent was "ehlo JOSÉ-PC". This will probably cause the connection to fail.

This is an SMTP protocol log for virtual server ID 1, connection #1. The client at "123.240.232.206" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address ". The full command sent was "helo ØpØp-PC.tbcnet.net.tw". This will probably cause the connection to fail.

The errors to me read that someone is sending whatever command to the Exchange server and it is giving them the appropriate response. The warnings though I'm not sure about.

Any help is greatly appreciated.

 

[ShackDaddy]

The first warning is a common one: since your mail server is not in regular communication with the target server, it issued a greylisting command which will cause your server to hold that message in queue and reattempt delivery at a later time. Since spamming servers won't usually reattempt delivery, it's a common practice and not unusual that you would see it here.

The second warning is basically the same as the first: the remote server doesn't always explicitly say that it's greylisting, sometimes it gives that "internal resource" message.

Sometimes Exchange 2003 systems never actually resend greylisted messages out again at all until the SMTP service is restarted or the server is rebooted. See this article for a fix:

http://support.microsoft.com/kb/950757

Dave Shackelford
ThirdTier.net

 

[laytoncy]

Thanks for the reply. So, it seems like as far as the warnings go this is business as usual and nothing really to be concerned about. I check the queue regulary, at least 3x a day, and have never seen a message waiting for this recipient so it must be being resent successfully.

Any ideas on the errors listed? Are these commands from "hackers" trying to auth to smtp or something? We have just recently been getting email spoofed from non existent users on the domain. The email will appear to come from someone within the organization that doesn't actually exist and the email will have a virus attached. Checking the headers in the email it does not originate from the Exchange server.

 

[ShackDaddy]

Yes, the errors are just from remote mailservers who are submitting connection data that is invalid. For example, instead of submitting a valid domain in the EHLO statement, they are just putting some garbage (or non-Western characters) in.

Dave Shackelford
ThirdTier.net

 

[laytoncy]

Thanks again for your help.