Windows Server 2003 Small Business Server SP2
Exchange Version 6.5 (Build 7638.2: Service Pack 2)
This network has been neglected and has been having email problems for years and was on many blacklists. I was called in after the server eventually crashed... I got the server back up and running, but email problems persist.
Outgoing mail delivery is sporadic. Sometimes the mail goes through, sometimes a delayed delivery report is generated after a day or more, and sometimes it seems to go through, but the recipient never receives it.
Not sure if spammers are successfully using the server as a relay (see event entries below after turning on maximum SMTP logging)...
User PCs infected with viruses and server was blacklisted on many sites (I used mxtoolbox.com)
I have cleaned all the PCs and changed all passwords (including administrator)
I have requested removal from all of the blacklists - most have removed the listing, some take more time.
I have setup rDNS pointer records with the ISP (Comcast) - that was one reason for some of the blacklistings.
I have tested that it's not an open relay using telnet as described here:
www.amset.info/exchange/smtp-openrelay.asp
I followed the advise of a Spamhaus & Microsoft article to enable maximum SMTP logging.
http://www.spamhaus.org/faq/answers.lasso?section=isp%20spam%20issues#320
which directed me to Microsoft KB article 895853,
specifically, the part 2/3 down titled:
"If mail relay occurs from an account on an Exchange computer that is not configured as an open relay" .
The Application Event Log is filling with this type of activity (Event ID 7002, 7002 & 3018 errors):
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7004
Date: 1/18/2011
Time: 7:33:29 AM
User: N/A
Computer: SERVER
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #621. The remote host "212.52.84.180", responded to the SMTP command "rcpt" with "550 #5.1.0 Address rejected
[email protected] ". The full command sent was "RCPT TO: ". This will probably cause the connection to fail.
and this:
Event Type:
Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7002
Date: 1/18/2011
Time: 7:33:29 AM
User: N/A
Computer: SERVER
Description:
This is an SMTP protocol
warning log for virtual server ID 1, connection #620. The remote host "212.52.84.170", responded to the SMTP command "rcpt" with "452 Too many recipients received this hour ". The full command sent was "RCPT TO: ". This may cause the connection to fail.
or a variant of:
Event Type:
Warning
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7002
Date: 1/18/2011
Time: 8:39:21 AM
User: N/A
Computer: SERVER
Description:
This is an SMTP protocol
warning log for virtual server ID 1, connection #661. The remote host "82.57.200.133", responded to the SMTP command "rcpt" with "421 Service not available - too busy ". The full command sent was "RCPT TO: ". This may cause the connection to fail.
also
Event Type: Error
Event Source: MSExchangeTransport
Event Category: NDR
Event ID: 3018
Date: 1/18/2011
Time: 9:49:37 AM
User: N/A
Computer: SERVER
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;
[email protected] (Message-ID ).
Causes: This message indicates a DNS problem or an IP address configuration problem
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.
Data:
0000: ef 02 04 c0 ï..À
Any guidance and/or suggestions and/or tests to perform would be greatly appreciated.
