Exchange 2003 SMTP Event ID 7010 550 - Unauthorised SMTP Relay
Hi,

Recently I've been getting a recurring error in the Event logs, several times per hour:

This is an SMTP protocol log for virtual server ID 1, connection #20. The client at "EXCHANGE SERVER IP OMITTED" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for <ADDRESS OMITTED> ". The full command sent was "rcpt TO: <ADDRESS OMITTED>". This will probably cause the connection to fail.

The address in question isn't that of a domain user or even an authenticated user. It is in fact the Gmail address of one of the company MD's buddies. It looks like the person in question is trying to relay through our domain Exchange server, but I can't find anything in our system that even refers to it but these event logs.

How do I stop/block/kill this pain in the backside? I'd appreciate any advice. Thank you all in advance.
December 14th, 2010 12:09pm

What's your Diagnostics Logging set to for the MSExchangeTransport service? I'd crank up some of the categories in there (specifically SMTP Protocol and potentially Authentication) to see what might be happening at these times.

FIRST THINGS FIRST, however: Chat with the company MD about the timing of these relay events. What sort of transaction is being attempted at these times? My guess is it's some sort of automated reply/OOF/availability action that's happening, but would be good to know more about what's actually triggering it, if for no other reason than so we can try and replicate it.

Also, I'm assuming you don't have any SMTP relay restrictions in place, either via IP address, subnet or authentication. If you're comfortable with it, you can play with the authentication settings for the SMTP virtual server. Maybe Anon access isn't enabled?

Let us know what you find....

jm
December 14th, 2010 1:40pm

Hey - thanks for getting back to me. In answer to your questions:

It was already suggested by third-party support that I beef up the logging, which I did before I left the office. See what that tells me in the morning.

Also, I spoke to the MD about it. The friend in question is overseas on holiday so unlikely to be emailing with such frequency. I'm thinking either something's stuck in a loop somewhere as you say or there's something nasty on my server. The former is more likely, but I'm running virus and malware checks on the server all the same. I've already eliminated the most likely possible source, that being the MD's VPN-connected home machine - the MD's buddy crashes there sometimes. I swept that today and it came up clean.

There are SMTP relay restrictions in place though. Anonymous, clear text authenticated and Windows authenticated all have a free pass on the server and I need to consult with colleagues before I alter that. That said, relay IS restricted by IP with only a handful of IPs and WAN subnets allowed to do so. I'd need to consult before changing that also.

But like I said, it's likely I'll know more in the morning so I'll update then. In the meantime I mean to get some dinner and enjoy my evening ;)
December 14th, 2010 3:32pm

Hi again - apologies for the late update - forgot at my last update that I was on secondment the next day :$ So, the logs aren't telling me anything more than they did before I'm afraid. The only mention of the Gmail address is still within the error messages as detailed in my first post here. Virus and malware checks on the server came up clean, so some kind of automated reply loop is most likely the cause but I still can't find a trace of it outside the event log. Essentially, I'm still without-a-clue as to how I'm going to knock this on the head. I'm open to suggestions :)
December 16th, 2010 4:21am

On Thu, 16 Dec 2010 09:17:18 +0000, GeekSuperior wrote:
>Hi again - apologies for the late update - forgot at my last update that I was on secondment the next day :$
>
>So, the logs aren't telling me anything more than they did before I'm afraid. The only mention of the Gmail address is still within the error messages as detailed in my first post here. Virus and malware checks on the server came up clean, so some kind of automated reply loop is most likely the cause but I still can't find a trace of it outside the event log.

There's nothing in the SMTP protocol logs? The text of the event said that something sent a RCPT TO command.

---
Rich Matheisen MCSE+I, Exchange MVP
December 16th, 2010 8:46pm
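
One way to act on the question about the SMTP protocol logs, as an added example that is not part of the thread: a Python script that tallies RCPT commands rejected with 550 by client IP and recipient, with the first and last time seen. It assumes the SMTP virtual server writes W3C Extended logs with the date, time, c-ip, cs-method, cs-uri-query and sc-status fields enabled; the sample lines and addresses are constructed.

```python
# Constructed sample in W3C Extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-12-14 12:00:00
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2010-12-14 12:00:01 192.0.2.10 mail.example.org 192.0.2.1 EHLO +mail.example.org 250
2010-12-14 12:00:01 192.0.2.10 mail.example.org 192.0.2.1 MAIL +FROM:<user@example.org> 250
2010-12-14 12:00:02 192.0.2.10 mail.example.org 192.0.2.1 RCPT +TO:<friend@example.com> 550
2010-12-14 12:20:02 192.0.2.10 mail.example.org 192.0.2.1 RCPT +TO:<friend@example.com> 550
2010-12-14 12:21:40 198.51.100.7 host.example.net 192.0.2.1 RCPT +TO:<staff@example.org> 250
2010-12-14 12:40:02 192.0.2.10 mail.example.org 192.0.2.1 RCPT +TO:<friend@example.com> 550
"""


def rejected_rcpt(lines):
    """Map (client IP, recipient) -> (count, first seen, last seen) for RCPT/550."""
    fields, hits = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared in the file itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "RCPT":
            continue
        if row.get("sc-status") != "550":
            continue
        # Command arguments are logged with a leading '+': +TO:<addr>
        arg = row.get("cs-uri-query", "-").lstrip("+")
        rcpt = arg.partition(":")[2].strip().strip("<>").lower()
        key = (row.get("c-ip", "-"), rcpt)
        stamp = f"{row.get('date', '-')} {row.get('time', '-')}"
        count, first, _ = hits.get(key, (0, stamp, stamp))
        hits[key] = (count + 1, first, stamp)
    return hits


if __name__ == "__main__":
    for (ip, rcpt), (n, first, last) in rejected_rcpt(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} -> {rcpt}: {n} rejected RCPT, {first} to {last}")
```

W3C Extended logs record times in UTC, so convert before lining the results up against Event Viewer timestamps.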

This topic is archived. No further replies will be accepted.
