Trace spam email
Hi all,

Currently have an issue with a customer who has a number of spam emails sat in their Outbound Queue. Can't see anything obvious so far and at a guess think it's possibly a user's account that's the cause. The following is what I believe to be one of the emails. It shows the sender is blank...

2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,0,10.61.168.26:25,10.61.168.13:50871,+,,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,1,10.61.168.26:25,10.61.168.13:50871,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,2,10.61.168.26:25,10.61.168.13:50871,>,220 mail.DOMAIN.com,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,3,10.61.168.26:25,10.61.168.13:50871,<,EHLO MAILBOXSERVER.DOMAIN.Local,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,4,10.61.168.26:25,10.61.168.13:50871,>,250-HUBTRANSPORTSERVER.DOMAIN.Local Hello [10.61.168.13],
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,5,10.61.168.26:25,10.61.168.13:50871,>,250-SIZE,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,6,10.61.168.26:25,10.61.168.13:50871,>,250-PIPELINING,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,7,10.61.168.26:25,10.61.168.13:50871,>,250-DSN,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,8,10.61.168.26:25,10.61.168.13:50871,>,250-ENHANCEDSTATUSCODES,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,9,10.61.168.26:25,10.61.168.13:50871,>,250-STARTTLS,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,10,10.61.168.26:25,10.61.168.13:50871,>,250-X-ANONYMOUSTLS,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,11,10.61.168.26:25,10.61.168.13:50871,>,250-AUTH NTLM,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,12,10.61.168.26:25,10.61.168.13:50871,>,250-X-EXPS GSSAPI NTLM,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,13,10.61.168.26:25,10.61.168.13:50871,>,250-8BITMIME,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,14,10.61.168.26:25,10.61.168.13:50871,>,250-BINARYMIME,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,15,10.61.168.26:25,10.61.168.13:50871,>,250-CHUNKING,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,16,10.61.168.26:25,10.61.168.13:50871,>,250-XEXCH50,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,17,10.61.168.26:25,10.61.168.13:50871,>,250 XRDST,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,18,10.61.168.26:25,10.61.168.13:50871,<,X-ANONYMOUSTLS,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,19,10.61.168.26:25,10.61.168.13:50871,>,220 2.0.0 SMTP server ready,
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,20,10.61.168.26:25,10.61.168.13:50871,*,,Sending certificate
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,21,10.61.168.26:25,10.61.168.13:50871,*,CN=HUBTRANSPORTSERVER,Certificate subject
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,22,10.61.168.26:25,10.61.168.13:50871,*,CN=HUBTRANSPORTSERVER,Certificate issuer name
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,23,10.61.168.26:25,10.61.168.13:50871,*,54BEC86E600CBE864957FEE2DB44C020,Certificate serial number
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,24,10.61.168.26:25,10.61.168.13:50871,*,E8C6690B277DC4A3E16BF7CED42183E0DAE5A3B3,Certificate thumbprint
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,25,10.61.168.26:25,10.61.168.13:50871,*,HUBTRANSPORTSERVER;HUBTRANSPORTSERVER.DOMAIN.Local,Certificate alternate names
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,26,10.61.168.26:25,10.61.168.13:50871,<,EHLO MAILBOXSERVER.DOMAIN.Local,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,27,10.61.168.26:25,10.61.168.13:50871,>,250-HUBTRANSPORTSERVER.DOMAIN.Local Hello [10.61.168.13],
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,28,10.61.168.26:25,10.61.168.13:50871,>,250-SIZE,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,29,10.61.168.26:25,10.61.168.13:50871,>,250-PIPELINING,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,30,10.61.168.26:25,10.61.168.13:50871,>,250-DSN,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,31,10.61.168.26:25,10.61.168.13:50871,>,250-ENHANCEDSTATUSCODES,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,32,10.61.168.26:25,10.61.168.13:50871,>,250-AUTH NTLM,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,33,10.61.168.26:25,10.61.168.13:50871,>,250-X-EXPS EXCHANGEAUTH GSSAPI NTLM,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,34,10.61.168.26:25,10.61.168.13:50871,>,250-X-EXCHANGEAUTH SHA256,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,35,10.61.168.26:25,10.61.168.13:50871,>,250-8BITMIME,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,36,10.61.168.26:25,10.61.168.13:50871,>,250-BINARYMIME,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,37,10.61.168.26:25,10.61.168.13:50871,>,250-CHUNKING,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,38,10.61.168.26:25,10.61.168.13:50871,>,250-XEXCH50,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,39,10.61.168.26:25,10.61.168.13:50871,>,250 XRDST,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,40,10.61.168.26:25,10.61.168.13:50871,<,X-EXPS EXCHANGEAUTH,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,41,10.61.168.26:25,10.61.168.13:50871,*,SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SendAs,Set Session Permissions
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,42,10.61.168.26:25,10.61.168.13:50871,*,DOMAIN\MAILBOXSERVER$,authenticated
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,43,10.61.168.26:25,10.61.168.13:50871,>,235 <authentication response>,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,44,10.61.168.26:25,10.61.168.13:50871,<,MAIL FROM:<> SIZE=8031,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,45,10.61.168.26:25,10.61.168.13:50871,*,08CDD9CB292563F4;2011-05-14T23:52:54.505Z;1,receiving message
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,46,10.61.168.26:25,10.61.168.13:50871,>,250 2.1.0 Sender OK,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,47,10.61.168.26:25,10.61.168.13:50871,<,RCPT TO:<hgecay@clinicaltrials.gov>,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,48,10.61.168.26:25,10.61.168.13:50871,>,250 2.1.5 Recipient OK,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,49,10.61.168.26:25,10.61.168.13:50871,<,BDAT 8031 LAST,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,50,10.61.168.26:25,10.61.168.13:50871,>,250 2.6.0 <b9f64658-210a-4c47-a0ae-c03407241052> Queued mail for delivery,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,51,10.61.168.26:25,10.61.168.13:50871,<,QUIT,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,52,10.61.168.26:25,10.61.168.13:50871,>,221 2.0.0 Service closing transmission channel,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,53,10.61.168.26:25,10.61.168.13:50871,-,,Local

The Default Receive Connector permission groups are set to allow everyone to connect, which seems typical when comparing it to other clients (apart from "Partners"). Is there any other way of figuring out where these emails are coming from? I'm not even sure if these could be NDR spam?
May 16th, 2011 10:39am

If the sender is blank it is probably NDR spam. Do you have recipient validation enabled? If not, then you should do, as it will stop NDR spam in its tracks.

http://exchange.sembee.info/2007/hub/filter-unknown.asp

Simon.

Simon Butler, Exchange MVP
Blog | Exchange Resources | In the UK? Hire Me.
May 16th, 2011 5:26pm

On Mon, 16 May 2011 14:34:02 +0000, Andrew J Palmer wrote:

> Hi all,
>
> Currently have an issue with a customer who has a number of spam emails sat in their Outbound Queue. Can't see anything obvious so far and at a guess think it's possibly a user's account that's the cause. The following is what I believe to be one of the emails. It shows the sender is blank...

It's an NDR. Do you have recipient filtering enabled? Do you refuse to accept e-mail with SMTP addresses that don't exist in your AD forest?

The fact that the local and remote IP addresses are both in the same private network is suspicious. Is it your intention to accept SMTP e-mail from 10.61.168.13? Are both of those machines Exchange HT servers?

[ snip ]

> The Default Receive Connector permission groups are set to allow everyone to connect which seems typical when comparing it to other clients (Apart from "Partners").
>
> Is there any other way of figuring out where these emails are coming from? I'm not even sure if these could be NDR spam?

It would help to know which IP address belongs to what machine. If they're both HT servers then you need the log files from the one that's sending the messages. Don't forget the message tracking logs and the "SUBMIT" event. If the message originates from a MAPI/RPC client there won't be anything in the SMTP log file for the submission.

---
Rich Matheisen MCSE+I, Exchange MVP
May 16th, 2011 10:05pm
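The triage Rich describes (null reverse-path means a bounce; an internal remote address plus a machine-account authentication means the message was relayed from another Exchange server, so this hub's SMTP log is not where the trail starts) can be mechanised over the receive-connector protocol log. The following is an added example, not code from this thread or from Exchange: a small Python parser that groups protocol-log rows by session-id, pulls out the EHLO name, the authenticated identity, the sender, the recipients and whether the message was queued, and labels each accepted message. The field order is the one the Exchange 2007/2010 SMTPReceive log declares in its own "#Fields:" header; the sample log is constructed from the session quoted above (trimmed) plus a made-up external session, and the labels are this example's own.

```python
"""Triage an Exchange 2007/2010 SMTP receive-connector protocol log for
null-sender (bounce/NDR) submissions and report which side of the network
each one arrived from.  Added example, not code from the thread."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Column order declared by the log's own '#Fields:' header line.
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Session:
    session_id: str
    remote: str = ""                 # remote 'ip:port' as logged
    helo: str = ""                   # name given in EHLO/HELO
    authenticated_as: str = ""       # data field of the '*' ... 'authenticated' event
    sender: Optional[str] = None     # None: no MAIL FROM yet; "": null sender <>
    recipients: List[str] = field(default_factory=list)
    queued: bool = False             # server answered '250 2.6.0 ... Queued mail for delivery'


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group protocol-log rows by session-id and extract the triage fields."""
    sessions: Dict[str, Session] = {}
    for row in csv.reader(io.StringIO(log_text)):
        if not row or row[0].startswith("#"):        # header / comment lines
            continue
        rec = dict(zip(FIELDS, row + [""] * len(FIELDS)))   # pad short rows
        s = sessions.setdefault(rec["session-id"],
                                Session(rec["session-id"], remote=rec["remote-endpoint"]))
        ev, data, ctx = rec["event"], rec["data"], rec["context"]
        if ev == "<":                                 # client -> server command
            if m := re.match(r"(?:EHLO|HELO)\s+(\S+)", data, re.I):
                s.helo = m.group(1)
            elif m := re.match(r"MAIL FROM:<([^>]*)>", data, re.I):
                s.sender = m.group(1)
            elif m := re.match(r"RCPT TO:<([^>]*)>", data, re.I):
                s.recipients.append(m.group(1))
        elif ev == "*" and ctx == "authenticated":    # informational event
            s.authenticated_as = data
        elif ev == ">" and data.startswith("250 2.6.0"):   # message accepted
            s.queued = True
    return sessions


def is_rfc1918(endpoint: str) -> bool:
    """True when an IPv4 'ip:port' endpoint lies in an RFC 1918 range."""
    ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return any(ip in net for net in RFC1918)


def classify(s: Session) -> str:
    """Triage label for a session (labels are this example's own)."""
    if s.sender is None:
        return "no-message"
    if s.sender != "":
        return "normal-sender"
    # Null reverse-path: a bounce/NDR, or backscatter being relayed through us.
    if s.authenticated_as.endswith("$") and is_rfc1918(s.remote):
        # A domain machine account on an internal address submitted it, i.e.
        # another Exchange server.  This hub's SMTP log stops here; the origin
        # is in that server's protocol and message-tracking logs.
        return "null-sender-relayed-internally"
    return "null-sender-from-outside"


def report(log_text: str) -> List[str]:
    """One summary line per accepted message."""
    return [f"{s.session_id} {classify(s)} remote={s.remote} "
            f"auth={s.authenticated_as or '-'} from=<{s.sender}> to={','.join(s.recipients)}"
            for s in parse_sessions(log_text).values() if s.queued]


# Constructed sample: the thread's session trimmed to the rows that matter,
# plus a made-up external session (203.0.113.7 is a documentation address).
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-05-14T23:52:54.505Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,3,10.61.168.26:25,10.61.168.13:50871,<,EHLO MAILBOXSERVER.DOMAIN.Local,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,42,10.61.168.26:25,10.61.168.13:50871,*,DOMAIN\MAILBOXSERVER$,authenticated
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,44,10.61.168.26:25,10.61.168.13:50871,<,MAIL FROM:<> SIZE=8031,
2011-05-14T23:52:54.584Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,47,10.61.168.26:25,10.61.168.13:50871,<,RCPT TO:<hgecay@clinicaltrials.gov>,
2011-05-14T23:52:54.787Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,08CDD9CB292563F4,50,10.61.168.26:25,10.61.168.13:50871,>,250 2.6.0 <b9f64658-210a-4c47-a0ae-c03407241052> Queued mail for delivery,
2011-05-14T23:55:01.100Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,0000000000000001,1,10.61.168.26:25,203.0.113.7:41022,<,EHLO mx.example.net,
2011-05-14T23:55:01.210Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,0000000000000001,2,10.61.168.26:25,203.0.113.7:41022,<,MAIL FROM:<>,
2011-05-14T23:55:01.210Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,0000000000000001,3,10.61.168.26:25,203.0.113.7:41022,<,RCPT TO:<nosuchuser@DOMAIN.com>,
2011-05-14T23:55:01.400Z,HUBTRANSPORTSERVER\Default HUBTRANSPORTSERVER,0000000000000001,4,10.61.168.26:25,203.0.113.7:41022,>,250 2.6.0 <00000000-0000-0000-0000-000000000002> Queued mail for delivery,
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Point it at the real files (by default under the Exchange install directory in TransportRoles\Logs\ProtocolLog\SmtpReceive, once protocol logging is enabled on the connector) by reading them in place of SAMPLE_LOG. A session labelled "null-sender-relayed-internally" is exactly the case in the thread: the next stop is the protocol log on the machine behind the remote address, and the message tracking log for the SUBMIT event, because a message handed in over MAPI/RPC never appears in any SMTP receive log. A "null-sender-from-outside" session whose recipient does not exist is the backscatter that recipient validation would have rejected at RCPT TO.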

Thanks Sembee. I'll take a look at this.

Rich, 10.61.168.13 is an Exchange server with the Mailbox, CAS and HT roles. 10.61.168.26 is an Exchange server with just the HT role. Email transactions to the outside world will be done by 10.61.168.26. I'll take a look at the first suggestion and continue investigation should this issue persist.
May 17th, 2011 4:06am

Sembee's response resolved this issue for me. Thanks.
May 23rd, 2011 5:48am
