System Event Log filling with Warnings
| m.marien 2004-10-19, 5:51 pm |
| I get the following message in my System Event Log.
"Message delivery to the remote domain 'citibank.com' failed for the
following reason: The remote server did not respond to a connection
attempt."
There is nothing in the log files for the time the event happened or for the
domain, nor is the domain mentioned in the SMTP logs at all. The message is
repeated many times, but the domain changes.
This is on a Win2000 SMTP server. The server is set up to accept mail for
several remote domains which are routed to a smart host for those domains.
Otherwise the relay list on the Access tab is empty and the "Allow all
computers which successfully authenticate..." is unchecked. There is no
outbound mail from this server except for NDRs as far as I know.
The domains have a very light mail demand, so there is not a lot of mail
routed through here except for SPAM of course. So what's happening here?
Why is this SMTP server trying to contact these domains, or is the message
misleading and it's the other way around, they are trying to contact this
SMTP server?
| |
| Jeff Cochran 2004-10-19, 5:51 pm |
| On Tue, 19 Oct 2004 08:10:42 -0600, "m.marien" <mm AT RiverCityCanada
DOT com> wrote:
>I get the following message in my System Event Log.
>
>"Message delivery to the remote domain 'citibank.com' failed for the
>following reason: The remote server did not respond to a connection
>attempt."
>
>There is nothing in the log files for the time the event happened or for the
>domain, nor is the domain mentioned in the SMTP logs at all. The message is
>repeated many times, but the domain changes.
>
>This is on a Win2000 SMTP server. The server is set up to accept mail for
>several remote domains which are routed to a smart host for those domains.
>Otherwise the relay list on the Access tab is empty and the "Allow all
>computers which successfully authenticate..." is unchecked. There is no
>outbound mail from this server except for NDRs as far as I know.
>
>The domains have a very light mail demand, so there is not a lot of mail
>routed through here except for SPAM of course. So what's happening here?
>Why is this SMTP server trying to contact these domains, or is the message
>misleading and it's the other way around, they are trying to contact this
>SMTP server?
Check your SMTP logs to see what really is happening. My guess is
you're not sending a bunch of mail to CitiBank, and that you're
relaying SPAM, but you can tell better by looking at your logs and the
Badmail folder (or Queue).
Jeff
| |
| m.marien 2004-10-19, 5:51 pm |
|
"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:417a2b89.510790738@msnews.microsoft.com...
> On Tue, 19 Oct 2004 08:10:42 -0600, "m.marien" <mm AT RiverCityCanada
> DOT com> wrote:
>
>
> Check your SMTP logs to see what really is happening. My guess is
> you're not sending a bunch of mail to CitiBank, and that you're
> relaying SPAM, but you can tell better by looking at your logs and the
> Badmail folder (or Queue).
>
Thanks for the reply Jeff. As mentioned, there is nothing in the logs to
match this warning message. The last warning messages in the System Events
Log for the domain: figoru.yourfort.net at 12:11.
Message delivery to the remote domain 'figoru.yourfort.net' failed for the
following reason: The remote server did not respond to a connection attempt.
From the log file (UTM time is + 6 hours):
2004-10-19 17:40:24 200.232.214.116 200-232-214-116.dsl.telesp.net.br QUIT - 200-232-214-116.dsl.telesp.net.br 240 77 4 0 SMTP
2004-10-19 18:18:34 222.183.141.38 www.xyz34.uk.co.sg EHLO - +www.xyz34.uk.co.sg 250 209 23 0 SMTP
When I search the entire log file for today, there is no mention of
figoru.yourfort.net.
There are two NDR reports in c:\Inetpub\mailroot\queue. One for yahoo.com
and one for hotmail.com. There also is one NDR in Badmail that failed
yesterday for allhell.com.
If there are a number of recipients in the TO line of the message, would the
SMTP server be trying to deliver to them in addition to the remote domain?
| |
| m.marien 2004-10-20, 2:47 am |
|
"m.marien" <mm AT RiverCityCanada DOT com> wrote in message
news:10na8358dmcce9e@corp.supernews.com...
>I get the following message in my System Event Log.
>
> "Message delivery to the remote domain 'citibank.com' failed for the
> following reason: The remote server did not respond to a connection
> attempt."
>
> There is nothing in the log files for the time the event happened or for
> the domain, nor is the domain mentioned in the SMTP logs at all. The
> message is repeated many times, but the domain changes.
>
> This is on a Win2000 SMTP server. The server is set up to accept mail for
> several remote domains which are routed to a smart host for those domains.
> Otherwise the relay list on the Access tab is empty and the "Allow all
> computers which successfully authenticate..." is unchecked. There is no
> outbound mail from this server except for NDRs as far as I know.
>
> The domains have a very light mail demand, so there is not a lot of mail
> routed through here except for SPAM of course. So what's happening here?
> Why is this SMTP server trying to contact these domains, or is the message
> misleading and it's the other way around, they are trying to contact this
> SMTP server?
>
Here is an interesting follow up on this problem and possibly an answer. I
checked one of my other IIS5.0 SMTP servers. I was testing to see if it
would send a message to an IP address a while back. It has a message
addressed to mm@[192.168.0.17] stuck in the queue with a date of
sept.27.2004. There is a log:
2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain EHLO - +mycomputer.myDomain 250 214 30 172 SMTP -
2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain MAIL - +FROM:<murray@myDomain> 250 52 39 0 SMTP -
2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain RCPT - +TO:<mm@[192.168.0.17]> 250 30 27 0 SMTP -
2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain DATA - +<6.1.1.1.0.20040927091233.01a069b0@darkstar> 250 128 1009 219 SMTP -
2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain QUIT - mycomputer.myDomain 240 84 4 0 SMTP -
(I changed the domain name in the log entries for obvious reasons.) There is
only one log, as I checked the entire log directory for log entries for
[192.168.0.17]. However, the System Event log is filled with these messages
regularly every four hours since Sept.27.2004
10/19/2004 7:51:37 PM smtpsvc Warning None 4000 N/A DARKSTAR Message delivery to the remote domain '[192.168.0.17]' failed for the following reason: The remote server did not respond to a connection attempt.
The question would be then, how long will the SMTP server keep trying?
The expiry time out is set at the default 2 days. The SMTP server has been
trying since September 27, 2004. It should quit trying already, eh!
So the original problem appears to be the same as this. I suspect that the
messages generating the system events are NDRs. I cleaned out about 3000
messages (all NDR) from the Badmail folder and emptied the queue a few days
ago. There were just the three messages left as I reported in another
message in this thread.
The NDRs are generated from the remote domains. The remote SMTP servers
refuse the messages because the user doesn't exist and the IIS SMTP server
routing for the remote servers is trying to send an NDR back to the original
sender. The original sender of course doesn't exist because the message is
just SPAM.
So there are two problems here. One, as noted above, the SMTP server doesn't
seem to give up on NDRs after two days. Second, the IIS SMTP doesn't handle
SPAM for remote domains very well. When the remote domain refuses the
message, the SMTP server generates an NDR and goes on forever trying to
deliver it. Not only that, I think the SMTP server is still trying to
deliver the messages that I deleted from the queue. How does that work?
So is there a way for the IIS SMTP server to handle the rejected messages
from remote domains better?
| |
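
Added example, not part of the original thread: a Python sketch of the correlation the post above does by hand. It groups the smtpsvc event 4000 warnings by domain, flags domains still being retried past the 2-day expiry, and checks whether each domain appears in the SMTP log as a recipient or only as a MAIL FROM sender (the bounce-to-forged-sender case). The log lines are constructed in the formats quoted in the thread; the function name, the `.example` domains and the origin labels are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in the formats quoted in the thread (not real logs).
EVENTS = """\
09/27/2004 3:51:37 PM smtpsvc Warning None 4000 N/A DARKSTAR Message delivery to the remote domain '[192.168.0.17]' failed for the following reason: The remote server did not respond to a connection attempt.
10/19/2004 7:51:37 PM smtpsvc Warning None 4000 N/A DARKSTAR Message delivery to the remote domain '[192.168.0.17]' failed for the following reason: The remote server did not respond to a connection attempt.
10/19/2004 12:11:02 PM smtpsvc Warning None 4000 N/A DARKSTAR Message delivery to the remote domain 'spam-sender.example' failed for the following reason: The remote server did not respond to a connection attempt.
"""
SMTP_LOG = """\
2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain RCPT - +TO:<mm@[192.168.0.17]> 250 30 27 0 SMTP -
2004-10-19 18:05:10 203.0.113.9 host.example MAIL - +FROM:<x@spam-sender.example> 250 52 39 0 SMTP -
2004-10-19 18:05:10 203.0.113.9 host.example RCPT - +TO:<nobody@hosted.example> 250 30 27 0 SMTP -
"""

EVENT_RE = re.compile(r"^(\S+ \S+ [AP]M) smtpsvc Warning \S+ 4000 .*?remote domain '([^']+)' failed")
ADDR_RE = re.compile(r"\s(MAIL|RCPT) - \+(?:FROM|TO):<[^>@]*@([^>]+)>")

def summarize(events, smtp_log, expiry=timedelta(days=2)):
    """Group event-4000 warnings by domain and explain each from the SMTP log."""
    seen = defaultdict(list)
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if m:
            seen[m.group(2).lower()].append(
                datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"))
    roles = defaultdict(set)  # domain -> {"MAIL", "RCPT"} seen on inbound sessions
    for m in ADDR_RE.finditer(smtp_log):
        roles[m.group(2).lower()].add(m.group(1))
    report = {}
    for domain, times in seen.items():
        if "RCPT" in roles[domain]:
            origin = "accepted-recipient"  # mail for this domain was accepted
        elif "MAIL" in roles[domain]:
            origin = "ndr-to-sender"       # only ever a sender: bounce target
        else:
            origin = "not-in-log"          # queued earlier or never logged
        report[domain] = {"count": len(times), "origin": origin,
                          "past_expiry": max(times) - min(times) > expiry}
    return report

if __name__ == "__main__":
    for domain, info in summarize(EVENTS, SMTP_LOG).items():
        print(domain, info)
```

A domain reported as "ndr-to-sender" or "not-in-log" with past_expiry set matches the pattern described in the post: a bounce that can never be delivered and is still being retried after the configured expiry.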
| happypagan 2004-11-18, 5:51 pm |
| I am having the same problem. See article 820284 for what I think is a
further description of the problem. Still no success at resolution though.
"m.marien" wrote:
>
> "m.marien" <mm AT RiverCityCanada DOT com> wrote in message
> news:10na8358dmcce9e@corp.supernews.com...
>
> Here is an interesting follow up on this problem and possibly an answer. I
> checked one of my other IIS5.0 SMTP servers. I was testing to see if it
> would send a message to an IP address a while back. It has a message
> addressed to mm@[192.168.0.17] stuck in the queue with a date of
> sept.27.2004. There is a log:
>
> 2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain EHLO -
> +mycomputer.myDomain 250 214 30 172 SMTP -
> 2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain MAIL -
> +FROM:<murray@myDomain> 250 52 39 0 SMTP -
> 2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain RCPT -
> +TO:<mm@[192.168.0.17]> 250 30 27 0 SMTP -
> 2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain DATA -
> +<6.1.1.1.0.20040927091233.01a069b0@darkstar> 250 128 1009 219 SMTP -
> 2004-09-27 15:12:48 192.168.0.17 mycomputer.myDomain QUIT -
> mycomputer.myDomain 240 84 4 0 SMTP -
>
> (I changed the domain name in the log entries for obvious reasons.) There is
> only one log, as I checked the entire log directory for log entries for
> [192.168.0.17]. However, the System Event log is filled with these messages
> regularly every four hours since Sept.27.2004
>
> 10/19/2004 7:51:37 PM smtpsvc Warning None 4000 N/A DARKSTAR Message
> delivery to the remote domain '[192.168.0.17]' failed for the following
> reason: The remote server did not respond to a connection attempt.
>
> The question would be then, how long will the SMTP server keep trying ???
> The expiry time out is set at the default 2 days. The SMTP server has been
> trying since September 27, 2004. It should quit trying already eh !
>
> So the original problem appears to be the same as this. I suspect that the
> messages generating the system events are NDRs. I cleaned out about 3000
> messages (all NDR) from the Badmail folder and emptied the queue a few days
> ago. There were just the three messages left as I reported in another
> message in this thread.
>
> The NDR are generated from the remote domains. The remote SMTP servers
> refuse the messages because the user doesn't exist and the IIS SMTP server
> routing for the remote servers is trying to send a NDR back to the original
> sender. The original sender of course doesn't exist because the message is
> just SPAM.
>
> So there are two problems here. One, as noted above, the SMTP server doesn't
> seem to give up on NDR's after two days. Second, the IIS SMTP doesn't handle
> SPAM for remote domains very well. When the remote domain refuses the
> message, the SMTP server generates a NDR and goes on forever trying to
> deliver it. Not only that, I think the SMTP server is still trying to
> deliver the messages that I deleted from the queue. How does that work ?
>
> So is there a way for the IIS SMTP server to handle the rejected messages
> from remote domains better ?
| |
| m.marien 2004-11-18, 5:51 pm |
|
"happypagan" <happypagan@discussions.microsoft.com> wrote in message
news:B5F7F2C9-960C-4811-8A0F-775FF29F2920@microsoft.com...
>I am having the same problem. See article 820284 for what I think is a
> further description of the problem. Still no success at resolution
> though.
>
My system is Win2000. I had just one error like that out of the hundreds. I
think it was just a problem when the SMTP relays for a remote server. The
SMTP server tries to send an NDR report for any SPAM that is bounced at the
remote server.
I solved some of the problem by silently discarding the undeliverable
messages at the remote server. My logs have cleaned up - just two errors in
the last week.