Monday, 13 April 2015

NDR Storms in Exchange 2013

I came across a NDR storm in Exchange 2013 the other day (yes - Exchange 2013 is not immune from them!)

I noticed 1000's of DSN Failures in the message tracking logs. Exchange was sending NDR's due to a recipient lookup failure, althoguh the sender address was also no longer exisited and hence an NDR storm was created.

In order to remedy the situation I attempted to re-create the sending account so the NDR would be delivered and the loop would end - although when attemping to create the alias address I recieved the following message:

The proxy address "smtp:nonexistentuser@domain.com" is already being used by the proxy addresses or LegacyExchangeDN of "nonexistentuser". Please choose another proxy address.

To verify that it doesn't already exist we can run the following to output a list of all addresses assosiated with users:

Get-Mailbox | Select Name -ExpandProperty EmailAddresses

Although strangely it wasn't listed, I did notice it was in a similar format to that of arbitration inboxes - such as the ones used for health reporting although that didn't shed much light still!

In the end I decided to turn of NDR's temporarily to halt the infinate loop:

Unknown to me at the time loop detection in Exchange 2013 is NOT enabled by default - so after enabling it:

Set-TransportConfig -AgentGeneratedMessageLoopDetectionInSmtpEnabled $true
Set-TransportConfig -AgentGeneratedMessageLoopDetectionInSubmissionEnabled $true

And then finally restart the MS Exchange Transport service for changes to be picked up immideately.

Although to no avail! So finally I stumbled accorss a transport rule that helps mitigate NDR storms!:

New-TransportRule "Prevent NDRs Storm - MichaelG" -Comments "Prevent NDRs Storm" -From "user@domain.com" -SentToScope "NotInOrganization" -SubjectContainsWords "FW: There was an error sending your mail", "FW: Mail delivery failed", "FW: failure notice", "Undeliverable:" -RedirectMessageTo "quarantine@contoso.com" -Enabled $True

0 comments:

Post a comment