Re: Exchange 2003 - Event ID 3030 Source MSExchangeTransport[Scanned]

  • From: "Zoran" <zmarjanovic@xxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Wed, 4 Feb 2004 02:10:54 -0700

Hi Simon,

check KB 256321, it says: X.1.8 Bad sender's system address (status code
of 5.1.8 was generated for
recipient rfc822;jack@xxxxxxxxxx).

It is very possible you have an intruder. Check your net with anti-trojan
software. Also check your DNSs and logs of SMTP.

Zoran

> Raj,
> 
> Already checked for the virus and all machines are clear. Plus all
> machines are swept at night by a scheduled task and the results are then
> sent to myself.
> 
> Regards
> Simon Whale
> -----Original Message-----
> From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
> Sent: 03 February 2004 16:52
> To: [ExchangeList]
> Subject: [exchangelist] Re: Exchange 2003 - Event ID 3030 Source
> MSExchangeTransport[Scanned]
> 
> http://www.MSExchange.org/
> 
> It sounds like you may have the MyDoom virus going around. MyDoom tries
> to spoof sender IDs and recipient IDs. It may not be that the actual
> virus originated from your user, but might have spoofed elsewhere. In
> any case run a thorough check of your user PC, and the Exchange server.
> 
> 
> Regards,
> 
> Raj
> 
> -----Original Message-----
> From: simon whale [mailto:swhale@xxxxxxxxxxxxxx]
> Sent: Tuesday, February 03, 2004 11:41 AM
> To: [ExchangeList]
> Subject: [exchangelist] Re: Exchange 2003 - Event ID 3030 Source
> MSExchangeTransport[Scanned]
> 
> Zoran,
> 
> Thanks for your time. There is no logging switched on in the smtp
> connector.  I have just received another.
> 
> Event Type:   Error
> Event Source: MSExchangeTransport
> Event Category:       NDR
> Event ID:     3030
> Date:         03/02/2004
> Time:         16:35:25
> User:         N/A
> Computer:     JUPITER
> Description:
> A non-delivery report with a status code of 5.1.8 was generated for
> recipient rfc822;jack@xxxxxxxxxx (Message-ID
> <16a201c3ea73$b8b9d170$02010a0a@xxxxxxxxxxxx>).
> 
> But at the same time my anti virus also reported a virus from the same
> person:
> 
> A suspicious mail was processed.
> 
>       Event:          infection
>       Action:         Message quarantined
>       Message ID:     <200402031631.i13GVdv25012@xxxxxxxxxxxxxxxxx>
>       Message subject:        test
>       Sender:         "jack@xxxxxxxxxx" <jack@xxxxxxxxxx>
>       Recipient:  "fred@xxxxxxxxxxxxxx" <fred@xxxxxxxxxxxxxx>
> 
> =============================================================
> 
>       Attachment information:
>               Event:  infection
>               Action: Unable to disinfect
>               Filename:       data.zip
>               Virus:  W32/MyDoom-A
> =============================================================
> 
>       Attachment information:
>               Event:  infection
>               Action: Unable to disinfect
>               Filename:       data.zip
>               Virus:  W32/MyDoom-A
> =============================================================
> 
> Can I assume that these events are logged for addresses that don't exist? Or
> unable to contact?
> 
> Regards
> Simon Whale
> -----Original Message-----
> From: Zoran [mailto:zmarjanovic@xxxxxxxx]
> Sent: 03 February 2004 16:52
> To: [ExchangeList]
> Subject: [exchangelist] Re: Exchange 2003 - Event ID 3030 Source
> MSExchangeTransport[Scanned]
> 
> Hi Simon,
> 
> check diagnostics logging level for MSExchangeTransport.
> 
> Zoran
> 
> > All,
> >
> > I have just noticed the following in the event viewer, can anybody
> > shed any light on the matter?
> >
> > Event Type: Error
> > Event Source:       MSExchangeTransport
> > Event Category:     NDR
> > Event ID:   3030
> > Date:               03/02/2004
> > Time:               15:35:34
> > User:               N/A
> > Computer:   JUPITER
> > Description:
> > A non-delivery report with a status code of 5.1.8 was generated for
> > recipient rfc822;joe@xxxxxxxxxxxxxxxxxx (Message-ID
> > <168401c3ea6b$5ad73780$02010a0a@xxxxxxxxxxxx>).
> >
> > Have checked on google groups, eventid.net and microsoft to no success.
> >
> > Setup as follows
> >
> > Windows 2003 (patched up to date)
> > Exchange 2003 (patched up to date)
> > Sophos Anti Virus - Mail monitor (up to date)
> >
> > Many Thanks
> > Simon
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
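
The check Simon does by eye in the thread above (the recipient of a 5.1.8 non-delivery report is also the sender of a message the mail scanner quarantined) can be automated over exported log text. The following is an added example, not part of the original thread: the function names, addresses and sample text are constructed, and the two layouts are assumed to match the excerpts quoted in the thread.

```python
import re

# Constructed sample input, laid out like the excerpts quoted in the thread.
EVENT_TEXT = """\
Event ID:     3030
Description:
A non-delivery report with a status code of 5.1.8 was generated for
recipient rfc822;jack@sender.example (Message-ID
<msg-0001@jupiter.example>).

Event ID:     3030
Description:
A non-delivery report with a status code of 5.1.8 was generated for
recipient rfc822;joe@other.example (Message-ID <msg-0002@jupiter.example>).
"""
AV_TEXT = """\
A suspicious mail was processed.
      Sender:         "jack@sender.example" <jack@sender.example>
      Recipient:  "fred@local.example" <fred@local.example>
      Attachment information:
              Virus:  W32/MyDoom-A
"""

NDR_RE = re.compile(
    r"status code of (\d\.\d{1,3}\.\d{1,3}) was generated for\s+"
    r"recipient rfc822;(\S+)\s+\(Message-ID\s*<([^>]+)>\)")
SENDER_RE = re.compile(r'Sender:\s+"[^"]*"\s+<([^>]+)>')
VIRUS_RE = re.compile(r"Virus:\s+(\S+)")

def parse_quarantine(text):
    """Map each quarantined sender address to the virus names reported for it."""
    hits = {}
    for block in text.split("A suspicious mail was processed.")[1:]:
        sender = SENDER_RE.search(block)
        if sender:
            names = VIRUS_RE.findall(block)
            hits.setdefault(sender.group(1).lower(), set()).update(names)
    return hits

def correlate(event_text, av_text):
    """List every NDR with any virus the scanner tied to the same address."""
    quarantined = parse_quarantine(av_text)
    return [{"recipient": rcpt.lower(), "status": status, "message_id": mid,
             "viruses": sorted(quarantined.get(rcpt.lower(), ()))}
            for status, rcpt, mid in NDR_RE.findall(event_text)]

if __name__ == "__main__":
    for row in correlate(EVENT_TEXT, AV_TEXT):
        print(row)
```

A row with a non-empty `viruses` list only shows that the same address appears in both logs; rows with an empty list are the NDRs that still need the SMTP logs to explain.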

