Monday, July 17, 2017

Exchange Managed Availability Spamming the Internet

I ran into an issue at a customer site where Exchange Managed Availability was spamming the Internet with large amounts of outbound to the Internet.  These "Undeliverable: Inbound proxy probe" NDR messages were routing out to the Internet via the Send Connector to - an email address which was intended for internal use within Exchange Environments monitoring purposes.

In the logs we can see the health probe emails are being routed to the Health Mailboxes @domain.local.

These emails are not being delivered and bouncing back to the sender “” which of course “” is not an Accepted Domain in your Exchange environment so it is routed out to the internet for delivery.

The Health Mailboxes (part of Microsoft Exchange Managed Availability) all reside under the Monitoring Mailboxes location.

These mailboxes are automatically created by the "Microsoft Exchange Health Manager" service, if any of these mailboxes get deleted, the service will recreate them upon restart.

All these health mailboxes have a have the external SMTP address configured and a domain.local SIP address.

SIP, not SMTP.  Hence delivery fails.

Managed Availability automatically routes to the FQDN of whatever the forest root domain is for the Health Mailboxes and as a result, this SMTP address must exist on the Health Mailboxes.

I created a PowerShell script to return all health mailboxes which do not have a SMTP address matching alias@domain.local and then add the missing email.

Get-Mailbox -Monitoring | %{ if(!($_.EmailAddresses -contains "smtp:$($_.Alias)@domain.local")) { Write-Host "Adding email address  for $($_.Alias)"; Set-Mailbox $_.Alias -EmailAddresses @{add="$($_.Alias)@domain.local"} } }

We can validate the @domain.local is now on all Health Mailboxes.

The reason why these domain.local addresses were not on the Health Mailboxes was someone removed @domain.local from the default Email Address Policy in the customers environment.

I hope this post was helpful. 

No comments:

Post a Comment