One of our older Servers runs MS Exchange Server 5.5, which is ancient, but very reliable. A while back users started to complain that their e-mails were returned as undeliverable. When checking the logs I found that most messages were returned with a “Host unreachable” message. The Internet Mail Service outbound queue filled up and none of the messages got delivered. A simple telnet test showed that the hosts were reachable, but the old Exchange 5.5 Server for some unknown reason refused to deliver anything. Googling “Exchange Host Unreachable” revealed a lot of such cases, but none of the solutions suggested in these posts helped. Finally I analyzed the network traffic and found that port 25 was constantly being used, BUT NOT by the Exchange Server. It turned out that a user’s PC had been infected with a mass-mailing worm which used the same gateway IP address as the Exchange Server. As soon as the offending PC was removed from the network, the Exchange Server delivered Internet messages again. So the root cause in this case was interference from an infected user PC.
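The check that eventually found the culprit above (outbound port 25 traffic from a host other than the mail server) can be automated; the following is an added example and not part of the original post. It assumes a simple constructed connection-log format, an internal subnet and an allowlist of authorized mail gateways, and flags every other internal host making outbound TCP/25 connections.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records (assumed format): "date time src:sport -> dst:dport proto"
SAMPLE_LOG = """\
2003-02-11 09:14:02 192.168.1.10:3311 -> 203.0.113.5:25 tcp
2003-02-11 09:14:03 192.168.1.77:1054 -> 198.51.100.22:25 tcp
2003-02-11 09:14:03 192.168.1.77:1055 -> 198.51.100.23:25 tcp
2003-02-11 09:14:04 192.168.1.77:1056 -> 192.0.2.40:25 tcp
2003-02-11 09:14:05 192.168.1.10:3312 -> 203.0.113.6:25 tcp
2003-02-11 09:14:06 192.168.1.23:2210 -> 203.0.113.80:80 tcp
2003-02-11 09:14:07 192.168.1.77:1057 -> 203.0.113.99:25 tcp
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S+):\d+ -> (\S+):(\d+) (\w+)$")

INTERNAL = ip_network("192.168.1.0/24")   # assumed LAN range
MAIL_GATEWAYS = {"192.168.1.10"}           # assumed: the Exchange server only

def parse(log):
    """Yield (src, dst, dport, proto) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, dport, proto = m.groups()
            yield src, dst, int(dport), proto

def outbound_smtp_by_host(log):
    """Per internal source: number of outbound TCP/25 connections and distinct destinations."""
    conns, dests = Counter(), defaultdict(set)
    for src, dst, dport, proto in parse(log):
        if proto != "tcp" or dport != 25:
            continue
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            conns[src] += 1
            dests[src].add(dst)
    return {h: (conns[h], len(dests[h])) for h in conns}

def rogue_smtp_senders(log):
    """Internal hosts sending SMTP directly that are not authorized mail gateways."""
    stats = outbound_smtp_by_host(log)
    return {h: s for h, s in stats.items() if h not in MAIL_GATEWAYS}

if __name__ == "__main__":
    for host, (n, d) in rogue_smtp_senders(SAMPLE_LOG).items():
        print(f"unauthorized SMTP sender {host}: {n} connections to {d} distinct hosts")
```

A mass-mailing worm typically shows up as one workstation opening many connections to many distinct external hosts on port 25, which is exactly the pattern the per-host distinct-destination count exposes.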

In the process of analyzing the network traffic on the ancient server, I discovered that Exchange Server 5.5 was vulnerable to reverse NDR attacks. Microsoft had announced the availability of a patch that lets you control the generation and delivery of NDRs, but then apparently decided to withdraw the patch in order to get users to upgrade their software; the patch is no longer available from Microsoft. It can be downloaded here. Installing the patch reduced e-mail traffic on this server by a factor of 10 (!), implying that the bulk of e-mails that were sent out before the patch was installed consisted of NDRs: responses to spam that were undeliverable.