Event ID: 2013 Source: smtpsvc

Description
SMTP could not connect to any DNS server. Either none are configured, or all are down.
Comments
 
We encountered this error when our Exchange machine would not send any mail outside our company. Our queue was growing out of control. We found out that the mail exchange record was pointing to a machine that was no longer on the network. It was another domain controller that had been taken out of commission for hardware failure. This, however, was caused by a manual DNS entry on our internal DNS server which overrode the dynamic process under the Virtual SMTP Server properties, Delivery tab. Once the entry was deleted or modified to point to the correct machine (the Exchange machine), a simple restart of the server wrapped it up. The entire queue was sent.
1. I think I have at least found the reasons for these errors (SMTP 2012 & 2013) and here is how I fixed them completely. The errors seem to be caused by excessive UDP traffic to the DNS server (internal in most cases) due to a large number of NDR messages waiting to be sent from the Exchange queue.
2. It appears the errors are coming from getting DNS info for NDR records (non delivery reports). Each time a spam message is sent to your server to an unknown address, the server swallows the message and then attempts to send the original sender back a message saying no such person exists.
3. Look under “C:\Program Files\Exchsrvr\Mailroot\vsi1\Queue” and you will probably see thousands of messages waiting to be sent out of the queue. Unless you have a very busy server or a low bandwidth internet connection, all messages that are in the queue are trying to be delivered to a server that does not exist (fake FROM addresses from spammers). You can open these with Outlook Express and see they are just NDR reports being sent back to e-mail spammers informing them that the user does not exist on the server. The reason these are in the queue is because the server cannot deliver the messages because there are no servers at these fake spammer FROM addresses.
4. So I think the Exchange server is creating too much UDP traffic to the DNS to get these NDR reports delivered (these errors in most cases are thereby harmless). The NDR reports cannot be delivered because spammers use fake FROM addresses, so your server attempts to send these for up to 48 hours and then gives up and erases them. So much spam continues day after day to be sent to unknown users that this queue just keeps staying at a very large size. Below is how you get Exchange to not accept messages for users that do not exist on your domains. This will reduce traffic on your server and eliminate your SMTP errors on your server.
5. Exchange by default produces an NDR report for every e-mail sent to an incorrect address. For example, if a person sends an e-mail to nobody@tymer.com, then the server actually takes the message, sees that it cannot be delivered, then sends an NDR (non delivery report) to the sender's FROM address telling them that the e-mail address does not exist. A side effect of my fix below is that if a spammer is actually using a legitimate server he could check all known common names on your server and figure out some addresses that actually exist on your server. This is the fix I used to resolve the problem:

a. Load Exchange System Manager and then click the + on Global Settings.
b. Right click on Delivery options and choose Properties.
c. Click on the tab for "Recipient Filtering".
d. I checked the box for "filter recipients that are not in the directory". Once this box is checked, the server gives you a message that you still have to make another setting to complete the process, as described in the next step.
e. As a final setting you have to go to the SMTP Virtual Server (also in the Exchange System Manager under the server), right click on the SMTP virtual server and choose Properties. Now go to Advanced for the IP address and click EDIT for the IP address (usually unassigned) and you will see a check box that says "Apply Recipient Filter". Check that box.
f. Now this will stop the Exchange server from taking a message to a user that does not exist on your domains (Active Directory in this case) and sending NDR reports back to the spammers, reducing traffic on the server.
You can also delete all the messages currently in your Exchange queue by stopping the SMTP server, deleting all the files under “C:\Program Files\Exchsrvr\Mailroot\vsi1\Queue” and restarting the SMTP service. Remember these messages are not delivered because the addresses they are being sent to do not exist (unless you have an extremely busy server and very low bandwidth, in which case you better open some of them and verify they are all junk). This fix resolved the problem for me.
Connection to a DNS server has failed. I solved this by setting a valid DNS server in the SMTP service.
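
One of the comments above advises opening queued files to verify they are all junk before emptying the queue folder. As an added example (not part of the original comments), this Python script does that check in bulk, classifying each file as an NDR or as mail that needs review. It assumes the queue files parse as RFC 822 messages and that NDRs are `multipart/report` delivery status notifications; the sample messages and file names are constructed.

```python
import email
import tempfile
from collections import Counter
from email.utils import parseaddr
from pathlib import Path

# Constructed sample messages (not taken from the page or a real queue).
SAMPLE_NDR = (
    b"From: postmaster@corp.example\r\n"
    b"To: promo@no-such-host.example\r\n"
    b"Subject: Delivery Status Notification (Failure)\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n'
    b"\r\n--b1\r\nContent-Type: text/plain\r\n\r\nUnknown user.\r\n"
    b"--b1\r\nContent-Type: message/delivery-status\r\n\r\n"
    b"Final-Recipient: rfc822;nobody@corp.example\r\nStatus: 5.1.1\r\n\r\n--b1--\r\n"
)
SAMPLE_MAIL = (b"From: alice@corp.example\r\nTo: bob@partner.example\r\n"
               b"Subject: Q3 invoice\r\n\r\nPlease see attached.\r\n")

def classify(raw: bytes) -> tuple:
    """Return (kind, destination domain) for one queued message."""
    msg = email.message_from_bytes(raw)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower() == "delivery-status")
    domain = parseaddr(str(msg.get("To", "")))[1].rpartition("@")[2].lower()
    return ("ndr" if is_dsn else "other", domain)

def triage_queue(queue_dir: Path) -> dict:
    """Count NDRs per destination domain; list everything else for manual review."""
    ndr_domains, review = Counter(), []
    for path in sorted(queue_dir.iterdir()):
        if not path.is_file():
            continue
        kind, domain = classify(path.read_bytes())
        if kind == "ndr":
            ndr_domains[domain] += 1
        else:
            review.append(path.name)
    return {"ndr": sum(ndr_domains.values()), "ndr_domains": ndr_domains, "review": review}

def demo() -> dict:
    """Build a throwaway queue folder from the constructed samples and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        q = Path(tmp)
        (q / "msg0001.eml").write_bytes(SAMPLE_NDR)
        (q / "msg0002.eml").write_bytes(SAMPLE_NDR.replace(b"no-such-host", b"other-fake"))
        (q / "msg0003.eml").write_bytes(SAMPLE_MAIL)
        return triage_queue(q)

if __name__ == "__main__":
    print(demo())
```

Anything listed under `review` is not a delivery status notification and should be opened before the folder is emptied; the per-domain counts show which unreachable sender domains are holding the queue open.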
