This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 66%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I'm a new admin for our 365 exchange and I've noticed some unusual activity. When I run a message trace it shows emails coming from postmaster@ourdomain however we do not have that as an email address. I checked the return path and it has the same address, so it looks like it's coming from our domain but the message is undeliverable. When I run a report it shows the original_client_id as 255.255.255.255. Is that due to malware on our system? I've counted 4,600+ emails from postmaster@ourdomain we sent out to other email addresses during the last 90 days.
In addition, we have suspicious sign-in activity. Our Azure sign-in logs show one of our users signing in successfully from Nigeria. There are other users that are signing in successfully from other states. With the successful sign-ins that were not local, I forced a sign-out and changed their password. There are also a larger number of unsuccessful sign-in from different countries. Any ideas on the cause and what I can do to mitigate this? Thanks, Dave
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @dgrooman
Yes, generally the postmaster@yourdomain generate NDRs from your own server. It usually occurs when you are accepting messages for recipients that do not exist in your organization.
You could share the complete example here, and note to clear your personal information.
And MFA is a good choice for your login option.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @dgrooman
Is there any update about your question so far?
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
1) The postmaster is an external address meant for sending out "system-generated messages and notifications sent to message senders that exist outside your Microsoft Exchange Online organization."
Configure the external postmaster address in Exchange Online
2) To mitigate further attacks I would recommend you set up MFA for your organization as a good start. You cannot stop unsuccessful sign-in notifications as bots/people may be trying to attack that e-mail all the time (brute force, etc).
Set up multifactor authentication for Microsoft 365
If this helps please mark as correct answer.