Exchange Message Trace 255.255.255.255 original_client_ip

dgrooman 1 Reputation point
2022-07-15T16:22:04.947+00:00

I'm a new admin for our 365 exchange and I've noticed some unusual activity. When I run a message trace it shows emails coming from postmaster@ourdomain; however, we do not have that as an email address. I checked the return path and it has the same address, so it looks like it's coming from our domain but the message is undeliverable. When I run a report it shows the original_client_id as 255.255.255.255. Is that due to malware on our system? I've counted 4,600+ emails from postmaster@ourdomain we sent out to other email addresses during the last 90 days.

In addition, we have suspicious sign-in activity. Our Azure sign-in logs show one of our users signing in successfully from Nigeria. There are other users that are signing in successfully from other states. With the successful sign-ins that were not local, I forced a sign-out and changed their password. There are also a larger number of unsuccessful sign-ins from different countries. Any ideas on the cause and what I can do to mitigate this? Thanks, Dave

Exchange Server Management

1 answer

  1. Dillon Silzer 52,736 Reputation points
    2022-07-15T16:50:51.577+00:00

    1) The postmaster is an external address meant for sending out "system-generated messages and notifications sent to message senders that exist outside your Microsoft Exchange Online organization."

    Configure the external postmaster address in Exchange Online

    https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/configure-external-postmaster-address

    2) To mitigate further attacks I would recommend you set up MFA for your organization as a good start. You cannot stop unsuccessful sign-in notifications as bots/people may be trying to attack that e-mail all the time (brute force, etc.).

    Set up multifactor authentication for Microsoft 365

    https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide


    If this helps please mark as correct answer.

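Added example, not part of the original thread and not Microsoft tooling: a Python triage of exported sign-in records for the situation in the question, separating successful sign-ins from unexpected countries or states (accounts to sign out and reset) from clusters of failed sign-ins. Field names follow the Microsoft Graph signIn resource; the `HOME` map, the `SPRAY_USERS` threshold and all sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample export. Field names follow the Microsoft Graph signIn
# resource; the users, IPs, times and locations are made up.
SAMPLE = json.loads("""[
{"createdDateTime":"2022-07-14T03:12:09Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"NG","state":"Lagos"},"status":{"errorCode":0}},
{"createdDateTime":"2022-07-14T13:02:41Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.5","location":{"countryOrRegion":"US","state":"Ohio"},"status":{"errorCode":0}},
{"createdDateTime":"2022-07-14T13:40:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.9","location":{"countryOrRegion":"US","state":"Texas"},"status":{"errorCode":0}},
{"createdDateTime":"2022-07-14T04:00:01Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.44","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126}},
{"createdDateTime":"2022-07-14T04:00:03Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.44","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126}},
{"createdDateTime":"2022-07-14T04:00:05Z","userPrincipalName":"erin@example.com","ipAddress":"192.0.2.44","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126}},
{"createdDateTime":"2022-07-14T09:15:30Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.77","location":{"countryOrRegion":"BR"},"status":{"errorCode":50126}}
]""")

HOME = {"US": {"Ohio"}}   # assumption: expected country -> expected states
SPRAY_USERS = 3           # assumption: one IP failing against >= 3 accounts

def triage(records, home=HOME, spray_users=SPRAY_USERS):
    """Split sign-ins into non-local successes and failure clusters."""
    non_local, users_by_ip, fails_by_country = [], defaultdict(set), Counter()
    for r in records:
        loc = r.get("location") or {}
        country = loc.get("countryOrRegion") or "unknown"
        state = loc.get("state") or ""
        user, ip = r["userPrincipalName"], r["ipAddress"]
        # errorCode 0 is success; any other code is counted as unsuccessful
        # here (50126 is "invalid username or password").
        if (r.get("status") or {}).get("errorCode") == 0:
            states = home.get(country)   # empty set = any state is accepted
            if states is None or (states and state not in states):
                non_local.append((r["createdDateTime"], user, country, state, ip))
        else:
            users_by_ip[ip].add(user)
            fails_by_country[country] += 1
    return {
        # accounts whose sessions should be revoked and passwords reset
        "review_accounts": sorted({row[1] for row in non_local}),
        "non_local_successes": sorted(non_local),
        # many accounts failing from one address suggests password spraying
        "spray_sources": {ip: sorted(u) for ip, u in users_by_ip.items()
                          if len(u) >= spray_users},
        "failures_by_country": dict(fails_by_country),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```
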