Users are flooded with NDR emails (GraphTransactionItem)

Copper Contributor

Hello! We desperately need help in determining where thousands of NDR emails are coming from. This is Exchange Online only, not a hybrid deployment. 

About a month ago all mailboxes on one of the domains started receiving NDR emails with a subject similart to this: "Undeliverable: GraphTransactionItem:gti gti.TransactionId:8ab6ade9-1783-4d96-xxxx-b7a2b1df83fb gti.Name:UpdateSecondaryShallowCopy”. The transaction names sometimes are different, and so far we got emails with 4 types of Graph transactions:

• PropagateActionToSubscribers
• UpdateSecondaryShallowCopy
• DeleteSecondaryShallowCopy
• PublicRelationshipNodePropagation.

 

Microsoft Support engineers have no idea what is going on and how to resolve this issue, and our users are getting very impatient since they all are receiving thousands of NDR emails per week.

 

We tried to create transport rules to stop those emails but somehow they have no effect, and so does the NDR backscatter setting.

 

All emails are sent from Microsoft Outlook
<MicrosoftExchange329e71ec88ae4615bbc36ab6ce99999e@domainname.onmicrosoft.com> and all users on that domain receive them. There are also multiple addresses similar to this SPO_Arbitration_d91eee03-1846-9999-ab71-8b51cdb7f4df@domainname.onmicrosoft.com to which the GraphTransactionItem emails are sent but fail to be delivered (#Receive, Fail). This has made me think that it has something to do with arbitration mailboxes. I’m not an Exchange expert, my specialty is SharePoint, so I could only guess. But hopefully this will make sense to someone and this mistery will be solved! :)

 

If this might helps, I can provide a sample of the NDR email.

 

Elena.

8 Replies

Can you post the support incident number? This might help some of the Exchange engineers look into the problem.

 

It certainly seems like something odd is happening somewhere along the line... The name "graph transaction item" might make you think that it has something to do with providing the Office Graph with some data, but it could be something completely different!

Our open support ticket # is 617010594021142. There's also this thread addressing the same issue, but no solution so far. 

I just had an email also go out with GraphTransactionItem in the subject. No body. It was sent from my email address, though, and that is strange. We only saw this one, I guess we'll hold off on a ticket unless we see a second?

One of my users is reporting this today. I can pull the message in the search center, no info in it at all, and just the weird subject line. Users think they are being spoofed.

I just had a few more of these this week coming from my email address. I have no clue what these are. 

I had an email go out to some of my colleagues with the subject GraphTransactionItem:gti gti.TransactionId:b724c242-5606-41b5-8666-b5b0ce9c78e6 gti.Name:PropagateItemUpdate

 

I just want to know what is this, this email was not in my sent items.

Same for me. I made a ticket with Microsoft, and they ultimately said, "It came from you, it's your problem". They still come through every once in awhile. Mine sends to like 7 people or so, and it's always the same people. Don't know what the correlation is though.