Re: Weird Security log entries

From: don (dbweb2@premiersi.com)
Date: 02/13/03


From: "don" <dbweb2@premiersi.com>
Date: Thu, 13 Feb 2003 10:15:32 -0500


Interesting development. I happened to look in the SMTP service log and
discovered these same entries are there. So, this says that Exchange is
being contacted by other SMTP servers that are trying to authenticate themselves
with my server. By default, Exchange is set up for both "anonymous" and
"windows" authentication, so presumably anytime another Exchange server sent
me mail, they'd try (and fail) authentication with me. Evidently, they fall
back to anonymous and mail flows - but I'd get these events logged anyway.

By a lucky accident, I found the source of my "attacks".

Don

"smarcaurele" <smarcaurele@digitalproquo.com> wrote in message
news:02ea01c2d2f5$7e1d8700$3001280a@phx.gbl...
> Use network monitor preferably the SMS variety to trace
> where the bad logons are coming from - do you have
> internet access?
> >-----Original Message-----
> >Ever since building a Win2K server (with Exchange2K), I have been seeing
> >entries in the Security log that I cannot explain or figure out:
> >
> >They are Failure Audits, Event 529, Category Logon/Logoff
> >The Descriptions are like this (various names show up, this is one example):
> >
> >Logon Failure:
> >Reason: Unknown user name or bad password
> >User Name: FALCON$
> >Domain: BUTLER
> >Logon Type: 3
> >Logon Process: NtLmSsp
> >Authentication Package: NTLM
> >Workstation Name: FALCON
> >
> >I do not recognize the user (computer) names OR the domains listed. I have
> >a firewall and only allow smtp and www through it. I understand the meaning
> >of the event, but I cannot determine where these are coming from or where to
> >turn to find out more about them.
> >
> >help??
> >
> >thanks,
> >
> >don
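
As an added example (not part of the original thread), this Python sketch parses Event 529 description text in the layout quoted above and tallies the pattern Don describes: Logon Type 3 failures via NtLmSsp where the user name is a machine account (trailing `$`) from a domain the server does not know. `KNOWN_DOMAINS` and every sample event except the FALCON/BUTLER one are assumptions constructed for the illustration.

```python
import re
from collections import Counter

# Assumption: domains this server is expected to see; replace with your own.
KNOWN_DOMAINS = {"CORP"}
FIELD_RE = re.compile(r"^[>\s]*([A-Za-z ]+?):\s*(\S.*?)\s*$")

def parse_529(description):
    """Parse one Event 529 description into {field name: value}."""
    fields = {}
    for line in description.splitlines():
        m = FIELD_RE.match(line)  # "Logon Failure:" has no value, so it is skipped
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def is_foreign_machine_ntlm(ev, known=KNOWN_DOMAINS):
    """Network NTLM logon by a machine account from an unrecognised domain."""
    return (ev.get("Logon Type") == "3"
            and ev.get("Logon Process") == "NtLmSsp"
            and ev.get("User Name", "").endswith("$")
            and ev.get("Domain", "").upper() not in known)

def summarize(descriptions):
    """Count matching failures per (domain, workstation) pair."""
    tally = Counter()
    for ev in map(parse_529, descriptions):
        if is_foreign_machine_ntlm(ev):
            tally[(ev["Domain"], ev.get("Workstation Name", "?"))] += 1
    return tally

# Sample input for the example; only the FALCON/BUTLER values come from the thread.
TEMPLATE = """Logon Failure:
Reason: Unknown user name or bad password
User Name: {0}
Domain: {1}
Logon Type: {2}
Logon Process: {3}
Authentication Package: {4}
Workstation Name: {5}
"""
SAMPLE = [
    TEMPLATE.format("FALCON$", "BUTLER", 3, "NtLmSsp", "NTLM", "FALCON"),
    TEMPLATE.format("FALCON$", "BUTLER", 3, "NtLmSsp", "NTLM", "FALCON"),
    TEMPLATE.format("MX1$", "EXAMPLEORG", 3, "NtLmSsp", "NTLM", "MX1"),    # constructed
    TEMPLATE.format("jsmith", "CORP", 2, "User32", "Negotiate", "DESK7"),  # constructed
]

if __name__ == "__main__":
    print(summarize(SAMPLE).most_common())
```

Pairs that recur in the tally are the ones to look up by time in the SMTP service log, which is where Don found the matching entries.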


