RE: Exchange Servers Relaying Mail No matter what settings

From: Val Tuckett [MSFT] (valt_at_online.microsoft.com)
Date: 05/10/04 

Date: Mon, 10 May 2004 23:39:57 GMT

>I have a minimum of 3 clients that have Exchange 2000 or Exchange 2003 and
since about a week or two ago they are just relaying mail like crazy. No
configuration will stop it. The only one that doesn't relay has Mail
Marshal as front end.

Each Server has a Firewall with SMTP command Filtering in front.
All the Settings are good.
All patches are applied.

Possible New Bug. How to proceed...
>

It is possible an account within your environment(s) has been compromised
and are being used to relay e-mail as an 'authenticated user'.

To determine the account that is being used for authenticated relay on the
Exchange 2000/2003 Server, follow these steps:
   1. On the Exchange server, save and then clear all events in the
application log.
   2. Start the Exchange System Manager program.
   3. Go to the Properties of the Exchange 2000 Server
   4. Select the Diagnostic Logging tab
   5. Highlight MSExchangeTransport
   6 In the right pane, select SMTP PROTOCOL
   7. Click the MAXIMUM radial button at the bottom to enable maximum
logging for SMTP Protocol.
   8. To force the user to resend the username and password, restart the
SMTP Service.
   9. Examine the Application log and look for event 1708, this should show
you the account Auth Login event which will indicated that this account is
Authenticating with the Exchange server to send relayed e-mail from the
server.

         Event Type: Warning
         Event Source: MSExchangeTransport
         Event Category: SMTP Protocol
         Event ID: 1708
         Description: SMTP Authentication was performed successfully with
client
         "hostname". The authentication method was "LOGIN" and the
username was
         "Domain-or-Server\AccountName".

If this is occurring, to start with, enforce a reasonably secure account
policy for your domain, and re-set all user passwords.

Then verify your settings using the following articles:
Verified the server is not defined as a RELAY as per
    310380 HOW TO: Prevent Exchange 2000 from Being Used as a Mail Relay in
Windows
    http://support.microsoft.com/?id=310380
OR if your using SBS
    324958 HOW TO: Block Open SMTP Relaying and Clean Up Exchange Server
SMTP
    http://support.microsoft.com/?id=324958

Regards,
Val 

----
Val Tuckett
Microsoft PSS
This posting is provided 'AS IS' with no warranties and confers no rights.
Please do not send email directly to this alias.  This alias is for 
newsgroup purposes only.