RE: How do I stop...
From: Gayle Heizer [MSFT] (gaylehei_at_online.microsoft.com)
Date: 11/10/04
- In reply to: HELPME: "How do I stop..."
- Next in thread: HELPME: "RE: How do I stop..."
- Reply: HELPME: "RE: How do I stop..."
Date: Wed, 10 Nov 2004 21:15:35 GMT
It sounds like it is time to change passwords and enforce strong passwords.
Make sure you don't have a guest account enabled or a test account with a
blank password.
If spammers can get a username and password, then they can do authenticated
spam.
NDRs to your users don't mean it came from inside your organization.
They just used their email addresses in the from field and when they got
returned it went to your users. I have had this happen to me.
Start with this article:
310380 How To Prevent Exchange 2000 from Being Used as a Mail Relay in
Windows
http://support.microsoft.com/?id=310380
Follow each link to learn and check your Exchange server so you can make
sure you are locked down.
To Determine Whether an Authenticated User is Relaying
---------------------------------------------------
This section enables logging in the Windows Event Viewer such that any
authentication attempts against the SMTP service (successes or failures)
are logged in the application log.
1. Start Exchange Administrator.
2. Double-click "Servers".
3. Under "Servers", right-click <ServerName>, and then click
"Properties".
4. Click the "Diagnostic Logging" tab.
5. Click "MSExchangeTransport" on the left.
6. On the right, click "SMTP Protocol".
7. Under "Logging Level", click "Maximum".
8. Click "OK" to close "Server Properties".
If a remote user is authenticating against the Exchange Server computer as
part of an operation to relay SMTP e-mail, you will see an event that is
similar to the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:13:24 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client
<remote_computername>. The authentication method was <LOGIN> and the
username was <company\username>.
In this case, if the relaying appears to come from a hacked account
password, go to the Active Directory Users and Computers snap-in and delete
the account, disable the account, or change the password on the account.
I hope this helps.
Gayle
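An added example, not part of the original post: once the diagnostic logging above is at "Maximum", the descriptions of the 1708 events can be exported from the application log and summarized per account to spot the one being used for authenticated relaying. The host names, account names, the non-matching line and the `max_clients` threshold below are constructed assumptions.

```python
import re
from collections import defaultdict

# Description text of event 1708 as quoted in the post. The angle brackets
# around the placeholders are treated as optional.
PATTERN = re.compile(
    r"SMTP Authentication was performed successfully with client "
    r"<?(?P<client>[^<>\s]+?)>?\. The authentication method was "
    r"<?(?P<method>[^<>\s]+?)>? and the username was <?(?P<user>[^<>\s]+?)>?\.?$"
)

def summarize_auth(descriptions, max_clients=2):
    """Group successful SMTP AUTH events by username.

    Returns ({username: sorted client names}, sorted usernames that
    authenticated from more than max_clients distinct clients).
    max_clients is an assumed threshold; tune it to your environment.
    """
    clients_by_user = defaultdict(set)
    for desc in descriptions:
        # Exported descriptions are often wrapped; collapse all whitespace.
        m = PATTERN.search(" ".join(desc.split()))
        if m:
            clients_by_user[m["user"].lower()].add(m["client"].lower())
    flagged = sorted(u for u, c in clients_by_user.items() if len(c) > max_clients)
    return {u: sorted(c) for u, c in clients_by_user.items()}, flagged

# Constructed sample data (not real log output).
TEMPLATE = ("SMTP Authentication was performed successfully with client {}. "
            "The authentication method was LOGIN and the\nusername was {}.")
SAMPLE = [TEMPLATE.format(client, user) for client, user in [
    ("ws01", r"EXAMPLE\jdoe"),
    ("host-a.example.net", r"EXAMPLE\test"),
    ("host-b.example.net", r"EXAMPLE\test"),
    ("host-c.example.org", r"EXAMPLE\test"),
    ("ws01", r"EXAMPLE\jdoe"),
]] + ["An unrelated event description that must be ignored."]

if __name__ == "__main__":
    by_user, flagged = summarize_auth(SAMPLE)
    for user, clients in sorted(by_user.items()):
        mark = "  <-- review this account" if user in flagged else ""
        print(f"{user}: {len(clients)} client(s) {clients}{mark}")
```

An account flagged here is a candidate for the password change or disable step described in the post.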