Re: SMTPSVC warning messages in system log
From: Denis McDowell [MSFT] (denismcd_at_online.microsoft.com)
Date: 05/18/04
Date: Tue, 18 May 2004 16:29:53 -0400
What you are seeing is NDR traffic for Spam messages sent into your domain
(for instance, Spam sent to john@yourdomain.com, john1@yourdomain.com,
john2@yourdomain.com, etc...). Check the Badmail directory
(exchsrvr\mailroot\vsi1). These files can be examined in Notepad and may
give you an idea of where the mail is coming from.
--
Denis McDowell [MSFT]

"dave" <take@guess.com> wrote in message news:40AA4D2F.67B389E4@guess.com...
> Thanks Denis. We are closed just fine. I did what you said, as far as enabling
> SMTP logging. So far, I don't see any 1708 messages, but I'll keep an eye out.
> We do have password complexity standards for our users which require numbers
> and letters plus at least 6 digits, plus the guest account is disabled, and the
> administrator account has a difficult password. In the meantime, should I just
> delete the messages that are trying to get out? Is it possible this is just some
> sort of glitch, or should I be concerned?
>
> "Denis McDowell [MSFT]" wrote:
>
> > If you have verified that you are closed to relay per
> > http://support.microsoft.com/default.aspx?scid=KB;EN-US;310380, then you may
> > have a compromised account that is being used for authentication. Turn SMTP
> > Protocol Logging to Maximum in the Server > Diagnostics Logging and check
> > for Event ID 1708. This event will identify the account being used. Common
> > culprits are local administrator accounts with blank passwords, username =
> > test\password = test, and others.
> >
> > --
> > Denis McDowell [MSFT]
> > "dave" <take@guess.com> wrote in message news:40AA3959.74B1A1F0@guess.com...
> > > This morning I came in to find a "system log is full" message on our
> > > server screen. When I looked in the log, there are what looks like
> > > hundreds of SMTPSVC warning messages with an event ID 4000. They are
> > > happening every 2 minutes or so. All relaying is disabled for the SMTP
> > > virtual server. Port 80 is closed at our firewall. The message in the
> > > description box says "Message delivery to the remote domain
> > > 'carefulchristianconsumer.com' failed for the following reason: The
> > > remote server did not respond to a connection attempt." When I look in
> > > the Exchange system under the SMTP virtual server Queues, I can see all
> > > the domains listed that are mentioned in the warning messages. There are
> > > about 20 domains altogether, and each one has a total number of one
> > > message, all of them from "postmaster@ourdomain.com". When I double
> > > click on the messages and look at the details tab, the Status: says
> > > "Retry". We are running Symantec Anti-Virus for gateways and keep it up
> > > to date, and I just ran Windows Update last night. We also run Symantec
> > > on our workstations, which are updated weekly. Should I just delete all
> > > these messages, or do I have a major security issue on our hands? We are
> > > still able to send and receive emails in and out of office. There is
> > > nothing unusual that I can see in Task Manager. Inetinfo is using about
> > > 24MB of RAM. Disk space is pretty constant.
> > > We are using Windows 2000SBS patched with the most recent updates.
> > > Thanks.