Re: Logon 529 Errors
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 18 Nov 2008 17:09:26 -0500
Right. If you have ISA installed, you can create a query that looks for denied connections on port 25. I don't think there's anything useful for this in the IIS logs (they're in windows\system32\logfiles if you want to look).
Terry, for connection filtering, I use the Zen block list from http://www.spamhaus.org/index.lasso. I've been very happy with that, and it blocks a lot of spam - I performance monitor for this and in 24 days of uptime, it's blocked over 6400 connections. I believe that once a connection has been found (or not) on the black list, my DNS server caches the lookup, so that would be 6400 unique IP addresses that have been blocked in the 24 days.
Connection filtering is different from what inna is attempting, though - connection filtering applies to incoming mail, which is anonymous. Inna is attempting to log in to see if my server is configured to allow relay from authenticated users outside my domain. Connection filtering doesn't help with this.
"SteveB" <newsgroup@xxxxxxxxxx> wrote in message news:uPYK$3bSJHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
Dave said ISA log not IIS log. It's probably unrealistic to think you can block IPs from all the many potential sources of these SMTP login attempts. Have strong passwords and uncheck the allow relay box as Dave said.
"Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:5261937F-FD0B-4874-93D2-41B51E3AC626@xxxxxxxxxxxxxxxx
Where can I check my IIS log?
Are you using a block list to block IPs on connection filtering? If so,
which one are you using?
Thanks again, I am out of the office for today,
Terry
"Dave Nickason [SBS MVP]" wrote:
I don't know of any way to remedy this other than to block inna's IP
address. But, in looking at my ISA logs, I'm getting denied connections
from a pretty extensive list of IPs. I don't think it would be practical to
start blocking them all manually. I just made sure that in the relay
restrictions in my smtp virtual server, the box is not checked to allow
connections from any computer that authenticates. That way, even if inna
manages to come up with a working username and password combination, he/she
will not be able to send mail through my server.
"Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:01D3E4FF-E8C5-4B2A-BF21-E78E37C5503D@xxxxxxxxxxxxxxxx
> Steve or Dave,
> Is there any way of blocking inna?
>
> For the type 3 errors I was not receiving them until about 1 month ago. Was
> there a windows update that changed something or can I change some settings
> on our pc's to eliminate the errors?
>
> Thanks for your responses!
>
> "SteveB" wrote:
>
>> Agree inna is very active out there.
>>
>> "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
>> message
>> news:ets4N4ZSJHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
>> > Logon type 3 is usually from elsewhere on your network. In this case,
>> > I'll bet if you look in Task Manager, you'll find that Process ID 2064 is
>> > inetinfo.exe. See "Logon Type Codes Revealed" at
>> > http://www.windowsecurity.com/articles/Logon-Types.html
>> >
>> > These are almost surely SMTP logon attempts, and you can ignore them.
>> > I've been getting several attempts a day from inna, who is apparently
>> > busily trying to find mail servers to relay through.
>> >
>> >
>> >
>> > "Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > news:5F868939-C077-493F-9D12-807D0D62C097@xxxxxxxxxxxxxxxx
>> >> I am receiving daily errors in my security logs for logon 529 errors. Our
>> >> local tech said they are happening on our network and that they are not
>> >> someone trying to hack into our system. I would like other opinions. The
>> >> errors I am receiving are:
>> >>
>> >> Logon Failure:
>> >> Reason: Unknown user name or bad password
>> >> User Name: inna
>> >> Domain:
>> >> Logon Type: 3
>> >> Logon Process: Advapi
>> >> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> >> Workstation Name: DELLSERVER
>> >> Caller User Name: DELLSERVER$
>> >> Caller Domain: DELLNET
>> >> Caller Logon ID: (0x0,0x3E7)
>> >> Caller Process ID: 2064
>> >> Transited Services: -
>> >> Source Network Address: -
>> >> Source Port: -
>> >>
>> >> Logon Failure:
>> >> Reason: Unknown user name or bad password
>> >> User Name:
>> >> Domain: DELLSERVER
>> >> Logon Type: 3
>> >> Logon Process: NtLmSsp
>> >> Authentication Package: NTLM
>> >> Workstation Name: DELLSERVER
>> >> Caller User Name: -
>> >> Caller Domain: -
>> >> Caller Logon ID: -
>> >> Caller Process ID: -
>> >> Transited Services: -
>> >> Source Network Address: 192.168.1.3
>> >> Source Port: 57596
>> >>
>> >>
>> >> Logon Failure:
>> >> Reason: Unknown user name or bad password
>> >> User Name:
>> >> Domain: DELLSERVER
>> >> Logon Type: 3
>> >> Logon Process: NtLmSsp
>> >> Authentication Package: NTLM
>> >> Workstation Name: DELLSERVER
>> >> Caller User Name: -
>> >> Caller Domain: -
>> >> Caller Logon ID: -
>> >> Caller Process ID: -
>> >> Transited Services: -
>> >> Source Network Address: 192.168.1.3
>> >> Source Port: 54894
>> >>
>> >>
>> >> Thanks,
>> >> Terry
>> >>
>> >>
>> >
>>
>>
>>
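One way to triage failures like the ones quoted in this thread, as an added example that is not from any of the posters: it parses exported event 529 descriptions and separates failures checked by a process on the server itself (Advapi, no source address, as in the SMTP case Dave describes) from NTLM network logons that carry a source address. The sample text is constructed from fields shown in the thread, and the function and category names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the event 529 descriptions quoted in the thread.
SAMPLE = """\
Logon Failure:
User Name: inna
Logon Process: Advapi
Caller Process ID: 2064
Source Network Address: -
Logon Failure:
User Name:
Logon Process: NtLmSsp
Caller Process ID: -
Source Network Address: 192.168.1.3
Logon Failure:
User Name:
Logon Process: NtLmSsp
Caller Process ID: -
Source Network Address: 192.168.1.3
"""

def parse_events(text):
    """Split on 'Logon Failure:' and turn each record into a field dict."""
    text = re.sub(r"^[> \t]+", "", text, flags=re.M)  # drop mail quote markers
    events = []
    for chunk in re.split(r"^Logon Failure:[ \t]*$", text, flags=re.M)[1:]:
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # "-" and blank both mean "not recorded"
                fields[key.strip()] = "" if value.strip() == "-" else value.strip()
        events.append(fields)
    return events

def classify(ev):
    """Return (category, user, where to look next) for one failure record."""
    user = ev.get("User Name") or "(blank)"
    proc = ev.get("Logon Process", "").lower()
    src = ev.get("Source Network Address", "")
    if proc == "advapi" and not src:
        # Credentials were checked by a process on the server; the PID names it.
        return ("local-service", user, "pid " + (ev.get("Caller Process ID") or "?"))
    if proc == "ntlmssp" and src:
        return ("network-ntlm", user, src)
    return ("other", user, src or "?")

def summarize(text):
    return Counter(classify(ev) for ev in parse_events(text))
```

For a `local-service` row, match the PID against Task Manager to identify the service, then use that service's own logs (or the firewall log, as suggested in the thread) to find the remote address that the security event does not record.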