Re: Logon 529 Errors
- From: "SteveB" <newsgroup@xxxxxxxxxx>
- Date: Wed, 19 Nov 2008 07:17:56 -0800
Default SMTP Virtual Server properties-Access tab-Relay
"Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AA2DCA1B-B364-4F03-A21D-D237F9D54670@xxxxxxxxxxxxxxxx
Dave,
I would like to check the SMTP settings you suggested earlier for the relay settings. I am not sure where they are located. I am using Small Business Server 2003. Can you tell me the location of the settings to check?
Thanks,
Terry
"Dave Nickason [SBS MVP]" wrote:
Right. If you have ISA installed, you can create a query that looks for
denied connections on port 25. I don't think there's anything useful for
this in the IIS logs (they're in windows\system32\logfiles if you want to
look).
Terry, for connection filtering, I use the Zen block list from http://www.spamhaus.org/index.lasso. I've been very happy with that, and it blocks a lot of spam - I performance monitor for this and in 24 days of uptime, it's blocked over 6400 connections. I believe that once a connection has been found (or not) on the black list, my DNS server caches the lookup, so that would be 6400 unique IP addresses that have been blocked in the 24 days.
Connection filtering is different from what inna is attempting, though - connection filtering applies to incoming mail, which is anonymous. Inna is attempting to log in to see if my server is configured to allow relay from authenticated users outside my domain. Connection filtering doesn't help with this.
"SteveB" <newsgroup@xxxxxxxxxx> wrote in message
news:uPYK$3bSJHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
Dave said ISA log, not IIS log. It's probably unrealistic to think you can block IPs from all the many potential sources of these SMTP login attempts. Have strong passwords and uncheck the allow relay box as Dave said.
"Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5261937F-FD0B-4874-93D2-41B51E3AC626@xxxxxxxxxxxxxxxx
Where can I check my IIS log?
Are you using a block list to block IPs on connection filtering? If so, which one are you using?
Thanks again, I am out of the office for today,
Terry
"Dave Nickason [SBS MVP]" wrote:
I don't know of any way to remedy this other than to block inna's IP address. But, in looking at my ISA logs, I'm getting denied connections from a pretty extensive list of IPs. I don't think it would be practical to start blocking them all manually. I just made sure that in the relay restrictions in my smtp virtual server, the box is not checked to allow connections from any computer that authenticates. That way, even if inna manages to come up with a working username and password combination, he/she will not be able to send mail through my server.
"Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:01D3E4FF-E8C5-4B2A-BF21-E78E37C5503D@xxxxxxxxxxxxxxxx
Steve Or Dave,
Is there any way of blocking inna?
For the type 3 errors, I was not receiving them until about 1 month ago. Was there a Windows update that changed something, or can I change some settings on our PCs to eliminate the errors?
Thanks for your responses!
"SteveB" wrote:
Agree inna is very active out there.
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ets4N4ZSJHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
Logon type 3 is usually from elsewhere on your network. In this case, I'll bet if you look in Task Manager, you'll find that Process ID 2064 is inetinfo.exe. See "Logon Type Codes Revealed" at http://www.windowsecurity.com/articles/Logon-Types.html
These are almost surely SMTP logon attempts, and you can ignore them. I've been getting several attempts a day from inna, who is apparently busily trying to find mail servers to relay through.
"Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5F868939-C077-493F-9D12-807D0D62C097@xxxxxxxxxxxxxxxx
I am receiving daily errors in my security logs for logon 529 errors. Our local tech said they are happening on our network and that they are not someone trying to hack into our system. I would like other opinions. The errors I am receiving are:
Logon Failure:
Reason: Unknown user name or bad password
User Name: inna
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: DELLSERVER
Caller User Name: DELLSERVER$
Caller Domain: DELLNET
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2064
Transited Services: -
Source Network Address: -
Source Port: -
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain: DELLSERVER
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DELLSERVER
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.3
Source Port: 57596
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain: DELLSERVER
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DELLSERVER
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.3
Source Port: 54894
Thanks,
Terry
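
Dave's reply ties the first event to a service by looking up its Caller Process ID in Task Manager, while the other two events carry a Source Network Address instead. The same triage as an added Python example, which is not part of the original thread: the PID-to-name mapping is an assumption the admin supplies (the thread only guesses that 2064 is inetinfo.exe), and the sample records are two of the events quoted above, abridged.

```python
from collections import Counter

# Two of the event 529 records quoted in the thread, abridged to the fields used here.
SAMPLE = """\
Logon Failure:
User Name: inna
Domain:
Logon Type: 3
Logon Process: Advapi
Caller User Name: DELLSERVER$
Caller Process ID: 2064
Source Network Address: -
Logon Failure:
User Name:
Domain: DELLSERVER
Logon Type: 3
Logon Process: NtLmSsp
Caller Process ID: -
Source Network Address: 192.168.1.3
Source Port: 57596
"""

def parse_events(text):
    """Split pasted event text into one dict of fields per 'Logon Failure:' record."""
    events = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Logon Failure":
            events.append({})
        elif events and key:
            events[-1][key] = "" if value == "-" else value  # "-" means not recorded
    return events

def classify(ev, pid_names):
    """Label a failure by where the credential check came from."""
    pid = ev.get("Caller Process ID", "")
    if ev.get("Logon Process") == "Advapi" and pid:
        # A process on the server itself validated the credentials (e.g. SMTP AUTH).
        name = pid_names.get(pid, "unknown process")
        return f"local service {name} (PID {pid}), user '{ev.get('User Name', '')}'"
    if ev.get("Source Network Address"):
        return f"network logon from {ev['Source Network Address']}"
    return "unclassified"

def summarize(text, pid_names):
    """Count failures per origin so repeated attempts collapse into one line each."""
    return Counter(classify(e, pid_names) for e in parse_events(text))

if __name__ == "__main__":
    # PID-to-name mapping is an assumption: the thread only guesses 2064 is inetinfo.exe.
    for origin, n in summarize(SAMPLE, {"2064": "inetinfo.exe"}).items():
        print(n, origin)
```

Events that land in the "local service" bucket have no source address in the security log, so the remote IP has to come from the service's own log or the firewall log, as the replies about the ISA log point out.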