Re: Logon 529 Errors
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Nov 2008 11:38:01 -0500
In ESM, expand Servers -> YourSBS -> Protocols and select SMTP. In the right pane, r-click the Default SMTP Virtual Server -> Properties. On the Access tab, click Relay. I have the SBS's internal IP and 127.0.0.1, and the check box at the bottom is cleared (allow computers which successfully authenticate to relay). There's a good chance this is what you'll find on your own server, but I can't remember whether or not that box is checked by default.
"Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:2D63A840-B831-42E8-ACEB-1D43DE114EF8@xxxxxxxxxxxxxxxx
Steve,
Are you working on SBS 2003? I open the ESM and go to servers and do a right
click for properties and do not see the Access tab. Is there another way to
access the SMTP?
Thanks,
Terry
"SteveB" wrote:
Default SMTP Virtual Server properties-Access tab-Relay
"Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AA2DCA1B-B364-4F03-A21D-D237F9D54670@xxxxxxxxxxxxxxxx
> Dave,
>
> I would like to check the SMTP settings you suggested earlier for the
> relay
> settings. I am not sure where they are located. I am using Small > Business
> server 2003. Can you tell me the location of the settings to check?
>
> Thanks,
> Terry
>
> "Dave Nickason [SBS MVP]" wrote:
>
>> Right. If you have ISA installed, you can create a query that looks >> for
>> denied connections on port 25. I don't think there's anything useful >> for
>> this in the IIS logs (they're in windows\system32\logfiles if you want >> to
>> look).
>>
>> Terry, for connection filtering, I use the Zen block list from
>> http://www.spamhaus.org/index.lasso. I've been very happy with that, >> and
>> it
>> blocks a lot of spam - I performance monitor for this and in 24 days >> of
>> uptime, it's blocked over 6400 connections. I believe that once a
>> connection has been found (or not) on the black list, my DNS server
>> caches
>> the lookup, so that would be 6400 unique IP addresses that have been
>> blocked
>> in the 24 days.
>>
>> Connection filtering is different from what inna is attempting, >> though -
>> connection filtering applies to incoming mail, which is anonymous. >> Inna
>> is
>> attempting to log in to see if my server is configured to allow relay
>> from
>> authenticated users outside my domain. Connection filtering doesn't >> help
>> with this.
>>
>>
>> "SteveB" <newsgroup@xxxxxxxxxx> wrote in message
>> news:uPYK$3bSJHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
>> > Dave said ISA log not IIS log. Its probably unrealistic to think you
>> > can
>> > block IPs from all the many potential sources of these SMTP login
>> > attempts. Have strong passwords and uncheck the allow relay box as >> > Dave
>> > said.
>> >
>> > "Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > news:5261937F-FD0B-4874-93D2-41B51E3AC626@xxxxxxxxxxxxxxxx
>> >> Where can I check my IIS log?
>> >>
>> >> Are you using a block list to block IP's on connection filtering? >> >> If
>> >> so
>> >> which one are you using?
>> >>
>> >> Thanks Again I am out of the office for today,
>> >> Terry
>> >>
>> >> "Dave Nickason [SBS MVP]" wrote:
>> >>
>> >>> I don't know of any way to remedy this other than to block inna's >> >>> IP
>> >>> address. But, in looking at my ISA logs, I'm getting denied
>> >>> connections
>> >>> from a pretty extensive list of IPs. I don't think it would be
>> >>> practical
>> >>> to
>> >>> start blocking them all manually. I just made sure that in the >> >>> relay
>> >>> restrictions in my smtp virtual server, the box is not checked to
>> >>> allow
>> >>> connections from any computer that authenticates. That way, even >> >>> if
>> >>> inna
>> >>> manages to come up with a working username and password >> >>> combination,
>> >>> he/she
>> >>> will not be able to send mail through my server.
>> >>>
>> >>> "Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >>> news:01D3E4FF-E8C5-4B2A-BF21-E78E37C5503D@xxxxxxxxxxxxxxxx
>> >>> > Steve Or Dave,
>> >>> > Is there any wany of blocking inna?
>> >>> >
>> >>> > For the type 3 errors I was not receiving them until about 1 >> >>> > month
>> >>> > ago.
>> >>> > Was
>> >>> > there a windows update that changed something or can I change >> >>> > some
>> >>> > settings
>> >>> > on our pc's to eliminate the errors?
>> >>> >
>> >>> > Thanks for your responses!
>> >>> >
>> >>> > "SteveB" wrote:
>> >>> >
>> >>> >> Agree inna is very active out there.
>> >>> >>
>> >>> >> "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> >> >>> >> wrote
>> >>> >> in
>> >>> >> message
>> >>> >> news:ets4N4ZSJHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
>> >>> >> > Logon type 3 is usually from elsewhere on your network. In >> >>> >> > this
>> >>> >> > case,
>> >>> >> > I'll bet if you look in Task Manager, you'll find that >> >>> >> > Process
>> >>> >> > ID
>> >>> >> > 2064
>> >>> >> > is
>> >>> >> > inetinfo.exe. See "Logon Type Codes Revealed" at
>> >>> >> > http://www.windowsecurity.com/articles/Logon-Types.html
>> >>> >> >
>> >>> >> > These are almost surely SMTP logon attempts, and you can >> >>> >> > ignore
>> >>> >> > them.
>> >>> >> > I've been getting several attempts a day from inna, who is
>> >>> >> > apparenty
>> >>> >> > busily trying to find mail servers to relay through.
>> >>> >> >
>> >>> >> >
>> >>> >> >
>> >>> >> > "Terry1337" <Terry1337@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> >>> >> > message
>> >>> >> > news:5F868939-C077-493F-9D12-807D0D62C097@xxxxxxxxxxxxxxxx
>> >>> >> >>I am receiving daily errors in my security logs for logon 529
>> >>> >> >>errors.
>> >>> >> >>Our
>> >>> >> >> local tech said they are happening on our network and that >> >>> >> >> they
>> >>> >> >> are
>> >>> >> >> not
>> >>> >> >> someone trying to hack into our system. I would like other
>> >>> >> >> opinions.
>> >>> >> >> The
>> >>> >> >> errors I am receiving are:
>> >>> >> >>
>> >>> >> >> Logon Failure:
>> >>> >> >> Reason: Unknown user name or bad password
>> >>> >> >> User Name: inna
>> >>> >> >> Domain:
>> >>> >> >> Logon Type: 3
>> >>> >> >> Logon Process: Advapi
>> >>> >> >> Authentication Package: >> >>> >> >> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> >>> >> >> Workstation Name: DELLSERVER
>> >>> >> >> Caller User Name: DELLSERVER$
>> >>> >> >> Caller Domain: DELLNET
>> >>> >> >> Caller Logon ID: (0x0,0x3E7)
>> >>> >> >> Caller Process ID: 2064
>> >>> >> >> Transited Services: -
>> >>> >> >> Source Network Address: -
>> >>> >> >> Source Port: -
>> >>> >> >>
>> >>> >> >> Logon Failure:
>> >>> >> >> Reason: Unknown user name or bad password
>> >>> >> >> User Name:
>> >>> >> >> Domain: DELLSERVER
>> >>> >> >> Logon Type: 3
>> >>> >> >> Logon Process: NtLmSsp
>> >>> >> >> Authentication Package: NTLM
>> >>> >> >> Workstation Name: DELLSERVER
>> >>> >> >> Caller User Name: -
>> >>> >> >> Caller Domain: -
>> >>> >> >> Caller Logon ID: -
>> >>> >> >> Caller Process ID: -
>> >>> >> >> Transited Services: -
>> >>> >> >> Source Network Address: 192.168.1.3
>> >>> >> >> Source Port: 57596
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> Logon Failure:
>> >>> >> >> Reason: Unknown user name or bad password
>> >>> >> >> User Name:
>> >>> >> >> Domain: DELLSERVER
>> >>> >> >> Logon Type: 3
>> >>> >> >> Logon Process: NtLmSsp
>> >>> >> >> Authentication Package: NTLM
>> >>> >> >> Workstation Name: DELLSERVER
>> >>> >> >> Caller User Name: -
>> >>> >> >> Caller Domain: -
>> >>> >> >> Caller Logon ID: -
>> >>> >> >> Caller Process ID: -
>> >>> >> >> Transited Services: -
>> >>> >> >> Source Network Address: 192.168.1.3
>> >>> >> >> Source Port: 54894
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> Thanks,
>> >>> >> >> Terry
>> >>> >> >>
>> >>> >> >>
>> >>> >> >
>> >>> >>
>> >>> >>
>> >>> >>
>> >>>
>> >>>
>> >
>> >
>>
>>
.
- References:
- Logon 529 Errors
- From: Terry1337
- Re: Logon 529 Errors
- From: Dave Nickason [SBS MVP]
- Re: Logon 529 Errors
- From: SteveB
- Re: Logon 529 Errors
- From: Terry1337
- Re: Logon 529 Errors
- From: Dave Nickason [SBS MVP]
- Re: Logon 529 Errors
- From: Terry1337
- Re: Logon 529 Errors
- From: SteveB
- Re: Logon 529 Errors
- From: Dave Nickason [SBS MVP]
- Re: Logon 529 Errors
- From: Terry1337
- Re: Logon 529 Errors
- From: SteveB
- Re: Logon 529 Errors
- From: Terry1337
- Logon 529 Errors
- Prev by Date: Re: SBS2003 icons description
- Next by Date: Re: SBS2003 C: Space Question
- Previous by thread: Re: Logon 529 Errors
- Next by thread: Re: Logon 529 Errors
- Index(es):
Relevant Pages
|
