Susan
Tue Sep 02 14:17:52 CDT 2003
What Damian is talking about ...if you have been messing with "guest"
account or you've got a dumb admin/admin username/password combo,
spammers are truly authenticating on your box and there is no amount of
security settings you can take as they are seen by the system as "users"
Damian N Leibaschoff [MSFT] wrote:
> Hi,
>
> Is the option to "Relay if Authenticated" checked in the SMTP virtual
> server?
>
> Also, do you have an SMTP Connector, if so, is the option within the Address
> Space tab to allow relaying (bottom checkbox) selected?
>
> If the first is true, then we can enable logging to see what account is
> being used to authenticate. The most important thing is to make sure that
> your GUEST account is disabled in AD Users & Computers. Also that all users
> have strong passwords.
>
> To enable logging, in the properties for your Exchange server (under Servers
> in Exchange System Manager), go to the Diagnostic Logging tab, select
> MsExchangeTransport on the left, and set Authentication to the Maximum on
> the right side. Ok the changes.
>
> Look for event id 1708 in the Application log, those events will show up if
> someone is authenticating through SMTP, it will also show the account being
> used in the description of the event.
> You may see similar events (different ID, same source/category) for failed
> attempts.
>
> Regards,
>
--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your
patches. Demand better security from vendors and hold them
responsible. Use what you have, and make sure you know how
to use it properly and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt