Take a trace and identify the inbound packet with the info in it then get the IP address. I was getting some events and found that my ISP had some customers who were not filtering their exposed interface. Lots of NT traffic that shouldn't be there.
Of course, if the IP is in someplace like, say, Malaysia, then I'd call it an attempted hack.

----- Original Message -----
From: "Duane Purcell" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Sunday, February 24, 2002 6:01 PM
Subject: RE: Exchange 2000 security

The username, domain and workstation are not from our domain. This is the case for most of these events. They appear to be other email servers - that's why I am under the impression (correctly or incorrectly) that this is caused during the SMTP communication.

-----Original Message-----
From: Tony Hlabse [mailto:[EMAIL PROTECTED]]
Sent: Monday, 25 February 2002 10:25 AM
To: Exchange Discussions
Subject: Re: Exchange 2000 security

Could be hacking or forgetful users. Try these Q articles.

Q174073
Q174074
Q272594

----- Original Message -----
From: "Duane Purcell" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Sunday, February 24, 2002 6:24 PM
Subject: Exchange 2000 security

I am seeing lots of security event IDs 529 Logon/Logoff on our Exchange 2000 server. They look like other mail servers. Is this typical of an established SMTP connection between 2 servers, or a hacking attempt?
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: CORESMTP1$
    Domain: EX
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: CORESMTP1

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
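
An added example, not part of the thread or any poster's code: a Python sketch that parses event 529 descriptions in the layout quoted above and tallies network-logon failures that present a domain other than your own, grouped by workstation name. The event text quoted in the thread carries no source address, so the workstation name is the only origin hint it offers. The function names, the `CORP` domain and the second sample event are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Field labels as they appear in the event 529 description quoted in the thread.
FIELDS = ["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name"]
_LABEL = re.compile(r"(%s):" % "|".join(re.escape(f) for f in FIELDS))

def parse_529(text):
    """Split one event description into {label: value}. Works whether the
    fields sit on separate lines or were flattened onto a single line."""
    parts = _LABEL.split(text)  # [preamble, label, value, label, value, ...]
    return {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}

def foreign_failures(events, our_domains):
    """Count type 3 (network) logon failures per (domain, workstation) where
    the presented domain is not one of ours."""
    ours = {d.upper() for d in our_domains}
    tally = Counter()
    for ev in map(parse_529, events):
        domain = ev.get("Domain", "")
        if ev.get("Logon Type") == "3" and domain.upper() not in ours:
            tally[(domain, ev.get("Workstation Name", "?"))] += 1
    return tally

SAMPLE = [
    # The event from the thread, flattened as it appears in the archive.
    "Logon Failure: Reason: Unknown user name or bad password "
    "User Name: CORESMTP1$ Domain: EX Logon Type: 3 Logon Process: NtLmSsp "
    "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Workstation Name: CORESMTP1",
    # Constructed: a mistyped password from an account in our own domain.
    "Logon Failure:\n  Reason: Unknown user name or bad password\n"
    "  User Name: jsmith\n  Domain: CORP\n  Logon Type: 3\n"
    "  Logon Process: NtLmSsp\n"
    "  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
    "  Workstation Name: DESK042",
]

if __name__ == "__main__":
    # "CORP" stands in for your own domain name (assumption).
    for (domain, workstation), count in foreign_failures(SAMPLE, {"CORP"}).items():
        print(f"{count:4d}  {domain}\\{workstation}")
```

A workstation name that recurs across many foreign-domain failures is the one to match against a packet trace to recover its IP address.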

