RE: IMC Error - Again
Probably someone is trying to hack. Have you tried to investigate who this IP address could be? I just checked it and it seems to belong to some Korean comrades. Not to say that they are all bad guys but recently there has been a lot of spam coming from them. Maybe you should put an explicit deny connection for this address. whois whois.arin.net 128.134.25.180: OrgName:Korea Telecom OrgID: KOREAT NetRange: 128.134.0.0 - 128.134.255.255 CIDR: 128.134.0.0/16 NetName:SDN NetHandle: NET-128-134-0-0-1 Parent: NET-128-0-0-0-0 NetType:Direct Assignment NameServer: NS.KORNET.NET NameServer: NS.KAIST.AC.KR Comment: RegDate:1986-06-30 Updated:1996-05-15 TechHandle: YL71-ARIN TechName: Lee, Young-il TechPhone: 82-2-766-5900 TechEmail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 10:04 AM To: Exchange Discussions Subject: IMC Error - Again I'm reposting this again, being pushed here to find an answer for it. Does this error seem to suggest that someone is trying to get into our smtp server? This is no evenid listed for this one. Severity: Error Status: New Source: MSExchangeIMC Name: Authentication attempt (AUTH %1) from %2 failed: %3() call failed with error: %4 Description: Authentication attempt (AUTH ntlm) from 128.134.25.180 failed: HrAccept() call failed with error: Logon failure: unknown user name or bad password. Domain: BLAIRNET Agent: EXCHSMTP1 Time: 10/03/2002 01:53:45 Owner: (view with http://MOMSRV/OnePointOperations/PropertySheet.asp?database=MOMSRVtarget={4 35762EC-BAA2-4DA8-867F-5122101127FD}t=alert) Thanks, Dot Harris _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: IMC Error - Again
Someone tried to send e-mail using authenticated relay and the authentication failed. Are you seeing a slew of these? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:04 AM To: Exchange Discussions Subject: IMC Error - Again I'm reposting this again, being pushed here to find an answer for it. Does this error seem to suggest that someone is trying to get into our smtp server? This is no evenid listed for this one. Severity: Error Status: New Source: MSExchangeIMC Name: Authentication attempt (AUTH %1) from %2 failed: %3() call failed with error: %4 Description: Authentication attempt (AUTH ntlm) from 128.134.25.180 failed: HrAccept() call failed with error: Logon failure: unknown user name or bad password. Domain: BLAIRNET Agent: EXCHSMTP1 Time: 10/03/2002 01:53:45 Owner: (view with http://MOMSRV/OnePointOperations/PropertySheet.asp?database=MO MSRVtarget={4 35762EC-BAA2-4DA8-867F-5122101127FD}t=alert) Thanks, Dot Harris _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: IMC Error - Again
I've seen two, there may have been three, of these. Not ongoing. -Original Message- From: Chris Scharff [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:31 AM To: Exchange Discussions Subject: RE: IMC Error - Again Someone tried to send e-mail using authenticated relay and the authentication failed. Are you seeing a slew of these? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:04 AM To: Exchange Discussions Subject: IMC Error - Again I'm reposting this again, being pushed here to find an answer for it. Does this error seem to suggest that someone is trying to get into our smtp server? This is no evenid listed for this one. Severity: Error Status: New Source: MSExchangeIMC Name: Authentication attempt (AUTH %1) from %2 failed: %3() call failed with error: %4 Description: Authentication attempt (AUTH ntlm) from 128.134.25.180 failed: HrAccept() call failed with error: Logon failure: unknown user name or bad password. Domain: BLAIRNET Agent: EXCHSMTP1 Time: 10/03/2002 01:53:45 Owner: (view with http://MOMSRV/OnePointOperations/PropertySheet.asp?database=MO MSRVtarget={4 35762EC-BAA2-4DA8-867F-5122101127FD}t=alert) Thanks, Dot Harris _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: IMC Error - Again
At this point, I'd probably just watch it and if I were the curious type I might keep a list of Ips as well... And if it because a more frequent event, I might follow Andrey's advice and block the specific IPs in question. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:50 AM To: Exchange Discussions Subject: RE: IMC Error - Again I've seen two, there may have been three, of these. Not ongoing. -Original Message- From: Chris Scharff [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:31 AM To: Exchange Discussions Subject: RE: IMC Error - Again Someone tried to send e-mail using authenticated relay and the authentication failed. Are you seeing a slew of these? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:04 AM To: Exchange Discussions Subject: IMC Error - Again I'm reposting this again, being pushed here to find an answer for it. Does this error seem to suggest that someone is trying to get into our smtp server? This is no evenid listed for this one. Severity: Error Status: New Source: MSExchangeIMC Name: Authentication attempt (AUTH %1) from %2 failed: %3() call failed with error: %4 Description: Authentication attempt (AUTH ntlm) from 128.134.25.180 failed: HrAccept() call failed with error: Logon failure: unknown user name or bad password. Domain: BLAIRNET Agent: EXCHSMTP1 Time: 10/03/2002 01:53:45 Owner: (view with http://MOMSRV/OnePointOperations/PropertySheet.asp?database=MO MSRVtarget={4 35762EC-BAA2-4DA8-867F-5122101127FD}t=alert) Thanks, Dot Harris _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
Re: IMC Error - Again
Could well be a Netscape user; the version before the current one, with patches, would improperly try to do AUTH if it saw that tag in response to the EHLO command. - Original Message - From: [EMAIL PROTECTED] To: Exchange Discussions [EMAIL PROTECTED] Sent: Thursday, October 03, 2002 9:04 AM Subject: IMC Error - Again I'm reposting this again, being pushed here to find an answer for it. Does this error seem to suggest that someone is trying to get into our smtp server? This is no evenid listed for this one. Severity: Error Status: New Source: MSExchangeIMC Name: Authentication attempt (AUTH %1) from %2 failed: %3() call failed with error: %4 Description: Authentication attempt (AUTH ntlm) from 128.134.25.180 failed: HrAccept() call failed with error: Logon failure: unknown user name or bad password. Domain: BLAIRNET Agent: EXCHSMTP1 Time: 10/03/2002 01:53:45 Owner: (view with http://MOMSRV/OnePointOperations/PropertySheet.asp?database=MOMSRVtarget={4 35762EC-BAA2-4DA8-867F-5122101127FD}t=alert) Thanks, Dot Harris _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: IMC Error - Again
That IP address belongs in Korea. Do you have anyone that would be legitimately connecting with Netscape from Korea? -Original Message- From: Daniel Chenault [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 11:52 AM To: Exchange Discussions Subject: Re: IMC Error - Again Could well be a Netscape user; the version before the current one, with patches, would improperly try to do AUTH if it saw that tag in response to the EHLO command. - Original Message - From: [EMAIL PROTECTED] To: Exchange Discussions [EMAIL PROTECTED] Sent: Thursday, October 03, 2002 9:04 AM Subject: IMC Error - Again I'm reposting this again, being pushed here to find an answer for it. Does this error seem to suggest that someone is trying to get into our smtp server? This is no evenid listed for this one. Severity: Error Status: New Source: MSExchangeIMC Name: Authentication attempt (AUTH %1) from %2 failed: %3() call failed with error: %4 Description: Authentication attempt (AUTH ntlm) from 128.134.25.180 failed: HrAccept() call failed with error: Logon failure: unknown user name or bad password. Domain: BLAIRNET Agent: EXCHSMTP1 Time: 10/03/2002 01:53:45 Owner: (view with http://MOMSRV/OnePointOperations/PropertySheet.asp?database=MOMSRVtarget={4 35762EC-BAA2-4DA8-867F-5122101127FD}t=alert) Thanks, Dot Harris _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: IMC Error - Again
Netscape being the server product rather than the client. -Original Message- From: Andrey Fyodorov [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 1:29 PM To: Exchange Discussions Subject: RE: IMC Error - Again That IP address belongs in Korea. Do you have anyone that would be legitimately connecting with Netscape from Korea? -Original Message- From: Daniel Chenault [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 11:52 AM To: Exchange Discussions Subject: Re: IMC Error - Again Could well be a Netscape user; the version before the current one, with patches, would improperly try to do AUTH if it saw that tag in response to the EHLO command. - Original Message - From: [EMAIL PROTECTED] To: Exchange Discussions [EMAIL PROTECTED] Sent: Thursday, October 03, 2002 9:04 AM Subject: IMC Error - Again I'm reposting this again, being pushed here to find an answer for it. Does this error seem to suggest that someone is trying to get into our smtp server? This is no evenid listed for this one. Severity: Error Status: New Source: MSExchangeIMC Name: Authentication attempt (AUTH %1) from %2 failed: %3() call failed with error: %4 Description: Authentication attempt (AUTH ntlm) from 128.134.25.180 failed: HrAccept() call failed with error: Logon failure: unknown user name or bad password. Domain: BLAIRNET Agent: EXCHSMTP1 Time: 10/03/2002 01:53:45 Owner: (view with http://MOMSRV/OnePointOperations/PropertySheet.asp?database=MO MSRVtarget={4 35762EC-BAA2-4DA8-867F-5122101127FD}t=alert) Thanks, Dot Harris _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: IMC Error - Again
Thanks, a place to start. -Original Message- From: Andrey Fyodorov [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:30 AM To: Exchange Discussions Subject: RE: IMC Error - Again Probably someone is trying to hack. Have you tried to investigate who this IP address could be? I just checked it and it seems to belong to some Korean comrades. Not to say that they are all bad guys but recently there has been a lot of spam coming from them. Maybe you should put an explicit deny connection for this address. whois whois.arin.net 128.134.25.180: OrgName:Korea Telecom OrgID: KOREAT NetRange: 128.134.0.0 - 128.134.255.255 CIDR: 128.134.0.0/16 NetName:SDN NetHandle: NET-128-134-0-0-1 Parent: NET-128-0-0-0-0 NetType:Direct Assignment NameServer: NS.KORNET.NET NameServer: NS.KAIST.AC.KR Comment: RegDate:1986-06-30 Updated:1996-05-15 TechHandle: YL71-ARIN TechName: Lee, Young-il TechPhone: 82-2-766-5900 TechEmail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 10:04 AM To: Exchange Discussions Subject: IMC Error - Again I'm reposting this again, being pushed here to find an answer for it. Does this error seem to suggest that someone is trying to get into our smtp server? This is no evenid listed for this one. Severity: Error Status: New Source: MSExchangeIMC Name: Authentication attempt (AUTH %1) from %2 failed: %3() call failed with error: %4 Description: Authentication attempt (AUTH ntlm) from 128.134.25.180 failed: HrAccept() call failed with error: Logon failure: unknown user name or bad password. Domain: BLAIRNET Agent: EXCHSMTP1 Time: 10/03/2002 01:53:45 Owner: (view with http://MOMSRV/OnePointOperations/PropertySheet.asp?database=MOMSRVtarget={4 35762EC-BAA2-4DA8-867F-5122101127FD}t=alert) Thanks, Dot Harris _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: IMC Error - Again
I'll do that. Thanks for your help. Dot -Original Message- From: Chris Scharff [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 10:00 AM To: Exchange Discussions Subject: RE: IMC Error - Again At this point, I'd probably just watch it and if I were the curious type I might keep a list of Ips as well... And if it because a more frequent event, I might follow Andrey's advice and block the specific IPs in question. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:50 AM To: Exchange Discussions Subject: RE: IMC Error - Again I've seen two, there may have been three, of these. Not ongoing. -Original Message- From: Chris Scharff [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:31 AM To: Exchange Discussions Subject: RE: IMC Error - Again Someone tried to send e-mail using authenticated relay and the authentication failed. Are you seeing a slew of these? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 9:04 AM To: Exchange Discussions Subject: IMC Error - Again I'm reposting this again, being pushed here to find an answer for it. Does this error seem to suggest that someone is trying to get into our smtp server? This is no evenid listed for this one. Severity: Error Status: New Source: MSExchangeIMC Name: Authentication attempt (AUTH %1) from %2 failed: %3() call failed with error: %4 Description: Authentication attempt (AUTH ntlm) from 128.134.25.180 failed: HrAccept() call failed with error: Logon failure: unknown user name or bad password. Domain: BLAIRNET Agent: EXCHSMTP1 Time: 10/03/2002 01:53:45 Owner: (view with http://MOMSRV/OnePointOperations/PropertySheet.asp?database=MO MSRVtarget={4 35762EC-BAA2-4DA8-867F-5122101127FD}t=alert) Thanks, Dot Harris _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]