You must leave anonymous authentication on to allow SMTP to function. That is OK though, as Anonymous cannot relay on a closed relay server, which Exchange Server 2003 is by default.
Also make sure that a strong password policy is implemented ASAP.
MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:
What are the steps for this problem under a Win2k server and Exchange 2000?
The steps are the same for Windows 2000/Exchange 2000 as they are for Windows 2003/Exchange 2003. If you are in fact being attacked, follow these steps:
Find and fix the compromised account:
- Open Exchange System Manager and expand the Organization -> Administrative Groups -> AdminGroupName -> Servers containers.
- Right-click Server Name -> Properties, and click the Diagnostics Logging tab.
- Select MSExchangeTransport and set the logging level to maximum for all of the categories.
- Monitor the Application event log for event 1708; look for an authentication from an IP address/server name that is not in your organization.
- Enable Successful/Failure Account Logon Attempts in the "Default Domain Controllers" GPO of your domain. Monitor the Security log for 680 events that occur at the same time as the suspect external mail server relays messages.
- Change the password for the compromised account. (Keep in mind that if one account has been compromised, it is likely that numerous accounts have been. The best thing to do might be to change all passwords.)
Blocking the spammer:
- Open the Exchange System Manager and go to Organization -> Administrative Groups -> Organizational Unit -> Servers -> ServerName -> Protocols -> SMTP.
- Right-click the Default SMTP Virtual Server and select Properties.
- Open the Access tab and click Authentication.
- Leave Anonymous access enabled, and clear the Basic authentication and Integrated Windows Authentication checkboxes.
Richard Luckett, expert
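The "find the compromised account" steps above boil down to one correlation: an MSExchangeTransport 1708 authentication from an address outside your organization, backed by a Security 680 logon for the same account at about the same time. The following script is an added example (not from the expert's answer or from Microsoft) that runs that correlation over a constructed, tab-separated log export; the field layout, the 192.168.10.0/24 internal range and the two-minute window are assumptions to adapt to your environment.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample export: timestamp, log, event id, account, source IP.
# The tab-separated layout is an assumption, not the Event Viewer export format.
SAMPLE_EVENTS = """\
2004-03-02 09:14:03\tApplication\t1708\tjsmith\t192.168.10.25
2004-03-02 09:15:41\tApplication\t1708\tjsmith\t203.0.113.77
2004-03-02 09:15:42\tSecurity\t680\tjsmith\t203.0.113.77
2004-03-02 09:20:10\tApplication\t1708\tmkhan\t192.168.10.40
2004-03-02 09:21:00\tSecurity\t680\tmkhan\t192.168.10.40
2004-03-02 11:02:17\tApplication\t1708\tjsmith\t198.51.100.9
"""

# Assumption: the organization's own address space.
ORG_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]


def parse_events(text):
    """Turn the export into dicts with typed timestamp, event id and address."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, log, event_id, account, src = line.split("\t")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "log": log, "id": int(event_id), "account": account,
                       "src": ipaddress.ip_address(src)})
    return events


def is_internal(addr):
    return any(addr in net for net in ORG_NETWORKS)


def suspect_accounts(events, window=timedelta(minutes=2)):
    """Map account -> [(external IP, corroborated by a 680 logon within window)].

    Only SMTP authentications (event 1708) from outside ORG_NETWORKS are
    reported; a matching Security 680 event for the same account makes the
    finding a strong candidate for an immediate password change.
    """
    logons = [e for e in events if e["id"] == 680]
    flagged = {}
    for e in events:
        if e["id"] != 1708 or is_internal(e["src"]):
            continue
        corroborated = any(l["account"] == e["account"]
                           and abs(l["time"] - e["time"]) <= window
                           for l in logons)
        flagged.setdefault(e["account"], []).append((str(e["src"]), corroborated))
    return flagged
```

With the sample data, jsmith is reported twice (one external login corroborated by a 680 event, one not), while mkhan, who only authenticates from inside the organization, is not reported.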
I am not sure enforcing strong passwords alone may solve the problem. I am also experiencing the same problem -- in my case I can only get NDRs for e-mails that would have bounced. On opening the NDR, I discover that the e-mails will be directing the recipients to dubious Web sites. On doing IP queries on the sites, I have discovered the abusers are using IP addresses allocated to the Far East. I reported this, but the next thing you know, they've changed the IP address. How they manage to register my domain using a different IP address ... it surprises me.