You must leave anonymous authentication on to allow SMTP to function. That is OK though, as Anonymous cannot relay on a closed relay server, which Exchange Server 2003 is by default.
Also make sure that a strong password policy is implemented ASAP.
MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:
What are the steps for this problem under a Win2k server and Exchange 2000?
The steps are the same for Windows 2000/Exchange 2000 as they are for Windows 2003/Exchange 2003. If you are in fact being attacked, follow these steps:
Find and fix the compromised account:
- Open Exchange System Manager and expand Organization -> Administrative Groups -> AdminGroupName -> and Servers containers.
- Right-click Server Name -> Properties, and click the Diagnostics Logging tab.
- Select MSExchangeTransport and set the logging level to maximum for all of the categories.
- Monitor the Application event log for event 1708; look for an authentication from an IP address/server name that is not in your organization.
- Enable Successful/Failure Account Login Attempts in the "Default Domain Controllers" GPO of your domain. Monitor the Security log for 680 events that occur at the same time as the suspect external mail server relays messages.
- Change the password for the compromised account. (Keep in mind that if one account has been compromised, it is likely that numerous accounts have been. The best thing to do might be to change all passwords.)
Blocking the spammer:
- Open the Exchange System Manager and go to Organization -> Administrative Groups -> Organizational Unit -> Servers -> ServerName -> Protocols -> SMTP.
- Right-click the Default SMTP Virtual Server and select Properties.
- Open the Access tab and click Authentication.
- Leave Anonymous access enabled, and clear the Basic authentication and Integrated Windows Authentication checkboxes.
Richard Luckett, expert
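The correlation described in the answer above (event 1708 authentications from outside the organization, matched against Security log 680 events at the same time) can be scripted once both logs are exported. This is an added example, not part of the original answer; the CSV column layout, the internal address range, the 5-second window and all sample rows are assumptions constructed for illustration, and it handles client IP addresses only, not server names.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample export (not real log data).
# Assumed columns: time, log, event_id, client_ip (1708 only), account
SAMPLE = """\
2005-03-01 02:14:07,Application,1708,203.0.113.45,CORP\\jsmith
2005-03-01 02:14:08,Security,680,,jsmith
2005-03-01 02:20:31,Application,1708,192.168.10.20,CORP\\backupsvc
2005-03-01 02:20:31,Security,680,,backupsvc
2005-03-01 03:05:12,Application,1708,198.51.100.9,CORP\\guest
2005-03-01 09:00:00,Security,680,,mjones
"""

INTERNAL = [ipaddress.ip_network("192.168.0.0/16")]  # assumed internal range
WINDOW = timedelta(seconds=5)  # assumed tolerance between the two logs

def parse(text):
    """Turn the exported CSV into dicts with a normalized account name."""
    rows = []
    for when, _log, event_id, src, account in csv.reader(io.StringIO(text)):
        rows.append({"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                     "id": int(event_id), "src": src,
                     "user": account.split("\\")[-1].lower()})
    return rows

def is_external(src):
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in INTERNAL)

def suspect_accounts(rows):
    """Map account -> [(client_ip, time, matched_680)] for external SMTP auths."""
    logons = [r for r in rows if r["id"] == 680]
    findings = {}
    for r in rows:
        if r["id"] != 1708 or not is_external(r["src"]):
            continue
        # A 680 event for the same account inside the window backs up the 1708 hit.
        confirmed = any(l["user"] == r["user"] and
                        abs(l["time"] - r["time"]) <= WINDOW for l in logons)
        findings.setdefault(r["user"], []).append((r["src"], r["time"], confirmed))
    return findings

if __name__ == "__main__":
    for user, hits in suspect_accounts(parse(SAMPLE)).items():
        for src, when, confirmed in hits:
            print(f"{user}: SMTP auth from {src} at {when} (680 match: {confirmed})")
```

Accounts flagged with a matching 680 event are the first candidates for a password change; unmatched 1708 hits still merit review, since the Security log may not have been auditing yet.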
I am not sure enforcing strong passwords alone may solve the problem. I am also experiencing the same problem -- in my case I can only get NDRs for e-mails that would have bounced. On opening the NDR, I discover that the e-mails will be directing the recipients to dubious Web sites. On doing IP queries on the sites, I have discovered the abusers are using IP addresses allocated to the Far East. I reported this, but the next thing you know, they've changed the IP address. How they manage to register my domain using a different IP address ... it surprises me.