You must leave anonymous authentication on to allow SMTP to function. That is OK though, as Anonymous cannot relay on a closed relay server, which Exchange Server 2003 is by default.
Also make sure that a strong password policy is implemented ASAP.
MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:
What are the steps for this problem under a Win2k server and Exchange 2000?
The steps are the same for Windows 2000/Exchange 2000 as they are for Windows 2003/Exchange 2003. If you are in fact being attacked, follow these steps:
Find and fix the compromised account:
- Open Exchange System Manager and expand the Organization -> Administrative Groups -> AdminGroupName -> Servers containers.
- Right-click Server Name -> Properties, and click the Diagnostics Logging tab.
- Select MSExchangeTransport and set the logging level to maximum for all of the categories.
- Monitor the Application event log for event 1708; look for an authentication from an IP address/server name that is not in your organization.
- Enable Successful/Failure Account Login Attempts in the "Default Domain Controllers" GPO of your domain. Monitor the Security log for 680 events that occur at the same time as the suspect external mail server relays messages.
- Change the password for the compromised account. (Keep in mind that if one account has been compromised, it is likely that numerous accounts have been. The best thing to do might be to change all passwords.)
Blocking the spammer:
- Open the Exchange System Manager and go to Organization -> Administrative Groups -> Organizational Unit -> Servers -> ServerName -> Protocols -> SMTP.
- Right-click the Default SMTP Virtual Server and select Properties.
- Open the Access tab and click Authentication.
- Leave Anonymous access enabled, and clear the Basic authentication and Integrated Windows Authentication checkboxes.
Richard Luckett, expert
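The correlation the expert describes in the "find the compromised account" steps (a 1708 SMTP authentication from an address outside your organization lining up in time with a 680 account-logon event on the domain controller), as an added example that is not part of the original answer and not Microsoft's code. The sample log lines are constructed in a simplified "timestamp|event ID|message" export layout; the real message text of events 1708 and 680 differs, so the regular expressions, the internal address range (10.0.0.0/8) and the 5-second matching window are all assumptions to adjust to your own Event Viewer export.

```python
"""Correlate Exchange 2003 SMTP-authentication events (MSExchangeTransport
event 1708, Application log) with Windows 2003 account-logon events
(event 680, Security log on the domain controller) to find accounts that
are authenticating to SMTP from addresses outside the organisation.

Added example for this Q&A; not Microsoft's code and not the expert's.
The sample lines are CONSTRUCTED in a simplified "timestamp|event ID|message"
export layout.  The real message text of events 1708 and 680 differs, so
the regular expressions must be adapted to your own export (assumption).
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample of the Application log after MSExchangeTransport
# diagnostic logging was raised to maximum.  Layout and wording are assumed.
APPLICATION_LOG = """\
2005-03-01 02:14:07|1708|SMTP Authentication: user CORP\\jsmith authenticated from 10.0.5.22
2005-03-01 02:14:09|1708|SMTP Authentication: user CORP\\jsmith authenticated from 203.0.113.45
2005-03-01 02:14:12|1708|SMTP Authentication: user CORP\\jsmith authenticated from 203.0.113.45
2005-03-01 02:20:00|1708|SMTP Authentication: user CORP\\mjones authenticated from 10.0.5.40
"""

# Constructed sample of the domain controller's Security log after
# success/failure auditing of account logon events was enabled.
SECURITY_LOG = """\
2005-03-01 02:14:08|680|Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: jsmith Source Workstation: EXCH01 Error Code: 0x0
2005-03-01 02:14:11|680|Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: jsmith Source Workstation: EXCH01 Error Code: 0x0
2005-03-01 02:19:59|680|Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: mjones Source Workstation: EXCH01 Error Code: 0x0
2005-03-01 02:30:00|680|Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: admin Source Workstation: EXCH01 Error Code: 0xC000006A
"""

# Address space that belongs to the organisation (assumed); anything else
# is treated as an external mail server.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<id>\d+)\|(?P<msg>.*)$")
AUTH_RE = re.compile(r"user (?:\S+\\)?(?P<user>\S+) authenticated from (?P<ip>\d+\.\d+\.\d+\.\d+)")
LOGON_RE = re.compile(r"Logon account: (?P<user>\S+) .*Error Code: (?P<code>0x[0-9A-Fa-f]+)")


def _events(text):
    """Yield (timestamp, event_id, message) for every well-formed export line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"].strip(), "%Y-%m-%d %H:%M:%S"), int(m["id"]), m["msg"]


def smtp_auths(app_log):
    """(time, account, source address) for each 1708 SMTP authentication."""
    out = []
    for ts, eid, msg in _events(app_log):
        m = AUTH_RE.search(msg)
        if eid == 1708 and m:
            out.append((ts, m["user"].lower(), ipaddress.ip_address(m["ip"])))
    return out


def account_logons(sec_log):
    """(time, account, succeeded) for each 680 NTLM account-logon event."""
    out = []
    for ts, eid, msg in _events(sec_log):
        m = LOGON_RE.search(msg)
        if eid == 680 and m:
            out.append((ts, m["user"].lower(), m["code"].lower() == "0x0"))
    return out


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def external_smtp_auths(app_log, sec_log, window=timedelta(seconds=5)):
    """Accounts that authenticated to SMTP from an external address AND have
    a successful 680 logon on the DC within +/- window of that event.
    Returns {account: sorted list of external source addresses}."""
    successes = [(ts, user) for ts, user, ok in account_logons(sec_log) if ok]
    hits = {}
    for ts, user, ip in smtp_auths(app_log):
        if is_internal(ip):
            continue
        if any(u == user and abs(t - ts) <= window for t, u in successes):
            hits.setdefault(user, set()).add(str(ip))
    return {user: sorted(ips) for user, ips in hits.items()}


def failed_logons(sec_log):
    """Failed 680 logons per account: a password-guessing indicator that
    argues for the strong password policy the answer recommends."""
    counts = {}
    for _, user, ok in account_logons(sec_log):
        if not ok:
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for user, ips in external_smtp_auths(APPLICATION_LOG, SECURITY_LOG).items():
        print("reset password for %s: SMTP auth from external %s" % (user, ", ".join(ips)))
    for user, n in failed_logons(SECURITY_LOG).items():
        print("%d failed logon(s) for %s" % (n, user))
```

On the sample data the script flags jsmith, whose SMTP logons from 203.0.113.45 are each corroborated by a successful 680 on the DC a second later, while the internal logons of jsmith and mjones are ignored; the single failed logon for admin is reported separately. The time window matters because the 680 event is raised on the domain controller and the 1708 on the Exchange server, so clock skew between the two hosts has to be smaller than the window for the match to work.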
I am not sure enforcing strong passwords alone may solve the problem. I am also experiencing the same problem -- in my case I can only get NDRs for e-mails that would have bounced. On opening the NDR, I discover that the e-mails will be directing the recipients to dubious Web sites. On doing IP queries on the sites, I have discovered the abusers are using IP addresses allocated to the Far East. I reported this, but the next thing you know, they've changed the IP address. How they manage to register my domain using a different IP address ... it surprises me.