tcampbell_nc
asked on
Event ID 1035 MSExchangeTransport LogonDenied
Just wanting a confirmation that this event log message is probably a hacker attempting to access one of my mail servers.
Application Log Warning
Event ID 1035
Task: SmtpReceive
Inbound authentication failed with error LogonDenied for Receive connector Default <server name>. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [80.86.254.21].
I have "who-is"'ed that address and it belongs to a network in Slovakia. We don't know anyone in Slovakia. Also, all our inbound mail comes from only one source (an outside SPAM filtering service) to which our DNS records point.
I have googled this and there seem to be some valid reasons for this message. I am thinking, however, that some enterprising individual in Slovakia is trying to gain access to our mail server.
If this is the general consensus, then I'll block that IP network on our firewall.
Thanks
If you don't have any POP/IMAP clients then disable Exchange Users from the authentication tab - then they cannot relay email even if they were able to get a valid username and password.
Simon.