Unauthorized user logged into the SMTP server.

dmalford asked:

I'm getting single named, unauthorized users in my Exchange 2003 SMTP connector for long periods of time. I have Anonymous, Basic Authentication, and Integrated Windows Authentication enabled in my default SMTP settings. What can I do to kill these users without killing all of my email?

1 Solution

harleyjd commented:
What is your SMTP server doing? Like is it just there to receive email from other hosts, or is it there to relay email for your domain?

Can you fill us in on some of the other settings - relay restrictions, if certain users are granted access or denied access, if relaying is enabled for domain.com or * or anything?

Probably the simplest measure you can take is to uncheck the "allow computers which authenticate to relay regardless of the list above" - that will stop anyone with a valid user/pass from relaying. It will however, stop authorised users from sending email via SMTP. If they send via Outlook (using exchange) or Outlook Web Access they'll be fine, but Outlook Express, Eudora et al will be hamstrung.

Snodlander commented:
Sounds like an open relay issue.

Go here to test your relay http://www.ordb.org/submit/
Post your results and more info re settings on SMTP server.

dmalford (author) commented:
The server has not been listed as an open relay and has passed the required tests.
 
harleyjd commented:
From your description I discounted the OR theory - I think you need to force a password policy on the domain, and force all users to change their passwords and/or (preferably 'and') remove the authenticated relay from the Virtual SMTP server.

Oh, and an expert tip - try not to respond only to the last comment. You're more likely to get follow-up advice if you respond to each suggestion in turn.

falconergyrperegrine commented:
I think forcing a password policy on the domain is not the way to go!

You will not be able to receive e-mail from anyone who does not log in to your server, meaning e-mail flow into your organization will stop. This can be very bad for business.

So here is what you can do.

1: Ignore it, since it really does not hurt anything other than a small amount of bandwidth.

2: Go into your Exchange System Manager. Expand Administrative Groups - First Administrative Group - "your Server Name" - Protocols - SMTP - Current Sessions.

    Once you find the offending user, right click on the connection, write down the IP address, and Terminate it.

You can block this user in your SMTP settings:

To do this you can right click on your Default SMTP connection and click on Properties.

Once you do this, click on the Access tab and then find Connection Control. Click on the Connection button.

You will see the following. It will ask you to "select which computers may access this virtual server". You want to have the radio button "All except the list below" checked, and below "Computers" you can add in the IP address of the offending connection.

Now you have blocked the offending connection.

harleyjd commented:
Falcon - there is nothing wrong with my suggestion. It will still allow inbound mail to the SMTP server, but it will prevent anyone using a stolen login and password from relaying through the server.

You do not need any form of relaying enabled to send mail to an SMTP server. None, nada, nix. You do not need a valid user/pass to send email to a domain. Spammers will use BRUTE FORCE methods to attempt to relay via SMTP servers - I've seen them doing it.

Blocking individual IPs is a waste of time and resources - spammers rarely use the same IP twice.

The only downside to removing authenticated relaying is that authorised users will be unable to send email from a non-MAPI mail client, such as those I have already listed. dmalford has not chosen to fill us in on whether that is required or not, but if it is then he has NO choice but to force a system-wide password change, and enforce a secure password policy.

I would suggest the password policy change as a matter of course - who knows what passwords have been hacked? Do you really think it is wise that he proceed with at least one compromised password in the system?

falconergyrperegrine commented:
I was thinking you were talking about forcing a password policy for the SMTP relay virtual server. My bad, hey, we all make mistakes, right! Especially when the wife calls. I agree with you that this person needs to force a password policy on the domain.

I would also highly suggest clearing the "allow users who authenticate to relay regardless of the list above". The way to find this is in the SMTP properties, under the Access tab and then the Relay tab.

Snodlander commented:
Rather than blocking access to the SMTP virtual server by IP for each individual anomaly that shows up, you should be allowing ONLY machines with local IP addresses (or, in the case of multiple subnets, machines with a name *.yourdomain.com) to access your SMTP server. Deny everyone else, even if authenticated by other means. As administrator you should be privy to knowing who exactly should be able to access your server, at least in terms of IP addresses and domain name.
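harleyjd's brute-force warning above and Snodlander's "only local addresses" rule come down to the same check on the SMTP virtual server's log: who is authenticating, from where, and whether an accepted RCPT from an outside address is relay traffic rather than inbound mail. The script below is an added example and not code from anyone in this thread. It parses a constructed excerpt in the W3C extended log format that the Exchange 2003 SMTP virtual server can write (the field order is read from the #Fields line, not hard-coded); the internal subnet 192.168.1.0/24, the local domain example.com, and every address, host and username in the sample are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt in the W3C extended format; addresses, hosts and
# usernames are made up for this example. Only the fields needed here are kept.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2005-03-01 09:00:01 192.168.1.25 - EHLO +laptop01 250
2005-03-01 09:00:02 192.168.1.25 jsmith AUTH +jsmith 235
2005-03-01 09:00:03 192.168.1.25 jsmith MAIL +FROM:<jsmith@example.com> 250
2005-03-01 09:00:10 203.0.113.7 - EHLO +mx.example.net 250
2005-03-01 09:00:11 203.0.113.7 - MAIL +FROM:<news@example.net> 250
2005-03-01 09:00:12 203.0.113.7 - RCPT +TO:<jsmith@example.com> 250
2005-03-01 09:01:00 198.51.100.9 - EHLO +host 250
2005-03-01 09:01:01 198.51.100.9 - AUTH +admin 535
2005-03-01 09:01:02 198.51.100.9 - AUTH +admin 535
2005-03-01 09:01:03 198.51.100.9 - AUTH +admin 535
2005-03-01 09:01:04 198.51.100.9 - AUTH +admin 535
2005-03-01 09:01:05 198.51.100.9 admin AUTH +admin 235
2005-03-01 09:01:06 198.51.100.9 admin MAIL +FROM:<admin@example.com> 250
2005-03-01 09:01:07 198.51.100.9 admin RCPT +TO:<victim@elsewhere.example> 250
"""

# Assumed site layout: one internal subnet and one domain the server accepts mail for.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"example.com"}


def parse_w3c(text):
    """Return one dict per record, keyed by the names given in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip records we cannot map rather than abort the whole run
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip, nets=INTERNAL_NETS):
    """True only for a parseable address inside one of the trusted subnets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # "-" or garbage in c-ip is never treated as trusted
    return any(addr in net for net in nets)


def recipient_domain(query):
    """Pull the domain out of a logged 'TO:<user@domain>' argument."""
    m = re.search(r"@([^>\s]+)>", query)
    return m.group(1).lower() if m else None


def analyze(records, nets=INTERNAL_NETS, local_domains=LOCAL_DOMAINS, fail_threshold=3):
    """Flag password guessing, outside logins, and accepted relay recipients."""
    failed_auth = Counter()
    external_auth_success = []
    external_relay = []
    for r in records:
        ip = r.get("c-ip", "-")
        method = r.get("cs-method", "").upper()
        status = r.get("sc-status", "")
        user = r.get("cs-username", "-")
        if method == "AUTH" and status == "535":
            failed_auth[ip] += 1  # 535 = authentication credentials invalid
        elif method == "AUTH" and status == "235" and not is_internal(ip, nets):
            external_auth_success.append((ip, user))  # a login the local-only rule would refuse
        elif method == "RCPT" and status == "250" and not is_internal(ip, nets):
            domain = recipient_domain(r.get("cs-uri-query", ""))
            if domain and domain not in local_domains:
                external_relay.append((ip, user, domain))  # accepted recipient we do not host
    return {
        "brute_force": {ip: n for ip, n in failed_auth.items() if n >= fail_threshold},
        "external_auth_success": external_auth_success,
        "external_relay": external_relay,
    }


if __name__ == "__main__":
    for key, value in analyze(parse_w3c(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, 198.51.100.9 shows the pattern harleyjd describes: a run of 535 responses, then a 235 for "admin", then an accepted RCPT for a domain the server does not host. The internal user jsmith and the legitimate inbound delivery from 203.0.113.7 are not flagged, which is the distinction falconergyrperegrine worried about: refusing outside authentication does not refuse inbound mail. Point the parser at a real log directory and adjust INTERNAL_NETS and LOCAL_DOMAINS to the site.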

harleyjd commented:
I think my answer is the best, but Snodlander also has a valid response in #12282723

I would not argue if you decide to Delete/No refund as abandoned, either.