Unauthorized user logged into the SMTP server.

Posted on 2004-10-11
Last Modified: 2008-02-01
I'm getting single named, unauthorized users in my Exchange 2003 SMTP connector for long periods of time. I have Anonymous, Basic Authentication, and Integrated Windows Authentication enabled in my default SMTP settings. What can I do to kill these users without killing all of my email?
Question by:dmalford

Expert Comment

ID: 12274331
What is your smtp server doing? Like is it just there to receive email from other hosts, or is it there to  relay email for your domain?

Can you fill us in on some of the other settings - relay restrictions, if certain users are granted access or denied access, if relaying is enabled for or * or anything?

Probably the simplest measure you can take is to uncheck the "allow computers which authenticate to relay regardless of the list above" - that will stop anyone with a valid user/pass from relaying. It will however, stop authorised users from sending email via SMTP. If they send via Outlook (using exchange) or Outlook Web Access they'll be fine, but Outlook Express, Eudora et al will be hamstrung.

Expert Comment

ID: 12274376
Sounds like an open relay issue.

Go here to test your relay
Post your results and more info re settings on SMTP server.

Author Comment

ID: 12277101
The server has not been listed as an open relay and has passed the required tests.

Expert Comment

ID: 12277298
From your description I discounted the OR theory - I think you need to force a password policy on the domain, and force all users to change their passwords and/or (preferably 'and') remove the authenticated relay from the Virtual SMTP server.

Oh, and an expert tip - try not to respond only to the last comment. You're more likely to get follow-up advice if you respond to each suggestion in turn.


Expert Comment

ID: 12281715
I think forcing a password policy on the domain is not the way to go!

You will not be able to receive e-mail from anyone who does not log in to your server, meaning e-mail flow into your organization will stop. This can be very bad for business.

So here is what you can do.

1: Ignore it since it really does not hurt anything other than a small amount of bandwidth.

2: Go into your Exchange System Manager. Expand Administrative Groups - First Administrative Group - "your Server Name" - Protocols - SMTP - Current Sessions.

    Once you find the offending user, right click on the connection, write down the IP address, and Terminate it.

You can block this user in your SMTP settings:

To do this you can right click on your Default SMTP connection and click on properties.

Once you do this click on the Access Tab and then find Connection Control. Click on the Connection Button.

You will see the following:

    It will ask you to "select which computers may access this virtual server".
    You want to have the radio button "All except the list below" checked,
    and below "Computers" you can add in the IP address of the offending connection.

Now you have blocked the offending connection.

Expert Comment

ID: 12281875
Falcon - there is nothing wrong with my suggestion. It will still allow inbound mail to the SMTP server, but it will prevent anyone using a stolen login and password from relaying through the server.

You do not need any form of relaying enabled to send mail to an SMTP server. None, nada, nix. You do not need a valid user/pass to send email to a domain. Spammers will use BRUTE FORCE methods to attempt to relay via SMTP servers - I've seen them doing it.

Blocking individual IPs is a waste of time and resources - spammers rarely use the same IP twice.

The only downside to removing authenticated relaying is that authorised users will be unable to send email using a non-MAPI mail client, such as those I have already listed. dmalford has not chosen to fill us in on whether that is required or not, but if it is then he has NO choice but to force a system-wide password change, and enforce a secure password policy.

I would suggest the password policy change as a matter of course - who knows what passwords have been hacked? Do you really think it is wise that he proceed with at least one compromised password in the system?
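As an added example (not code from the thread or from Exchange), a small Python audit over constructed IIS SMTP W3C-style log lines, illustrating the brute-force pattern the comment above describes: one account failing AUTH from many distinct client addresses and then succeeding from an address outside the internal subnet. The field layout in the `#Fields:` header and the 192.168.1.0/24 internal subnet are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal subnet; replace with the site's own address ranges.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample in IIS SMTP W3C log style (field layout is an assumption).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-10-11 09:00:01 203.0.113.10 - EHLO +mail.example.net 250
2004-10-11 09:00:02 203.0.113.10 - AUTH LOGIN 334
2004-10-11 09:00:03 203.0.113.10 jsmith AUTH - 535
2004-10-11 09:00:05 203.0.113.11 jsmith AUTH - 535
2004-10-11 09:00:07 203.0.113.12 jsmith AUTH - 535
2004-10-11 09:00:09 198.51.100.7 jsmith AUTH - 535
2004-10-11 09:00:11 198.51.100.8 jsmith AUTH - 235
2004-10-11 09:00:12 198.51.100.8 jsmith MAIL +FROM:<x@example.org> 250
2004-10-11 09:05:00 192.168.1.25 bjones AUTH - 235
"""

def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def audit_auth(rows, max_ips=3):
    """Flag accounts guessed from many IPs, and external successful logins."""
    failed_ips, external_ok = defaultdict(set), defaultdict(set)
    for r in rows:
        if r["cs-method"] != "AUTH" or r["cs-username"] == "-":
            continue  # not an authentication attempt with a user name yet
        ip, user = ipaddress.ip_address(r["c-ip"]), r["cs-username"]
        if r["sc-status"] == "535":                      # AUTH rejected
            failed_ips[user].add(str(ip))
        elif r["sc-status"] == "235" and not any(ip in n for n in INTERNAL_NETS):
            external_ok[user].add(str(ip))               # AUTH accepted from outside
    findings = [("password-guessing", u, sorted(ips))
                for u, ips in failed_ips.items() if len(ips) >= max_ips]
    findings += [("external-auth-success", u, sorted(ips))
                 for u, ips in external_ok.items()]
    return findings

if __name__ == "__main__":
    for kind, user, ips in audit_auth(parse_w3c(SAMPLE_LOG)):
        print(kind, user, ", ".join(ips))
```

An account that shows up as both findings is the "single named, unauthorized user" the question describes and is a candidate for a forced password reset.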

Expert Comment

ID: 12282008
I was thinking you were talking about forcing a password policy for the SMTP relay virtual server. My bad, hey we all make mistakes right! Especially when the wife calls. I agree with you that this person needs to force a password policy on the domain.

I would also highly suggest clearing the "allow users who authenticate to relay regardless of the list above". The way to find this is in the SMTP properties, under the Access tab and then the Relay tab.

Accepted Solution

Snodlander earned 500 total points
ID: 12282723
Rather than blocking access to the SMTP virtual server via IP for each individual anomaly that shows up, you should be allowing ONLY machines with local IP addresses (or, in the case of multiple subnets, machines with a name *) to access your SMTP server. Deny everyone else, even if authenticated by other means. As administrator you should be privy to knowing who exactly should be able to access your server, at least in terms of IP addresses and domain name.

Expert Comment

ID: 14328471
I think my answer is the best, but Snodlander also has a valid response in #12282723

I would not argue if you decide to Delete/No refund as abandoned, either.
