Solved

Unauthorized user logged into the SMTP server.

Posted on 2004-10-11
Last Modified: 2008-02-01
I'm getting single named, unauthorized users in my Exchange 2003 SMTP connector for long periods of time.  I have Anonymous, Basic Authentication, and Integrated Windows Authentication enabled in my default SMTP settings.  What can I do to kill these users without killing all of my email?
Question by:dmalford
10 Comments
 
LVL 15

Expert Comment

by:harleyjd
ID: 12274331
What is your smtp server doing? Like is it just there to receive email from other hosts, or is it there to  relay email for your domain?

Can you fill us in on some of the other settings - relay restrictions, if certain users are granted access or denied access, if relaying is enabled for domain.com or * or anything?

Probably the simplest measure you can take is to uncheck the "allow computers which authenticate to relay regardless of the list above" - that will stop anyone with a valid user/pass from relaying. It will however, stop authorised users from sending email via SMTP. If they send via Outlook (using exchange) or Outlook Web Access they'll be fine, but Outlook Express, Eudora et al will be hamstrung.
 
LVL 2

Expert Comment

by:Snodlander
ID: 12274376
Sounds like an open relay issue.

Go here to test your relay http://www.ordb.org/submit/
Post your results and more info re settings on SMTP server.
 

Author Comment

by:dmalford
ID: 12277101
The server has not been listed as an open relay and has passed the required tests.
 
LVL 15

Expert Comment

by:harleyjd
ID: 12277298
From your description I discounted the OR theory - I think you need to force a password policy on the domain, and force all users to change their passwords and/or (preferably 'and') remove the authenticated relay from the Virtual SMTP server.

Oh, and an expert tip - try not to respond only to the last comment. You're more likely to get follow-up advice if you respond to each suggestion in turn.

 
LVL 1

Expert Comment

by:falconergyrperegrine
ID: 12281715
I think forcing a password policy on the domain is not the way to go!

You will not be able to receive e-mail from anyone who does not log in to your server, meaning e-mail flow into your organization will stop. This can be very bad for business.

So here is what you can do.

1: Ignore it since it really does not hurt anything other than a small amount of bandwidth.

2: Go into your Exchange System Manager and expand Administrative Groups > First Administrative Group > "your Server Name" > Protocols > SMTP > Current Sessions.

    Once you find the offending user, right click on the connection, write down the IP address, and terminate it.

You can block this user in your SMTP settings:

To do this you can right click on your Default SMTP connection and click on Properties.

Once you do this, click on the Access tab and then find Connection Control. Click on the Connection button.

You will see the following. It will ask you to "select which computers may access this virtual server". You want to have the radio button "All except the list below" checked, and below "Computers" you can add in the IP address of the offending connection.

Now you have blocked the offending connection.
 
 
LVL 15

Expert Comment

by:harleyjd
ID: 12281875
Falcon - there is nothing wrong with my suggestion. It will still allow inbound mail to the SMTP server, but it will prevent anyone using a stolen login and password from relaying through the server.

You do not need any form of relaying enabled to send mail to an SMTP server. None, nada, nix. You do not need a valid user/pass to send email to a domain. Spammers will use BRUTE FORCE methods to attempt to relay via SMTP servers - I've seen them doing it.

Blocking individual IP's is a waste of time and resources - spammers rarely use the same IP twice.

The only downside to removing authenticated relaying is that authorised users will be unable to send email from a non-MAPI mail client, such as those I have already listed. dmalford has not chosen to fill us in on whether that is required or not, but if it is then he has NO choice but to force a system-wide password change and enforce a secure password policy.

I would suggest the password policy change as a matter of course - who knows what passwords have been hacked? Do you really think it is wise that he proceed with at least one compromised password in the system?
 
LVL 1

Expert Comment

by:falconergyrperegrine
ID: 12282008
I was thinking you were talking about forcing a password policy for the SMTP relay virtual server. My bad, hey we all make mistakes right! Especially when the wife calls.  I agree with you that this person needs to force a password policy on the domain.

I would also highly suggest clearing the "allow users who authenticate to relay regardless of the list above". The way to find this is in the SMTP properties, under the Access tab and then the Relay button.
 
LVL 2

Accepted Solution

by:Snodlander (earned 500 total points)
ID: 12282723
Rather than blocking access to the SMTP virtual server by IP for each individual anomaly that shows up, you should be allowing ONLY machines with local IP addresses (or, in the case of multiple subnets, machines with a name *.yourdomain.com) to access your SMTP server. Deny everyone else, even if authenticated by other means. As administrator you should be privy to knowing who exactly should be able to access your server, at least in terms of IP addresses and domain name.
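The triage harleyjd and Snodlander describe above (spot sources brute-forcing AUTH, and any successful AUTH from outside the subnets you actually intend to allow) can be scripted against the SMTP virtual server's log instead of watching Current Sessions by hand. This is an added example, not code from the thread or from Microsoft: the log lines are constructed, the column names are the IIS W3C extended-log fields and are read from the log's own "#Fields:" header, and it assumes the server records a failed AUTH with final status 535 and a successful one with 235. Treat the threshold and the allowed subnets as placeholders for your own environment.

```python
"""Triage SMTP AUTH activity from an Exchange 2003 SMTP virtual server log.

Added example for this thread, not code from the original post.  It reads
the IIS W3C extended log the SMTP virtual server writes (column names are
taken from the '#Fields:' header) and assumes, as the server records them,
that a failed AUTH ends with SMTP status 535 and a successful one with 235.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not a real capture).  Four kinds of client:
#   203.0.113.7   outside host hammering AUTH LOGIN and failing every time
#   203.0.113.9   outside host that fails once, then succeeds: a guessed or
#                 stolen password, i.e. the "unauthorized user" seen in ESM
#   10.0.0.23     inside host authenticating normally
#   198.51.100.4  outside host delivering ordinary inbound mail, no AUTH
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2004-10-11 14:00:01 203.0.113.7 - SMTPSVC1 MAILSRV 10.0.0.5 25 EHLO - +mx.example.net 250
2004-10-11 14:00:01 203.0.113.7 - SMTPSVC1 MAILSRV 10.0.0.5 25 AUTH - LOGIN 535
2004-10-11 14:00:02 203.0.113.7 - SMTPSVC1 MAILSRV 10.0.0.5 25 AUTH - LOGIN 535
2004-10-11 14:00:03 203.0.113.7 - SMTPSVC1 MAILSRV 10.0.0.5 25 AUTH - LOGIN 535
2004-10-11 14:00:04 203.0.113.7 - SMTPSVC1 MAILSRV 10.0.0.5 25 AUTH - LOGIN 535
2004-10-11 14:00:05 203.0.113.7 - SMTPSVC1 MAILSRV 10.0.0.5 25 AUTH - LOGIN 535
2004-10-11 14:00:06 203.0.113.7 - SMTPSVC1 MAILSRV 10.0.0.5 25 AUTH - LOGIN 535
2004-10-11 14:00:10 203.0.113.9 - SMTPSVC1 MAILSRV 10.0.0.5 25 AUTH - LOGIN 535
2004-10-11 14:00:11 203.0.113.9 - SMTPSVC1 MAILSRV 10.0.0.5 25 AUTH - LOGIN 235
2004-10-11 14:00:12 203.0.113.9 - SMTPSVC1 MAILSRV 10.0.0.5 25 MAIL - +FROM:<x@example.org> 250
2004-10-11 14:00:20 10.0.0.23 - SMTPSVC1 MAILSRV 10.0.0.5 25 AUTH - LOGIN 235
2004-10-11 14:00:30 198.51.100.4 - SMTPSVC1 MAILSRV 10.0.0.5 25 MAIL - +FROM:<a@example.org> 250
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in '#Fields:'."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before '#Fields:' header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def auth_summary(rows):
    """Per source IP, count failed (535) and successful (235) AUTH commands."""
    summary = defaultdict(lambda: {"fail": 0, "ok": 0})
    for r in rows:
        if r.get("cs-method") != "AUTH":
            continue
        if r.get("sc-status") == "535":
            summary[r["c-ip"]]["fail"] += 1
        elif r.get("sc-status") == "235":
            summary[r["c-ip"]]["ok"] += 1
    return dict(summary)


def flag_sources(rows, allowed_nets, fail_threshold=5):
    """Brute-force candidates, and successful AUTH from outside allowed_nets.

    allowed_nets are the subnets you would put in Connection Control;
    anything else that managed to authenticate is using a credential that
    should be reset.  fail_threshold is a placeholder; tune it to your log.
    """
    nets = [ip_network(n) for n in allowed_nets]

    def inside(ip):
        return any(ip_address(ip) in n for n in nets)

    summary = auth_summary(rows)
    brute = sorted(ip for ip, c in summary.items() if c["fail"] >= fail_threshold)
    foreign_ok = sorted(ip for ip, c in summary.items() if c["ok"] and not inside(ip))
    return {"brute_force": brute, "foreign_auth_success": foreign_ok}


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for ip, counts in sorted(auth_summary(rows).items()):
        print(f"{ip:15} failed={counts['fail']} ok={counts['ok']}")
    print(flag_sources(rows, ["10.0.0.0/24"]))
```

Hosts in "brute_force" are what Connection Control would block; hosts in "foreign_auth_success" are the ones that matter more, because they show which session is riding a working password and therefore which account to reset before the relay setting is tightened. The inbound-only host (198.51.100.4) never issues AUTH and is not touched, which is the point harleyjd makes: ordinary mail delivery needs no login.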
 
LVL 15

Expert Comment

by:harleyjd
ID: 14328471
I think my answer is the best, but Snodlander also has a valid response in #12282723

I would not argue if you decide to Delete/No refund as abandoned, either.
