Unauthorized user logged into the SMTP server.

Posted on 2004-10-11
Last Modified: 2008-02-01
I'm getting single named, unauthorized users in my Exchange 2003 SMTP connector for long periods of time. I have Anonymous, Basic Authentication, and Integrated Windows Authentication enabled in my default SMTP settings. What can I do to kill these users without killing all of my email?
Question by:dmalford
LVL 15

Expert Comment

ID: 12274331
What is your smtp server doing? Like is it just there to receive email from other hosts, or is it there to  relay email for your domain?

Can you fill us in on some of the other settings - relay restrictions, if certain users are granted access or denied access, if relaying is enabled for or * or anything?

Probably the simplest measure you can take is to uncheck the "allow computers which authenticate to relay regardless of the list above" - that will stop anyone with a valid user/pass from relaying. It will however, stop authorised users from sending email via SMTP. If they send via Outlook (using exchange) or Outlook Web Access they'll be fine, but Outlook Express, Eudora et al will be hamstrung.

Expert Comment

ID: 12274376
Sounds like an open relay issue.

Go here to test your relay
Post your results and more info re settings on SMTP server.

Author Comment

ID: 12277101
The server has not been listed as an open relay and has passed the required tests.

LVL 15

Expert Comment

ID: 12277298
From your description I discounted the OR theory - I think you need to force a password policy on the domain, and force all users to change their passwords and/or (preferably 'and') remove the authenticated relay from the Virtual SMTP server.

Oh, and an expert tip - try not to respond only to the last comment. You're more likely to get follow-up advice if you respond to each suggestion in turn.

Expert Comment

ID: 12281715
I think forcing a password policy on the domain is not the way to go!

You will not be able to receive e-mail from anyone who does not log in to your server, meaning e-mail flow into your organization will stop. This can be very bad for business.

So here is what you can do.

1: Ignore it since it really does not hurt anything other than a small amount of bandwidth.

2: Go into your exchange system manager Expand Administrative Groups-First Administrative Group-"your Server Name"-Protocols-SMTP-Current Sessions

    Once you find the offending user, right click on the connection, write down the IP address, and Terminate it.

You can block this user in your SMTP settings:

To do this you can right click on your Default SMTP connection and click on properties.

Once you do this click on the Access Tab and then find Connection Control. Click on the Connection Button.

You will see the following:
    It will ask you to "select which computers may access this virtual server".
    You want to have the radio button "All except the list below" checked,
    and below "Computers" you can add the IP address of the offending connection.

Now you have blocked the offending connection.
LVL 15

Expert Comment

ID: 12281875
Falcon - there is nothing wrong with my suggestion. It will still allow inbound mail to the SMTP server, but it will prevent anyone using a stolen login and password from relaying through the server.

You do not need any form of relaying enabled to send mail to an SMTP server. None, nada, nix. You do not need a valid user/pass to send email to a domain. Spammers will use BRUTE FORCE methods to attempt to relay via SMTP servers - I've seen them doing it.

Blocking individual IP's is a waste of time and resources - spammers rarely use the same IP twice.

The only downside to removing authenticated relaying is that authorised users will be unable to send email from a non-MAPI mail client, such as those I have already listed. dmalford has not chosen to fill us in on whether that is required or not, but if it is then he has NO choice but to force a system-wide password change, and enforce a secure password policy.

I would suggest the password policy change as a matter of course - who knows what passwords have been hacked? Do you really think it is wise that he proceed with at least one compromised password in the system?
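The disagreement in the two comments above comes down to which of the SMTP virtual server's Access-tab settings applies to which kind of message. The following is an added example, not code from the thread or from Microsoft: a small Python model of the observable behaviour of Connection control, Authentication and Relay restrictions on an Exchange 2003 SMTP virtual server. The domain names, addresses and the three server profiles are constructed; the metabase is not touched.

```python
"""Decision model for the Exchange 2003 SMTP virtual server "Access" tab
(Connection control, Authentication, Relay restrictions).

Added example, not Microsoft code: it reproduces the observable behaviour
of the settings discussed in the thread; all names below are assumed."""
from dataclasses import dataclass, field
import ipaddress


def _in_any(ip, networks):
    """True if ip (string) falls inside any network in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


@dataclass
class SmtpVirtualServer:
    local_domains: set                   # domains in the recipient policy
    # Connection control: "All except the list below" (True) or "Only the list below" (False)
    connection_grant_by_default: bool = True
    connection_list: list = field(default_factory=list)
    allow_anonymous: bool = True         # Authentication tab: Anonymous access
    # Relay restrictions: "Only the list below" (False, the default) or "All except the list below" (True)
    relay_grant_by_default: bool = False
    relay_list: list = field(default_factory=list)
    # "Allow all computers which successfully authenticate to relay, regardless of the list above"
    relay_for_auth: bool = True

    def may_connect(self, ip):
        listed = _in_any(ip, self.connection_list)
        return (not listed) if self.connection_grant_by_default else listed

    def rcpt(self, ip, authenticated, recipient):
        """Decide one RCPT TO; returns (accepted, reason)."""
        if not self.may_connect(ip):
            return False, "connection refused by connection control"
        if not authenticated and not self.allow_anonymous:
            return False, "anonymous access disabled"
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            # Inbound mail for a local domain is delivery, not relay:
            # the relay settings below never apply to it.
            return True, "local delivery"
        listed = _in_any(ip, self.relay_list)
        if (not listed) if self.relay_grant_by_default else listed:
            return True, "relay: IP permitted by relay list"
        if authenticated and self.relay_for_auth:
            return True, "relay: authenticated session"
        return False, "550 5.7.1 Unable to relay"


LOCAL = {"corp.example"}                 # constructed local domain
INTERNAL_NETS = ["192.168.1.0/24"]       # constructed LAN


def default_server():
    """Exchange 2003 defaults: empty relay list, authenticated relay allowed."""
    return SmtpVirtualServer(local_domains=LOCAL)


def no_auth_relay_server():
    """Same, with the "authenticate to relay" box cleared."""
    return SmtpVirtualServer(local_domains=LOCAL, relay_for_auth=False)


def lan_only_server():
    """Connection control set to "Only the list below" with the LAN listed."""
    return SmtpVirtualServer(local_domains=LOCAL,
                             connection_grant_by_default=False,
                             connection_list=INTERNAL_NETS)


if __name__ == "__main__":
    cases = [
        ("203.0.113.7", True, "victim@example.net"),   # stolen credential used to relay outbound
        ("192.0.2.44", False, "sales@corp.example"),   # ordinary inbound Internet mail
        ("192.168.1.20", True, "client@example.net"),  # LAN user on a POP/SMTP client
    ]
    profiles = [("default", default_server()),
                ("no-auth-relay", no_auth_relay_server()),
                ("lan-only", lan_only_server())]
    for name, srv in profiles:
        for ip, auth, rcpt in cases:
            print(f"{name:14} {ip:14} auth={auth!s:5} {rcpt:22} -> {srv.rcpt(ip, auth, rcpt)}")
```

Running the three profiles against the same three sessions shows the point at issue: clearing the authenticated-relay box turns the stolen-credential session's outbound RCPT into "550 5.7.1 Unable to relay" while the anonymous inbound message for corp.example is still accepted as local delivery. The LAN-only profile also stops the outsider, but refuses the inbound Internet MTA as well, so it is only usable where another host or a second virtual server receives mail from the Internet.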

Expert Comment

ID: 12282008
I was thinking you were talking about forcing a password policy for the SMTP relay virtual server. My bad, hey we all make mistakes right! Especially when the wife calls. I agree with you that this person needs to force a password policy on the domain.

I would also highly suggest clearing the "allow users who authenticate to relay regardless of the list above". The way to find this is in the SMTP properties, under the Access tab and then the Relay tab.

Accepted Solution

Snodlander earned 500 total points
ID: 12282723
Rather than blocking access to the SMTP virtual server via IP for each individual anomaly that shows up, you should be allowing ONLY machines with local IP addresses (or, in the case of multiple subnets, machines with a name *) to access your SMTP server. Deny everyone else even if authenticated by other means. As administrator you should be privy to knowing who exactly should be able to access your server, at least in terms of IP addresses and domain names.
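Before choosing between the accepted solution's allow-list and the earlier advice that spammers brute-force credentials and rarely reuse an IP, it helps to see what the SMTP virtual server's own W3C log shows. The following is an added example, not code from the thread: a Python pass over constructed log lines that counts failed AUTH attempts per source, lists authenticated sessions from outside the local subnets named in the accepted solution, and picks out accepted RCPT TO commands for non-local domains on authenticated sessions. The field list in the `#Fields:` header is an assumed subset of the usual IIS 6 columns; real logs carry more, which the header parsing absorbs.

```python
"""Detection over Exchange 2003 SMTP virtual server logs (W3C extended format).

Added example, not code from the thread.  SAMPLE_LOG is constructed, with an
assumed subset of the IIS field list; the #Fields: header drives the parser."""
import ipaddress
from collections import Counter

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2004-10-11 08:14:02 203.0.113.7 - SMTPSVC1 EHLO +mail.example.net 250
2004-10-11 08:14:02 203.0.113.7 - SMTPSVC1 AUTH +LOGIN 334
2004-10-11 08:14:03 203.0.113.7 - SMTPSVC1 AUTH - 535
2004-10-11 08:14:04 203.0.113.7 - SMTPSVC1 AUTH - 535
2004-10-11 08:14:05 203.0.113.7 - SMTPSVC1 AUTH - 535
2004-10-11 08:14:07 203.0.113.7 - SMTPSVC1 AUTH - 535
2004-10-11 08:14:09 203.0.113.7 CORP\jsmith SMTPSVC1 AUTH - 235
2004-10-11 08:14:10 203.0.113.7 CORP\jsmith SMTPSVC1 MAIL +FROM:<jsmith@corp.example> 250
2004-10-11 08:14:10 203.0.113.7 CORP\jsmith SMTPSVC1 RCPT +TO:<victim@example.net> 250
2004-10-11 08:20:31 192.0.2.44 - SMTPSVC1 MAIL +FROM:<partner@example.org> 250
2004-10-11 08:20:31 192.0.2.44 - SMTPSVC1 RCPT +TO:<sales@corp.example> 250
2004-10-11 08:25:00 192.168.1.20 CORP\amy SMTPSVC1 AUTH - 235
2004-10-11 08:25:01 192.168.1.20 CORP\amy SMTPSVC1 RCPT +TO:<client@example.net> 250
"""


def parse_w3c(text):
    """Turn a W3C extended log into a list of dicts keyed by the #Fields: names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def auth_failures(rows, threshold=3):
    """Source IPs with at least `threshold` AUTH commands answered 535 (bad credentials)."""
    counts = Counter(r["c-ip"] for r in rows
                     if r["cs-method"] == "AUTH" and r["sc-status"] == "535")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def authenticated_from_outside(rows, allowed_nets):
    """(ip, user) pairs that authenticated from an address outside the listed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = set()
    for r in rows:
        if r["cs-username"] == "-":
            continue
        if not any(ipaddress.ip_address(r["c-ip"]) in n for n in nets):
            hits.add((r["c-ip"], r["cs-username"]))
    return sorted(hits)


def relayed_via_credentials(rows, local_domains):
    """Accepted RCPT TO for a non-local domain on an authenticated session, in log order."""
    hits = []
    for r in rows:
        if r["cs-method"] != "RCPT" or r["sc-status"] != "250" or r["cs-username"] == "-":
            continue
        rcpt = r["cs-uri-query"].split(":", 1)[-1].strip("<>")   # "+TO:<a@b>" -> "a@b"
        if rcpt.rsplit("@", 1)[-1].lower() not in local_domains:
            hits.append((r["c-ip"], r["cs-username"], rcpt))
    return hits


def report(text, allowed_nets, local_domains, threshold=3):
    """Combine the three checks; suspect_relay keeps only relays from outside the LAN."""
    rows = parse_w3c(text)
    nets = [ipaddress.ip_network(n) for n in allowed_nets]

    def outside(ip):
        return not any(ipaddress.ip_address(ip) in n for n in nets)

    return {
        "brute_force": auth_failures(rows, threshold),
        "foreign_logins": authenticated_from_outside(rows, allowed_nets),
        "suspect_relay": [h for h in relayed_via_credentials(rows, local_domains) if outside(h[0])],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, ["192.168.1.0/24"], {"corp.example"}).items():
        print(f"{key}: {value}")
```

On the constructed log the report ties the three observations together: 203.0.113.7 fails AUTH four times, then succeeds as CORP\jsmith and relays to an outside domain, which is exactly the brute-forced credential described earlier in the thread, whereas CORP\amy relaying from 192.168.1.20 is normal LAN use and is not flagged. Blocking 203.0.113.7 alone helps only until the next source address; the username is the durable indicator and points at the account whose password needs changing.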
LVL 15

Expert Comment

ID: 14328471
I think my answer is the best, but Snodlander also has a valid response in #12282723

I would not argue if you decide to Delete/No refund as abandoned, either.
