Exchange Server Log check

Hi,
I have attached 3 event logs for the SMTP protocol, which I took last night when only the Exchange server was running in our organization; all other PCs were shut down.

Can anyone tell me what this log means?

Does it mean someone successfully sent email via my server, but it was refused by the receiver's server??


compromised1.GIF
Compromised2.GIF
compromised3.GIF
fosiul01 Asked:

abdulzis Commented:
refer: http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21100498.html

http://www.eventid.net/display.asp?eventid=7004&eventno=3510&source=MSExchangeTransport&phase=1

From a newsgroup post: "If the only problem you are seeing is that XEXCH50 is being denied in some cases, but there is no mail flow problem, it sounds like everything is ok as long as XEXCH50 is only being denied from servers outside of your Exchange Organization and mail is still being received.

Exchange 2003 only accepts XEXCH50 protocol data from clients who authenticate and have been granted "Send As" permission on the receiving SMTP virtual server object in the AD. In this respect, Exchange 2003 behaves differently than Exchange 2000. Within a single Exchange organization, Exchange setup takes care of ensuring that all Exchange servers have the necessary "Send As" right on all of the SMTP virtual servers, through the ACL on the Exchange organization object in the AD which inherits down to all of the SMTP virtual server objects. Because of this, the XEXCH50 command should be properly sent and received between servers within a single Exchange organization.

It is expected that Exchange 2003 will block inbound XEXCH50 data from other Exchange organizations by default, and in this regard, the fact that it is responding with "504 Need to authenticate first" is actually correct, if the remote server is not part of the same Exchange organization.

If you are seeing this between servers in the same Exchange organization, that is potentially an authentication or ACLing problem that should be looked into. You can use "ADSIEdit.msc" to investigate the ACLs of the Exchange objects in the configuration container if you suspect that the necessary Exchange server security groups have not been granted the "Send As" access that they need on the SMTP virtual servers.

If you are seeing this between servers in different Exchange organizations, it is normal expected behavior, and should not actually block mail flow. When Exchange 2003 rejects an inbound XEXCH50 attempt, it allows the client to continue without the XEXCH50 data. When Exchange 2000 or 2003 attempt to send an XEXCH50 command and are denied, they continue to try to send their message data."
0
Bertling Commented:
Looks like someone is trying to relay mail through you; this could be a user who is set up with POP3 and entered the wrong password.

Do any of your users use POP3?
0
fosiul01 (Author) Commented:
Hmm, I read that before, but I did not understand it fully.

Right now my concern is: if you check the log, it's 5 AM. Am I seeing this log in my event log because:

1) my server is sending email to another server and the other server is rejecting it??
or
2) another server is trying to send email to my server but my server is rejecting it??

If it's 2, then I am fine, but if it's 1 then I am in trouble.

I want to get confirmation of 1 or 2 first.
0

fosiul01 (Author) Commented:
No, we don't have any POP3 users, and as I said, it's 5 AM.

About your comment: "looks like someone is trying to relay mail through you, this could be a user who is setup with pop3 and entered the wrong password" = does that mean someone is trying to send email via our server, but our server is rejecting it??


0
JoWickerman Commented:
Hi fosiul01,

Look at this article. It'll explain it better:

http://support.microsoft.com/kb/843106

Let me know if this helped.

Cheers
0
Bertling Commented:
Yes, someone could be trying to relay mail, but you are not an open relay, so there isn't much you can do to stop it apart from buying some kind of intrusion protection and prevention.

But there isn't much point if it's just this 1 small issue that may not arise again.

Could be a legitimate user entering the wrong password.
0
fosiul01 (Author) Commented:
I have read that one before, and I did what it said a couple of months ago.

But I am really afraid; I just want a confirmation first from someone,

either 1 or 2 or 3:

1) my server is sending email to another server and the other server is rejecting it??
or
2) another server is trying to send email to my server but my server is rejecting it??

3) Or someone is trying to send email but, due to no permission, my server is rejecting it??

0
Bertling Commented:
OK, have ANY of your users said that they are not getting mail from some senders, and/or have your users said that their mail is not getting to the addresses they try to send to?

If it is no, then it's not likely to be 1 or 2.

3 is possible.
0

fosiul01 (Author) Commented:
OK, as I said, it's at 5 AM; my office opens at 9 AM.

I checked my server queue at 9 PM at night (it was clear), event log clear.

Now when I checked at 8 AM (server queue is clear), but in the event log I saw those entries.

"ok have ANY of your users said that they are not getting mail from some senders, and/or have your users said that their mail is not getting to the addresses they try to send to."

Yes, yesterday one of my users tried to send email to one client, but in the event log I was getting the same entry. I knew it's a valid reason; that email went through today.

But at 5 AM, nobody from my office tried to send email to anyone, so it must be someone outside trying to do it.

As my server is not an open relay.

So what do you think?? So you are saying that someone is trying to send email but it did not relay due to permission??

I just want to hear: did the server relay the email or not??

0
Michael Worsham (Staff Infrastructure Architect) Commented:
No, your server did not relay the e-mail. Whenever you see a '5.7.1 Unable to relay' message, then your system did not relay the message.

---

From the number of questions you have asked before, it sounds like your SBS server is exposed to the Internet directly. There is no one way to prevent your site from being hammered by script kiddies that are attempting to exploit your server. About the best you can do is to reduce the amount of spam that is sent your way.

One option you might be able to use is installing an open source Untangle appliance between your router and your SBS server. In bridged mode, the Untangle appliance can be configured to filter e-mail, do in-line anti-virus checking, handle anti-spyware, QoS, prevent/block certain protocols and/or certain sites from being accessed via its web filtering roles, thus relieving your SBS server from having to deal with the clutter.

Oh... and Untangle is also free.

Untangle Site:
http://www.untangle.com/

Untangle Product Overview:
http://www.untangle.com/index.php?option=com_content&task=view&id=86&Itemid=179
0
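Added example (not part of the original thread, and not Exchange's own log format): a small Python check that applies the rule from the answer above to an SMTP session, reporting for each `RCPT TO` whether the server refused to relay (`5.7.1`), accepted inbound mail for its own domain, or accepted mail for a foreign domain. The `C:`/`S:` transcript, the `LOCAL_DOMAINS` value and the function name are constructed assumptions.

```python
import re

# Assumption: the domains this server is responsible for (placeholder value).
LOCAL_DOMAINS = {"example.com"}

# Constructed session: "C:" = connecting host, "S:" = this server.
SAMPLE = """\
C: EHLO host.example.net
S: 250-mail.example.com Hello
S: 250 AUTH LOGIN
C: MAIL FROM:<sender@example.net>
S: 250 2.1.0 sender@example.net....Sender OK
C: RCPT TO:<someone@example.org>
S: 550 5.7.1 Unable to relay for someone@example.org
C: RCPT TO:<staff@example.com>
S: 250 2.1.5 staff@example.com
"""

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>@]+@([^>]+))>", re.IGNORECASE)

def classify_recipients(transcript, local_domains=LOCAL_DOMAINS):
    """Return (recipient, reply_code, verdict) for every RCPT TO in a session."""
    results, authenticated, pending = [], False, None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C":
            pending = RCPT_RE.match(text)    # None unless this is RCPT TO
            continue
        if side != "S" or text[3:4] == "-":  # skip continuation lines of a multiline reply
            continue
        code = text[:3]
        if code == "235":                    # AUTH succeeded (RFC 4954)
            authenticated = True
        if pending is None:
            continue
        rcpt, domain = pending.group(1), pending.group(2).lower()
        if not code.startswith("2"):
            verdict = "relay refused" if text[4:9] == "5.7.1" else "rejected"
        elif domain in local_domains:
            verdict = "inbound delivery accepted"
        elif authenticated:
            verdict = "relayed for authenticated client"
        else:
            verdict = "RELAYED WITHOUT AUTH (open relay)"
        results.append((rcpt, code, verdict))
        pending = None
    return results
```

Only the last verdict indicates that the server forwarded mail for an unauthenticated outside host; a `5.7.1` refusal means the attempt was blocked.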
fosiul01 (Author) Commented:
Hmm, no, I am using IPCop as a firewall, and my server is behind that firewall.

I will have to think about Untangle; I will check today.
0
Bertling Commented:
You could always use appriver.com, then set your firewall to ONLY accept inbound mail from AppRiver's IP address; that way no connections will ever get to the Exchange server apart from AppRiver.

All your mail will be routed from them direct to your mail server. Also, this will be filtered for spam and viruses etc.
0