We have been having problems related to unsuccessful attempts to relay e-mail through our Exchange server, or at least, that is what I believe is the root cause. We get a series of several thousand events with ID 529 in our Security event log over a period of a few hours, generally on a weekend, such as the following:
3/14/2011 7:02:27 AM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM OURSERVER "Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: OURSERVER
Caller User Name: OURSERVER$
Caller Domain: OURDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2232 [NOTE: This is inetinfo.exe]
Transited Services: -
Source Network Address: -
Source Port: -
These will contain a variety of user names including "administrator", "master", "root", "123", and so forth. Unfortunately, they also include the user account names of a couple of our actual users (non-administrators). Since there are 20 or more attempts to log in with their account names in a short period of time, their accounts get locked out.
This has been a sporadic problem in the past, but lately it has been happening almost every weekend. Unfortunately, it is the same two user accounts that always get locked out. Previous research had led me to discover that these messages are the result of attempts to relay e-mail through our server, and indeed, I can find thousands of entries such as the following in our SMTP log:
2011-03-14 00:01:58 220.127.116.11 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 EHLO - +btxcpmjjv.com 250 0 - -
2011-03-14 00:02:29 18.104.22.168 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 QUIT - btxcpmjjv.com 240 31219 - -
To this point, all I have done is to find the source IP addresses in our SMTP log, then block these at our firewall. Of course, the attacks always come from different IP addresses, so this doesn't have much success.
My question: Is there anything we can do to prevent such attacks from locking out our users?
I figure I can change our password policy to raise the number of attempts before a lockout, but I would rather not have to do that. I'm going to talk to our firewall vendor (SonicWALL) to see if any of their add-on services would help prevent this. But I thought I would try here first to see if anyone had any ideas. So, any ideas?
We are using Windows Small Business Server 2003 SP2 with the included versions of Exchange Server 2003 (SP2) and IIS. Although we have SBS Premium, we are currently NOT using ISA and SBS is configured with a single NIC. It sits behind a SonicWALL PRO 2040 firewall/router.