Also take a look at http://www.microsoft.com/exchange/techinfo/interop/55.asp for some great upgrade scenario information.
Ideally you will want to start out with an environment that represents what you have today, and then figure out the steps you need to go through to get to what you want...
Since it's NTLM, it's less likely to be a worm (should have picked up that before). Does he have any POP/IMAP accounts configured with either Outlook or Outlook Express?
You either have delegated rights or you are using an account that has rights to view that mailbox.
It does not work like that when (default) permissions are set correctly.
If you authenticated, then you are allowed to relay by default. That check box allows anonymous people to relay to that address space.
If you created an address space of aol.com, then yes, 3rd parties can relay aol.com to your new server (not to AOL) as long as you specify a smarthost rather...
It's much easier than sendmail (unless you are using the access db)! :)
Here's a basic configuration:
Start Exchange System Manager (ESM)
Right click on Connectors folder and select New SMTP Connector
Set the name
Change the delivery to smart host, and add the name or ip (use [] for IP's to skip...
The first step is to examine the received headers of a delayed message to figure out where the message was queued up.
Once you have that information you can start figuring out exactly where to start looking.
Sbass2 - That is quite possible. But I've also seen people reporting non-guest/admin accounts being compromised that had strong passwords. Since W32.swen asks for this information, it's the best target at this point, especially for the non-generic account compromise scenarios.
It's also...
The machine is probably infected with W32.swen.a@mm worm.
Check out http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html for details
Based on my testing, 1707 events are what you get when you have failed logons. Too bad there is no information as to who they were trying to authenticate as. Exchange 5.5 has both success and failed events that are much easier to audit.
BTW - It's very likely that one of your end users is...
I betcha this is the w32.swen.a@mm.html
See http://www.sarc.com/avcenter/venc/data/w32.swen.a@mm.html for details.
Check out step 12 for why I think it's this virus. It is prompting infected users for authentication information.
If this is indeed a Virus/Worm and your topology DOES NOT require end users to submit to your internet facing machines via SMTP, then I would highly recommend turning off authenticated relay!
For those that have been hit by this (I have not), do you see lots of failed logon attempts? I would...
mmonti - that is the WRONG approach
Someone has figured out the password to one of your accounts and is using it to authenticate. The correct solution is to figure out which account is compromised and either disable it or set a strong password on it.
A compromised password can be used for...
KBADMIN -
\administrator is the local machine administrator
Unfortunately I don't have any NT4 boxes around anymore, so I can give you details on how to change the password/disable the local administrator account, but look on the box itself for a local Administrator account.
Hopefully someone...
Check the Exchange 5.5 Forum for a detailed answer to your question. You most likely have an account that has a weak password that a spammer has figured out. They are able to relay because by default authenticated users are able to relay.
Exact steps for Exchange 5.5:
Start->Programs->Microsoft Exchange->Microsoft Exchange Administrator
Connect to your Org
Find your internet facing server
Select its properties (either select it and type <alt><enter> or hit the property button)
Select the Diagnostics Logging Tab
Select...
Turn your Diagnostic logging to Maximum for MSExchangeIMC -> SMTP Interface Events.
Look at all SMTP Interface Events in the Event logs. Look for both 2010 Events (successful login) for accounts that SHOULD NOT BE AUTHENTICATING as well as 4183 Events (failed login). It appears that whatever...