
Event ID 529...900+ times...a cause for worry?

Status
Not open for further replies.

wahnula

Technical User
Jun 26, 2005
4,158
US
Hello,

I was greeted by this report that there were 922 errors in my Security log of my SBS2003 SP1 Premium:

**START** Security 529 2/27/2007 2:07 PM 922 *
Logon Failure:
Reason: Unknown user name or bad password
User Name: abusefully
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: xxxx2
Caller User Name: xxxx2$
Caller Domain: xxxx
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1200
Transited Services: -
Source Network Address: -
Source Port: -**END**

NOTE: xxxx is my domain.

All attempts were made within a few minutes, and with various usernames. My tech (MCSE), who sold me my SonicWall, shrugged it off as an SMTP spam attack, but I am still concerned.

All clients have A/V as well as gateway A/V on the SonicWall. Is there a way in SBS to block a certain IP after X number of failed logins? I do not have ISA installed, as per his advice.

Tony
 
There are a bunch of non-worrisome things that can cause this. And it could also be someone trying to authenticate to your server and failing.

Your SonicWall rep was right: it's probably either a user who had pointed his IMAP/POP client at your server and tried to authenticate, or it's another Exchange server out there that is trying to open an authenticated SMTP session to your server.

What's the workstation name that you obscured? Was it your domain name?

There's not a lot to be worried about. Even if you had ISA running, you'd probably still get the same messages, since ISA isn't going to block authentication attempts to SMTP. And no, there's no way to block it with the hardware that you have without purchasing some sort of custom SMTP security add-on. I wouldn't worry about it if I were you. I'd just make sure that your users have strong passwords, and that your Admin account password is complex.

ShackDaddy
Shackelford Consulting
 
ShackDaddy,

The workstation's name is not the same as the internal domain name, but it is the same as the DDNS domain used for email. For example, the machine's name is BOBS2, the internal domain is BOBS, and the DDNS domain is None of these is our published Website address,
Thanks for the reassurance. On with more pressing problems.

BOB lol
 
I was asking about the workstation name because there are two or three things that can happen on the internal domain that will generate those messages that have nothing to do with anyone trying to get away with anything.

Just to give one example, if you logged on to an internal workstation as its LOCAL admin account instead of a domain account, sometimes the workstation will attempt a bunch of connections to the domain controller and fail with this event number because the logged-on user is not an authenticated one. And the KB that describes that behavior says to just ignore it.

ShackDaddy
Shackelford Consulting
 
ShackDaddy,

I believe this was a real attack, as each of the 922 Security events featured a different username trying to log on. "abusefully" was the last one; there were 921 other unique names (well, at least the 100 or so I flipped through were all unique). Of course admin, guest, and administrator were on the list. We have Password Policies enforced and the Admin passphrase is especially strong. I guess this is why. Thrill of the day.

Tony, er, BOB
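The distinction the thread arrives at (many different usernames failing in a few minutes versus one account failing repeatedly) is something you can check mechanically rather than by flipping through a hundred entries. The script below is an added example, not code from the thread or from any Microsoft or SonicWall tool: it parses a text dump of Event ID 529 records in the field layout shown in the first post, groups failures by Workstation Name and Logon Process, and labels each group. The sample records, the "WS01" workstation, the "localadmin" account and the thresholds are constructed for the example; only the "xxxx2"/Advapi pattern mirrors the event quoted above.

```python
"""Classify bursts of Windows Event ID 529 (pre-Vista logon failure) records.

Added example for the thread above. Grouping is by Workstation Name and
Logon Process because, as the quoted event shows, Source Network Address
is "-" for these Advapi (SMTP AUTH style) failures, so no IP is available.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One header line per record, e.g. "Security 529 2/27/2007 2:07 PM"
HEADER_RE = re.compile(r"^Security 529 (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)[ \t]*$", re.M)
# The fields the classifier needs; other fields in the record are ignored
FIELD_RE = re.compile(
    r"^(User Name|Logon Type|Logon Process|Workstation Name|Caller User Name):[ \t]*(.*)$", re.M)


def make_event(ts, user, workstation, process):
    """Build one constructed 529 record in the layout quoted in the thread."""
    return (f"Security 529 {ts}\n"
            "Logon Failure:\n"
            "Reason: Unknown user name or bad password\n"
            f"User Name: {user}\n"
            "Domain:\n"
            "Logon Type: 3\n"
            f"Logon Process: {process}\n"
            "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f"Workstation Name: {workstation}\n"
            f"Caller User Name: {workstation}$\n"
            "Source Network Address: -\n\n")


# Constructed sample: eight distinct usernames against "xxxx2" via Advapi within
# two minutes (the thread's pattern), plus a hypothetical workstation "WS01"
# failing three times with the same local account (the benign pattern).
GUESSED_NAMES = ["administrator", "admin", "guest", "sales",
                 "info", "webmaster", "test", "abusefully"]
SAMPLE_TEXT = "".join(
    make_event(f"2/27/2007 2:0{5 + i // 4} PM", name, "xxxx2", "Advapi")
    for i, name in enumerate(GUESSED_NAMES)
) + "".join(
    make_event("2/27/2007 9:15 AM", "localadmin", "WS01", "NtLmSsp") for _ in range(3)
)


def parse_529_events(text):
    """Split a text dump of 529 records into dicts with a parsed 'time' field."""
    events = []
    parts = HEADER_RE.split(text)  # [preamble, ts1, body1, ts2, body2, ...]
    for i in range(1, len(parts), 2):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(parts[i + 1])}
        fields["time"] = datetime.strptime(parts[i], "%m/%d/%Y %I:%M %p")
        events.append(fields)
    return events


def classify_bursts(events, window=timedelta(minutes=10),
                    min_failures=5, min_distinct_users=5):
    """Label each (Workstation Name, Logon Process) group of failures.

    Many distinct usernames inside a short window is the password-guessing
    signature; one username repeating is the misconfigured-client signature.
    Thresholds are example values, not a Microsoft recommendation.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e.get("Workstation Name", ""), e.get("Logon Process", ""))].append(e)
    verdicts = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        span = evs[-1]["time"] - evs[0]["time"]
        users = {e.get("User Name", "").lower() for e in evs}
        if len(evs) >= min_failures and len(users) >= min_distinct_users and span <= window:
            verdict = "credential guessing: many distinct usernames in a short window"
        elif len(users) == 1:
            verdict = "single account repeating: likely misconfigured client or stale credential"
        else:
            verdict = "inconclusive"
        verdicts[key] = {"count": len(evs), "distinct_users": len(users),
                         "span_minutes": span.total_seconds() / 60, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for key, v in classify_bursts(parse_529_events(SAMPLE_TEXT)).items():
        print(key, v)
```

On SBS 2003 the native control for the guessing pattern is the account lockout and password policy already mentioned in the thread; since these Advapi failures carry no source address, a per-IP block would have to be done at the mail gateway rather than from the event itself.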
 
