Lots of Events on MSExchangeTransport

Discussion in 'Windows Small Business Server' started by Louie Landkirk, Jan 5, 2006.

  1. I was recently informed by my ISP that I am sending a lot of SPAM that
    contains Phishing attacks. I looked at all of the MSKB articles regarding
    securing exchange server and locking down the network. I turned up logging
    to max and have been receiving the following events in the application log:

    EventID: 7010

    This is an SMTP protocol log for virtual server ID 1, connection #48. The
    client at "216.170.17.26" sent a "xexch50" command, and the SMTP server
    responded with "504 Need to authenticate first ". The full command sent was
    "xexch50 1008 2". This will probably cause the connection to fail.

    My first question is how do I view the "connection" referenced in the event
    log i.e. how do I view connection #48? Second, how can I stop this? I have
    locked down my firewall, locked down my exchange server, I don't know what
    else to do. My IP has been blocked on a lot of blacklists but I don't want
    to request it be removed until I have figured out where the backdoor to my
    system is that is letting people send spam off my IP address. I have also
    isolated my server and all computers from the internet and run a full virus
    scan and spyware scan on everything.

    I am finally at my last resort because I have tried everything I know of to
    analyze this thing. Thank you for your time.
     
    Louie Landkirk, Jan 5, 2006
    #1
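
As an added example (not part of the original thread, and not Microsoft tooling): a parser for Event ID 7010 description text in the form quoted in the post above, tallying events by client address, SMTP verb and reply code so rejected commands can be grouped per remote host. The first sample is the event from the post; the other entries are constructed, and the code assumes the descriptions have been exported from the application log as plain text.

```python
import re
from collections import Counter

# Description text of MSExchangeTransport Event ID 7010, in the form quoted in the post.
EVENT_7010 = re.compile(
    r'virtual server ID (?P<vsid>\d+), connection #(?P<conn>\d+)\. '
    r'The client at "(?P<client>[^"]+)" sent an? "(?P<verb>[^"]+)" command, '
    r'and the SMTP server responded with "(?P<response>[^"]*?)\s*"\. '
    r'The full command sent was "(?P<full>[^"]*)"'
)

def parse_7010(description):
    """Return the fields of one Event 7010 description, or None if it does not match."""
    m = EVENT_7010.search(" ".join(description.split()))  # undo export line wrapping
    if m is None:
        return None
    rec = m.groupdict()
    rec["code"] = rec["response"][:3]  # SMTP reply code, e.g. 504
    return rec

def summarize(descriptions):
    """Tally (client, verb, reply code) and keep entries that did not parse."""
    counts, unparsed = Counter(), []
    for d in descriptions:
        rec = parse_7010(d)
        if rec is None:
            unparsed.append(d)
        else:
            counts[(rec["client"], rec["verb"].lower(), rec["code"])] += 1
    return counts, unparsed

TEMPLATE = ('This is an SMTP protocol log for virtual server ID 1, connection #{n}. '
            'The client at "{ip}" sent a "{verb}" command, and the SMTP server\n'
            'responded with "{resp} ". The full command sent was "{full}". '
            'This will probably cause the connection to fail.')
SAMPLE = [
    # Event from the post:
    TEMPLATE.format(n=48, ip="216.170.17.26", verb="xexch50",
                    resp="504 Need to authenticate first", full="xexch50 1008 2"),
    # Constructed entries (documentation address range):
    TEMPLATE.format(n=49, ip="192.0.2.10", verb="xexch50",
                    resp="504 Need to authenticate first", full="xexch50 1012 2"),
    TEMPLATE.format(n=50, ip="192.0.2.10", verb="rcpt", full="rcpt TO:<user@example.net>",
                    resp="550 5.7.1 Unable to relay for user@example.net"),
    "Constructed entry in a different format that the parser should set aside.",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```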

  2. Dear Customer,

    Thank you for posting to the SBS Newsgroup.

    I understand that you are informed by your ISP that your Exchange Server is
    sending a lot of spam emails, and you also notice Event ID 7010 is recorded
    on SBS Server. If I have misunderstood your issue, please let me know.

    Based on my experience, we need many log files to analyze and time to
    troubleshoot this issue. At this stage, we are not sure whether Event ID
    7010 is related to spam emails. So please take your time to read through
    my following information, perform the steps and gather the log files for
    further research:

    =======

    Suggestion:

    Regarding Event ID 7010, please check whether you have enabled Integrated
    Windows Authentication on the SMTP virtual servers on the Exchange Server.
    For detailed information and suggestions, please see the following KB article:

    843106 How to troubleshoot the "504 need to authenticate first" SMTP
    protocol error
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;843106

    =======

    1. Please check whether there is anybody trying to relay through your
    Exchange Server. I strongly suggest that you read through the following two KB
    articles:

    To secure your Exchange server, please refer to the following KB article:

    324958 How to block open SMTP relaying and clean up Exchange Server SMTP
    queues
    http://support.microsoft.com/?id=324958

    Check if your SBS server is under Reverse NDR Attack by referring to the
    following KB article:

    886208 Exchange queues fill with many non-delivery reports from the
    postmaster
    http://support.microsoft.com/?id=886208

    2. Do you have any issues when sending/receiving internal/external email in the
    SBS network?

    3. Are there any other issues related to Exchange that you are experiencing?

    4. Please check whether you use DNS or a Smart Host on Exchange Server. To do so:

    a. Open Exchange System Manager.

    b. Expand to Routing Groups\Connectors\SmallBusiness SMTP connector.

    c. Right click SmallBusiness SMTP connector, select Properties.

    d. On the General tab, do you select "Use DNS to route to each address
    space..." or "Forward all mail through this connector to..."?

    5. Please help me to gather the Message Tracking Log. To do so, please
    refer to the KB article 821910 below:

    821910 How to troubleshoot for Exchange Server 2003 transport issues
    http://support.microsoft.com/?id=821910#XSLTH3149121121120121120120

    Please take your time to read through all my suggestions and gather the
    information for further research. I am looking forward to hearing from you!

    Best regards,

    Brandy Nee

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



    --------------------
     
    Brandy Nee [MSFT], Jan 6, 2006
    #2

  3. Dear Customer,

    Just a follow up. Please send all the log files to my mailbox:
    .

    Thank you for your time!

    Best regards,

    Brandy Nee

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security



    --------------------
     
    Brandy Nee [MSFT], Jan 6, 2006
    #3