IIS Server Security - SMTPSVC?

razornt

2005-03-25, 6:02 pm

Someone is trying to hack our server via SMTPSVC. When I view the event log
(system) I see Event ID 100 SMTPSVC and a login attempt. However, when I try
to match the Event log time with the SMTPSVC log time nothing matches. I want
to block the IP Address of this potential intruder. How do I find the IP
Address of this potential intruder?

SMTPSVC extended property logs are turned on with client ip, date and time,
server ip and server port and also user name.

Default SMTP virtual server
No relay (only the list below) "There is no list"
Basic and Windows Security package are checked for Authentication

Thanks in advance.
Jeff Cochran

2005-03-25, 8:49 pm

On Fri, 25 Mar 2005 13:45:05 -0800, "razornt"
<razornt@discussions.microsoft.com> wrote:

>Someone is trying to hack our server via SMTPSVC. When I view the event log
>(system) I see Event ID 100 SMTPSVC and a login attempt. However, when I try
>to match the Event log time with the SMTPSVC log time nothing matches.


Are you accounting for the offset from GMT? The SMTP logs are in GMT,
Event logs are usually in local time.

Jeff


> I want
>to block the IP Address of this potential intruder. How do I find the IP
>Address of this potential intruder?
>
>SMTPSVC extended property logs are turned on with client ip, date and time,
>server ip and server port and also user name.
>
>Default SMTP virtual server
>No relay (only the list below) "There is no list"
>Basic and Windows Security package are checked for Authentication
>
>Thanks in advance.
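
Added example, not part of the original thread: a Python sketch of the correlation Jeff describes, converting a local-time Event Log timestamp to GMT/UTC before searching the SMTPSVC W3C extended log for the client IP. The log lines, the addresses (documentation ranges), the function names and the -8 hour offset are constructed assumptions; substitute the server's real offset, including daylight saving.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of an SMTPSVC W3C extended log; its timestamps are UTC.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port
2005-03-25 21:29:05 203.0.113.9 - 192.0.2.10 25
2005-03-25 21:30:10 192.0.2.45 - 192.0.2.10 25
2005-03-25 21:30:11 192.0.2.45 administrator 192.0.2.10 25
2005-03-25 21:30:40 192.0.2.45 user 192.0.2.10 25
"""


def parse_w3c(text):
    """Yield (utc_datetime, record) per entry, using the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            stamp = datetime.strptime(
                rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield stamp.replace(tzinfo=timezone.utc), rec


def clients_near_event(log_text, event_local, utc_offset_hours, window_seconds=60):
    """Count client IPs logged within window_seconds of a local-time event."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    event_utc = event_local.replace(tzinfo=local_tz).astimezone(timezone.utc)
    window = timedelta(seconds=window_seconds)
    return Counter(rec["c-ip"] for stamp, rec in parse_w3c(log_text)
                   if abs(stamp - event_utc) <= window)


if __name__ == "__main__":
    # Constructed Event ID 100 time as shown in Event Viewer (local time).
    event = datetime(2005, 3, 25, 13, 30, 12)
    print("offset ignored:", dict(clients_near_event(SAMPLE_LOG, event, 0)))
    print("offset applied:", dict(clients_near_event(SAMPLE_LOG, event, -8)))
```

With the offset ignored the search finds nothing, which is the symptom described in the question; with it applied, the entries around the event time show the connecting address.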


razornt

2005-03-28, 6:18 pm

Thanks Jeff. That makes sense. I'll check into it right away.

"Jeff Cochran" wrote:

> On Fri, 25 Mar 2005 13:45:05 -0800, "razornt"
> <razornt@discussions.microsoft.com> wrote:
>
>
> Are you accounting for the offset from GMT? The SMTP logs are in GMT,
> Event logs are usually in local time.
>
> Jeff
>
>
>
>

Leon Mayne [MVP]

2005-03-28, 6:18 pm

razornt wrote:
> Someone is trying to hack our server via SMTPSVC. When I view the
> event log (system) I see Event ID 100 SMTPSVC and a login attempt.
> However, when I try to match the Event log time with the SMTPSVC log
> time nothing matches. I want to block the IP Address of this
> potential intruder. How do I find the IP Address of this potential
> intruder?


As long as your permissions are set up OK you don't really have to worry.
Spammers are usually scanning for open relays and relays with simple
authentication (e.g. username 'user', password 'password') to send spam
through. If they don't succeed quickly they'll just try another server. SMTP
logs on any platform are always full of hack attempts.



Copyright 2003 - 2008 webservertalk.com