Enable and analyze Exchange SMTP authentication records
Source: Internet
Author: User
While running an Exchange server you often need to determine whether there are attacks, stolen accounts, or relaying, especially when a large number of unknown messages appear in the SMTP queue; in that case you need to check whether the system is infected with a virus or is being used as a relay. Once you have confirmed that relaying is not enabled on the Exchange server, you need to check whether an account has been stolen or a password has been leaked. Recording the SMTP authentication process helps with this. This article describes how to enable application logging that records every attempt to authenticate to the Exchange Server SMTP service (whether successful or failed) and how to read these logs.

I. Enabling the logging

1. Open Exchange System Manager (ESM).
2. Expand "Administrative Groups" -> "First Administrative Group" -> "Servers" -> "servername" (the name of your Exchange server), right-click it and select Properties.
3. Click the "Diagnostics Logging" tab.
4. In the "Services" column on the left, click "MSExchangeTransport".
5. In the "Categories" column on the right, click "SMTP Protocol".
6. In "Logging level" at the bottom, select "Maximum" (the highest level).
7. Click OK to complete the settings.

(Figure 1: settings dialog on Exchange 2003 Server)
(Figure 2: settings dialog on Exchange 2000 Server)

II. How to read these logs

When a user authenticates before sending mail over an SMTP connection, the Application log (viewable through "Administrative Tools" -> "Event Viewer") records events similar to the following:

1. First log example:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 10/15/2004
Time: 8:13:24 AM
User: N/A
Computer: Server
Description: SMTP authentication was completed successfully with client Remote_computername. The authentication method was LOGIN and the username was Company/Username.

If this log shows that the relaying is coming from an account whose password has been compromised, go to Active Directory Users and Computers and delete the account, disable it, or change its password.

2. Second log example:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 10/15/2004
Time: 8:27:52 AM
User: N/A
Computer: Server
Description: SMTP authentication was completed successfully with client Remote_computername. The authentication method was LOGIN and the username was Company/Guest.

In this log the remote user is authenticating with the Guest account. Use Active Directory Users and Computers to disable the Guest account. Note that the account must be disabled, not merely have its password changed.

Today I was helping a friend remotely check an Exchange Server and needed this procedure, so I wrote it up and am sharing it. Please correct me if anything is wrong. If you have any questions, please reply at the following address:
http://www.5dmail.net/bbs/Announce/announce.asp?Boardid=35&id=59102
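As an added example (not part of the original article), the following Python script parses Event ID 1708 descriptions of the shape shown above, for instance exported from Event Viewer to a text file, counts successful SMTP logons per account, and flags the two situations the article tells you to act on: the Guest account authenticating, and one account authenticating from many different clients (a sign of a leaked password). The sample event text, client addresses, account names and the client-count threshold are all constructed for this demonstration.

```python
import re
from collections import Counter, defaultdict

# Shape of the Event ID 1708 description quoted in the article above.
AUTH_RE = re.compile(
    r"SMTP authentication was completed successfully with client (?P<client>\S+)\.\s*"
    r"The authentication method was (?P<method>\w+) and the username was (?P<user>\S+?)\.?\s*$"
)

# Constructed sample descriptions for this demonstration, not real captured events.
SAMPLE_EVENTS = [
    "SMTP authentication was completed successfully with client 203.0.113.5. The authentication method was LOGIN and the username was COMPANY/alice.",
    "SMTP authentication was completed successfully with client 203.0.113.5. The authentication method was LOGIN and the username was COMPANY/alice.",
    "SMTP authentication was completed successfully with client 198.51.100.7. The authentication method was LOGIN and the username was COMPANY/guest.",
    "SMTP authentication was completed successfully with client 198.51.100.8. The authentication method was LOGIN and the username was COMPANY/bob.",
    "SMTP authentication was completed successfully with client 198.51.100.9. The authentication method was LOGIN and the username was COMPANY/bob.",
    "SMTP authentication was completed successfully with client 192.0.2.44. The authentication method was LOGIN and the username was COMPANY/bob.",
    "Unrelated MSExchangeTransport event text that the parser must ignore.",
]

def parse_event(description):
    """Return (client, method, user) for a 1708 description, or None if it is not one."""
    m = AUTH_RE.search(description)
    if m is None:
        return None
    return m.group("client"), m.group("method"), m.group("user")

def analyze(descriptions, max_clients=3):
    """Count successful SMTP logons per account and flag the two patterns the
    article acts on: the Guest account, and one account used from many clients."""
    logons = Counter()
    clients = defaultdict(set)
    for description in descriptions:
        parsed = parse_event(description)
        if parsed is None:
            continue
        client, _method, user = parsed
        logons[user] += 1
        clients[user].add(client)
    findings = {}
    for user, hosts in clients.items():
        reasons = []
        if user.rsplit("/", 1)[-1].lower() == "guest":
            reasons.append("Guest account authenticated: disable the account")
        if len(hosts) >= max_clients:
            reasons.append(f"used from {len(hosts)} clients: possible leaked password")
        if reasons:
            findings[user] = reasons
    return {"logons": dict(logons), "findings": findings}
```

Running `analyze(SAMPLE_EVENTS)` on the constructed events flags COMPANY/guest and COMPANY/bob (three distinct clients) and leaves COMPANY/alice alone; adjust `max_clients` to what is normal for your users.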