Enable and analyze Exchange SMTP authentication record

xiaoxiao2021-03-06  63

While running Exchange Server we often need to work out whether an account has been attacked or stolen and whether the server is being used as a relay, especially when a large number of unknown messages suddenly appear in the SMTP queues. In that situation you first need to rule out a virus on the system; if the virus scan finds nothing and you have confirmed that the relay is going out through your Exchange Server, you need to check whether an account has been stolen or a password has leaked. Recording the SMTP authentication process helps you do this. This article explains how to enable the Application log so that Exchange Server records every SMTP authentication, whether it succeeds or fails:

1. Enabling the logging function

1. Open Exchange System Manager (EMS).

2. Select "Administrative Groups" -> "First Administrative Group" -> "Servers" -> "ServerName" (your server's name), then right-click it and select Properties.

3. Click the "Diagnostics Logging" tab.

4. In the "Services" column on the left, click "MSExchangeTransport".

5. In the "Categories" column on the right, click "SMTP Protocol".

6. Under "Logging Level" at the bottom, select "Maximum".

7. Click "OK" to close the window and complete the setting, as shown below:

(Figure 1 Exchange 2003 Server setting interface)

(Figure 2 Exchange 2000 Server Settings Interface)

2. How to read these logs:

Once users have to authenticate before sending mail through SMTP, you will see events like the following in the Application log (open it via "Administrative Tools" -> "Event Viewer"):

1. First log case:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 10/15/2004
Time: 8:13:24 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was Login and the username was company/username.

If this log shows the relay coming from an account whose password has been compromised, delete the account in Active Directory Users and Computers, disable it, or change its password.

2. Second log case:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 10/15/2004
Time: 8:27:52 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was Login and the username was company/Guest.

In this log the remote user is using the Guest account. Disable the Guest account in Active Directory Users and Computers; note that it must be disabled, not merely have its password changed. Because I was helping a friend check an Exchange Server remotely today and had to do exactly this, I wrote it up briefly to share. Please refer to it as needed. If you have any questions, please reply at the following address: http://www.5dmail.net/bbs/announce/announce.asp?BoardId=35&id=59102
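Reading Event ID 1708 entries one by one in Event Viewer works for a handful of events, but on a busy server the two patterns described above (an account whose password has leaked, and the Guest account being used) are easier to spot when the events are grouped by account. The following script is an added example, not part of the original article: it parses an exported Application log (constructed sample lines in the same flattened form the article quotes), counts successful SMTP authentications per account, and flags the Guest account and any account that authenticated from an unusually large number of distinct client hosts, which is the usual sign of a stolen password being used for relay. The sample host names and addresses, and the threshold of three clients, are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample: an Application-log export flattened to one event per
# line, in the same shape as the Event ID 1708 entries quoted in the article.
SAMPLE_EVENTS = """\
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 1708 Date: 10/15/2004 Time: 8:13:24 AM User: N/A Computer: SERVER Description: SMTP Authentication was performed successfully with client pc-alice.corp.example. The authentication method was LOGIN and the username was company/alice.
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 1708 Date: 10/15/2004 Time: 8:27:52 AM User: N/A Computer: SERVER Description: SMTP Authentication was performed successfully with client 198.51.100.7. The authentication method was LOGIN and the username was company/guest.
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 1708 Date: 10/15/2004 Time: 8:30:01 AM User: N/A Computer: SERVER Description: SMTP Authentication was performed successfully with client 203.0.113.10. The authentication method was LOGIN and the username was company/bob.
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 1708 Date: 10/15/2004 Time: 8:30:05 AM User: N/A Computer: SERVER Description: SMTP Authentication was performed successfully with client 203.0.113.11. The authentication method was LOGIN and the username was company/bob.
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 1708 Date: 10/15/2004 Time: 8:30:09 AM User: N/A Computer: SERVER Description: SMTP Authentication was performed successfully with client 203.0.113.12. The authentication method was LOGIN and the username was company/bob.
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 1708 Date: 10/15/2004 Time: 8:30:14 AM User: N/A Computer: SERVER Description: SMTP Authentication was performed successfully with client 203.0.113.13. The authentication method was LOGIN and the username was company/bob.
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 1000 Date: 10/15/2004 Time: 8:31:00 AM User: N/A Computer: SERVER Description: Unrelated transport event.
Event Type: Information Event Source: MSExchangeTransport Event Category: SMTP Protocol Event ID: 1708 Date: 10/15/2004 Time: 9:02:41 AM User: N/A Computer: SERVER Description: SMTP Authentication was performed successfully with client pc-alice.corp.example. The authentication method was LOGIN and the username was company/alice.
"""

# Pulls the fields we care about out of one flattened event line. Case is
# ignored because exported text often changes the casing of "LOGIN".
EVENT_RE = re.compile(
    r"Event ID:\s*(?P<id>\d+).*?"
    r"Date:\s*(?P<date>\S+)\s+Time:\s*(?P<time>[\d:]+\s*[AP]M).*?"
    r"with client\s+(?P<client>\S+?)\.\s+"
    r"The authentication method was\s+(?P<method>\S+)\s+"
    r"and the username was\s+(?P<user>\S+?)\.?\s*$",
    re.IGNORECASE,
)


def parse_event(line):
    """Return the fields of one Event ID 1708 line, or None for any other event."""
    m = EVENT_RE.search(line)
    if not m or m.group("id") != "1708":
        return None
    ev = m.groupdict()
    ev["user"] = ev["user"].lower()      # AD account names are case-insensitive
    ev["client"] = ev["client"].lower()
    return ev


def summarize(text):
    """Group successful SMTP authentications by account: count and distinct clients."""
    summary = defaultdict(lambda: {"count": 0, "clients": set()})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev:
            summary[ev["user"]]["count"] += 1
            summary[ev["user"]]["clients"].add(ev["client"])
    return dict(summary)


def flag_suspicious(summary, max_clients=3):
    """Return (account, reason) pairs that deserve a closer look.

    Two rules from the article: the Guest account should never authenticate to
    SMTP, and one account authenticating from many different hosts is the
    typical footprint of a leaked password being used for relay. The
    max_clients threshold is an assumed value; tune it to your environment.
    """
    findings = []
    for user, info in sorted(summary.items()):
        account = user.rsplit("/", 1)[-1]
        if account == "guest":
            findings.append((user, "guest account used for SMTP authentication"))
        if len(info["clients"]) > max_clients:
            findings.append((user, f"authenticated from {len(info['clients'])} distinct clients"))
    return findings


if __name__ == "__main__":
    totals = summarize(SAMPLE_EVENTS)
    for user, info in sorted(totals.items()):
        print(f"{user}: {info['count']} logins from {sorted(info['clients'])}")
    for user, reason in flag_suspicious(totals):
        print(f"CHECK {user}: {reason}")
```

On a real server, replace SAMPLE_EVENTS with the text of an Application log export filtered to source MSExchangeTransport; any flagged account is a candidate for the disable-or-reset steps described above, and the Guest finding should always be treated as a disable, never just a password change.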

Please credit the original source when reposting: https://www.9cbs.com/read-85278.html
