Thanks!
Arch
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1035
Date: 08/24/2008
Time: 11:18:07 AM
User: N/A
Computer: NOYDB
Description:
Inbound authentication failed with error LogonDenied for Receive connector
Default NOYDB. The authentication mechanism is Gssapi. The source IP address
of the client who tried to authenticate to Microsoft Exchange is
[68.99.116.190].
"Arch Willingham" <ar...@tuparks.com> wrote in message
news:%23OPWa3f...@TK2MSFTNGP02.phx.gbl...
>In the last 48 hours, I am getting tons of the errors shown below (event log
>of Exchange 2007 server). Any idea why they are just starting?
The IP address is assigned this name in the PTR record:
wsip-68-99-116-190.ks.ok.cox.net
It's probably an "always-on" machine in someone's home that's been
compromised and is now part of a 'bot net.
---
Rich Matheisen
MCSE+I, Exchange MVP
Regards,
Charles
60.242.138.22
68.99.116.190
67.76.203.130
Arch
"Rich Matheisen [MVP]" <rich...@rmcons.com.NOSPAM.COM> wrote in message
news:ov73b4tpuog002dbq...@4ax.com...
Arch
"Charles Derber" <Charle...@discussions.microsoft.com> wrote in message
news:C95E3310-B734-4C5B...@microsoft.com...
>I'm getting them from only a few addresses:
Sure . . . so far. :-)
Assuming your E2K7 server isn't advertising the XEXCH50 keyword in
replies to external EHLO commands, all it means is that there's
someone (or, more likely, something) doing the equivalent of going
from door to door and rattling doorknobs, looking for an open door (or
a weak password). It's nothing new.
>60.242.138.22
mail.rdav.asn.au
>68.99.116.190
wsip-68-99-116-190.ks.ok.cox.net
>67.76.203.130
oh-67-76-203-130.sta.embarqhsd.net
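
Added example, not part of the thread: a Python script that tallies Event ID 1035 failures per source IP from event text exported in the wording quoted above, so repeat offenders stand out. The per-address counts in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the Event ID 1035 description wording quoted in the thread.
FAILURE_RE = re.compile(
    r"Inbound authentication failed with error (?P<error>\w+) "
    r"for Receive connector (?P<connector>.+?)\. "
    r"The authentication mechanism is (?P<mechanism>\w+)\. "
    r"The source IP address of the client who tried to authenticate "
    r"to Microsoft Exchange is \[(?P<ip>[0-9A-Fa-f.:]+)\]"
)

# Constructed sample: the thread's description text, line-wrapped as in an
# exported log. The three addresses are from the thread; counts are made up.
TEMPLATE = (
    "Event ID: 1035\nDescription:\n"
    "Inbound authentication failed with error LogonDenied for Receive connector\n"
    "Default NOYDB. The authentication mechanism is Gssapi. The source IP address\n"
    "of the client who tried to authenticate to Microsoft Exchange is\n"
    "[{ip}].\n"
)
SAMPLE_COUNTS = {"68.99.116.190": 4, "60.242.138.22": 2, "67.76.203.130": 1}
SAMPLE_EXPORT = "".join(
    TEMPLATE.format(ip=ip) * n for ip, n in SAMPLE_COUNTS.items()
)


def parse_failures(text):
    """Return one dict per 1035 failure found in exported event text."""
    flat = " ".join(text.split())  # undo the line wrapping inside descriptions
    return [m.groupdict() for m in FAILURE_RE.finditer(flat)]


def noisy_sources(failures, threshold):
    """Return (ip, count) pairs with at least `threshold` failures, busiest first."""
    counts = Counter(f["ip"] for f in failures)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_EXPORT)
    for ip, n in noisy_sources(failures, threshold=2):
        print(f"{ip}\t{n} failed logons")
```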