
Many new errors saying "Inbound authentication failed with error LogonDenied for Receive connector"


Arch Willingham

Aug 24, 2008, 11:26:58 AM
In the last 48 hours, I am getting tons of the errors shown below (event log
of Exchange 2007 server). Any idea why they are just starting?

Thanks!

Arch

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1035
Date: 08/24/2008
Time: 11:18:07 AM
User: N/A
Computer: NOYDB
Description:
Inbound authentication failed with error LogonDenied for Receive connector
Default NOYDB. The authentication mechanism is Gssapi. The source IP address
of the client who tried to authenticate to Microsoft Exchange is
[68.99.116.190].

Ed Crowley [MVP]

Aug 24, 2008, 12:23:19 PM
Do you recognize that address or is it out on the Internet? It looks like
someone is trying to hack your SMTP service to use for sending spam. But
that's just a guess.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

"Arch Willingham" <ar...@tuparks.com> wrote in message
news:%23OPWa3f...@TK2MSFTNGP02.phx.gbl...

Rich Matheisen [MVP]

Aug 24, 2008, 1:55:43 PM
On Sun, 24 Aug 2008 11:26:58 -0400, "Arch Willingham"
<ar...@tuparks.com> wrote:

>In the last 48 hours, I am getting tons of the errors shown below (event log
>of Exchange 2007 server). Any idea why they are just starting?

The IP address is assigned this name in the PTR record:
wsip-68-99-116-190.ks.ok.cox.net

It's probably an "always-on" machine in someone's home that's been
compromised and is now part of a 'bot net.
---
Rich Matheisen
MCSE+I, Exchange MVP

Charles Derber

Aug 24, 2008, 6:32:01 PM

Please check this link for this issue. I hope it solves it.
http://www.eggheadcafe.com/software/aspnet/30547218/event-id--1035-showing-u.aspx

Regards,
Charles

Arch Willingham

Aug 24, 2008, 9:53:18 PM
I'm getting them from only a few addresses:

60.242.138.22
68.99.116.190
67.76.203.130


Arch


"Rich Matheisen [MVP]" <rich...@rmcons.com.NOSPAM.COM> wrote in message
news:ov73b4tpuog002dbq...@4ax.com...

Arch Willingham

Aug 24, 2008, 9:54:08 PM
I saw that but why would I need to change all that when it's been working
fine for a year?

Arch
"Charles Derber" <Charle...@discussions.microsoft.com> wrote in message
news:C95E3310-B734-4C5B...@microsoft.com...

Rich Matheisen [MVP]

Aug 24, 2008, 10:15:35 PM
On Sun, 24 Aug 2008 21:53:18 -0400, "Arch Willingham"
<ar...@tuparks.com> wrote:

>I'm getting them from only a few addresses:

Sure . . . so far. :-)

Assuming your E2K7 server isn't advertising the XEXCH50 keyword in
replies to external EHLO commands, all it means is that there's
someone (or, more likely, something) doing the equivalent of going
from door to door and rattling doorknobs, looking for an open door (or
a weak password). It's nothing new.


>60.242.138.22
mail.rdav.asn.au

>68.99.116.190
wsip-68-99-116-190.ks.ok.cox.net

>67.76.203.130
oh-67-76-203-130.sta.embarqhsd.net
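
An added example, not part of the original thread: one way to tally exported Event ID 1035 warnings per source address, so that a handful of persistent sources can be told apart from a growing set. The 10-minute window, the threshold of 5, and the sample events (documentation-range addresses) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the Event ID 1035 description quoted in the thread. The event
# viewer wraps the text, so whitespace is collapsed before matching.
EVENT_1035 = re.compile(
    r"Inbound authentication failed with error (?P<error>\w+) for Receive "
    r"connector (?P<connector>.+?)\. The authentication mechanism is "
    r"(?P<mech>\w+)\. .*?\[(?P<ip>[0-9A-Fa-f:.]+)\]")

def parse_event(timestamp, description):
    """Return (when, source_ip, connector, mechanism), or None for other events."""
    m = EVENT_1035.search(" ".join(description.split()))
    if m is None:
        return None
    when = datetime.strptime(timestamp, "%m/%d/%Y %I:%M:%S %p")
    return when, m["ip"], m["connector"], m["mech"]

def summarize(events, window=timedelta(minutes=10), threshold=5):
    """Per source IP: total failures, first/last seen, densest burst in `window`."""
    by_ip = defaultdict(list)
    for timestamp, description in events:
        parsed = parse_event(timestamp, description)
        if parsed:
            by_ip[parsed[1]].append(parsed[0])
    report = {}
    for ip, times in by_ip.items():
        times.sort()
        burst = start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        report[ip] = {"count": len(times), "first": times[0], "last": times[-1],
                      "max_burst": burst, "flagged": burst >= threshold}
    return report

# Constructed sample events (documentation-range addresses, not from the thread).
TEXT = ("Inbound authentication failed with error LogonDenied for Receive connector\n"
        "Default NOYDB. The authentication mechanism is Gssapi. The source IP address\n"
        "of the client who tried to authenticate to Microsoft Exchange is\n[{ip}].")
SAMPLE = [(f"08/24/2008 11:18:{s:02d} AM", TEXT.format(ip="192.0.2.10")) for s in range(0, 60, 10)]
SAMPLE += [("08/24/2008 09:00:00 AM", TEXT.format(ip="198.51.100.7")),
           ("08/24/2008 09:45:00 PM", TEXT.format(ip="198.51.100.7")),
           ("08/24/2008 10:00:00 AM", "Unrelated transport warning text")]

if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE).items()):
        print(ip, row["count"], row["max_burst"], "FLAG" if row["flagged"] else "")
```
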
