Continuous EHLO and QUIT commands on SMTP log


    Omni

    Recently on our Exchange Server 2003 the SMTP log file size keeps increasing, and we found that there are continuous login attempts to the server.
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 15 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13797 76 10 7062 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13797 76 10 7062 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13719 76 10 6985 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13750 76 10 7000 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13796 76 10 7062 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 15 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP

    When we checked the security logs, there were numerous Failure Audit entries with event ID 529, with a description like the one below:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: melany
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: OPS-D01
    Caller User Name: OPS-D01$

    Is there any way to track where this traffic originates from?

    Thanks in advance,
    Irene
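
One way to approach the question from the SMTP log itself, as an added example that is not part of the original post: it reads column names from the log's `#Fields:` header, groups rows by client IP and announced name, and reports each source's total and peak commands per second. The header line, the `192.168.2.50` / `WS-EXAMPLE` client, the cut-off rows and the burst threshold are constructed; reading `c-ip` as the connecting client and `cs-username` as the name it announced is an assumption about the column layout, which the post does not show.

```python
from collections import Counter, defaultdict

# Constructed sample. The #Fields header is an assumed column layout; rows reuse
# values quoted in the post, plus a constructed second client and cut-off rows.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username s-computername s-ip cs-method sc-status cs-version
2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE OPS-D01 192.168.2.208 EHLO 250 SMTP
2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE OPS-D01 192.168.2.208 EHLO 250 SMTP
2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE OPS-D01 192.168.2.208 QUIT 240 SMTP
2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE OPS-D01 192.168.2.208 QUIT 240 SMTP
2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE OPS-D01 192.168.2.208 EHLO 250 SMTP
2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE OPS-D01 192.168.2.208 EHLO
2013-05-26 18:33:56 192.168.2.50 WS-EXAMPLE OPS-D01 192.168.2.208 EHLO 250 SMTP
2013-05-26 18:33:57 192.168.2.50
"""

NEEDED = ("date", "time", "c-ip", "cs-username", "cs-method")

def parse_w3c(text):
    """Yield one dict per data row, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            # A row cut off mid-line is kept only if it still has the columns we use.
            if all(name in row for name in NEEDED):
                yield row

def summarize_sources(rows, burst_per_second=3):
    """Per (client IP, announced name): total commands, peak per second, burst flag."""
    totals = Counter()
    per_second = defaultdict(Counter)
    for row in rows:
        source = (row["c-ip"], row["cs-username"])
        totals[source] += 1
        per_second[source][row["date"] + " " + row["time"]] += 1
    report = {}
    for source, total in totals.items():
        peak = max(per_second[source].values())
        report[source] = {"total": total, "peak_per_second": peak,
                          "burst": peak >= burst_per_second}
    return report

if __name__ == "__main__":
    for (ip, name), stats in summarize_sources(parse_w3c(SAMPLE_LOG)).items():
        print(ip, name, stats)
```

Against a real log file the column mapping comes from that file's own `#Fields:` line, so the assumed header above is not needed.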
