Continuous EHLO and QUIT commands on SMTP log

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Continuous EHLO and QUIT commands on SMTP log

    Recently on our Exchange Server 2003 the SMTP log file size keeps increasing, and I found that there are continuous login attempts to the server.
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 15 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13797 76 10 7062 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13797 76 10 7062 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13719 76 10 6985 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13750 76 10 7000 SMTP - - - -
    2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13796 76 10 7062 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 15 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -
    2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP

    When I checked the security logs there were numerous Failure Audit entries with event ID 529,
    with a description like the one below:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: melany
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: OPS-D01
    Caller User Name: OPS-D01$

    Is there any way to track where this traffic originates from?

    Thanks in advance,
    Irene

  • #2
    Re: Continuous EHLO and QUIT commands on SMTP log

    The information you're looking for is in your log entry:

    192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208

    One of these is the server ip address and one of these is the client ip address (the address that the connection is coming from).



    • #3
      Re: Continuous EHLO and QUIT commands on SMTP log

      Thanks for looking into this issue.

      But of these:
      192.168.2.188 is the firewall IP

      OPS-D01 is the server name
      192.168.2.208 is the server IP

      I don't know where FS2-Exchange comes from.

      Most of the time they are in the same format, like:
      2013-05-26 03:32:08 192.168.2.188 TS-SERVER SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +TS-SERVER 250 0 0 14 0 SMTP - - - -
      2013-05-26 03:32:10 192.168.2.188 TS-SERVER SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - TS-SERVER 240 13281 76 10 6640 SMTP - - - -

      The log file is full of these EHLO and QUIT messages.



      • #4
        Re: Continuous EHLO and QUIT commands on SMTP log

        Any suggestions/guidance please?

        My knowledge of Exchange Server is limited. I am not able to figure out the cause behind this suspicious activity, and am worried the server will be blacklisted again.

        We use FortiGate as our firewall.

        I'd appreciate any help.



        • #5
          Re: Continuous EHLO and QUIT commands on SMTP log

          Absolutely LOUSY QoS here today -- I mean, no reply in just over 3 hours. You really must ask for a refund on your joining fee. Oh, I forgot, there isn't a joining fee...

          All members give up their free time to help out if they can, but have real lives to lead also, so please do not expect instant responses to questions.

          If you require a quicker response, I suggest you contact Microsoft Product $upport $ervices, who have team$ of engineer$ just itching to help you out. Of course, there i$ one major difference between their $upport and here....
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: Continuous EHLO and QUIT commands on SMTP log

            Sorry for being in such a hurry.
            As mentioned, I'm still learning basic system admin tasks. I found this site a great resource of information and have learnt so much from it.
            A big thank you to all contributors!!



            • #7
              Re: Continuous EHLO and QUIT commands on SMTP log

              If one is your firewall then start logging attempts on port 25 from there.

              Is your Exchange server an open relay?

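              As an added example (not part of this thread and not anything the posters ran), the script below does what #2 and #7 together suggest: it reads Exchange 2003 / IIS 6 SMTPSVC log lines, counts commands per client IP, and marks any client IP that is really a NAT device, because for those the SMTP log cannot name the true origin and the firewall's own port 25 logs are the only place it shows. It assumes the default W3C extended field order for the SMTP service, under which the third column is c-ip (the connecting address), the seventh is s-ip (your server) and the "+FS2-EXCHANGE" column is the name the client announced in its EHLO rather than a server of yours; the quoted lines have the same 21 columns, so the assumption fits. The sample log, the second client 192.168.2.50 and the deliberately truncated last line are constructed for the example.

```python
"""Summarise Exchange 2003 / IIS 6 SMTPSVC W3C log lines per client IP.

Added example for the thread; assumes the default SMTPSVC W3C field order.
"""
from collections import Counter, defaultdict

# Default IIS W3C extended field order for the SMTP service (assumption).
FIELDS = [
    "date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
    "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
    "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken", "cs-version",
    "cs-host", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)",
]
MIN_FIELDS = FIELDS.index("cs-method") + 1   # need at least date .. cs-method

# Constructed sample modelled on the thread's lines: 192.168.2.188 is the
# poster's firewall; 192.168.2.50 and the truncated last line are made up.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: " + " ".join(FIELDS),
    "2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -",
    "2013-05-26 18:33:54 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13797 76 10 7062 SMTP - - - -",
    "2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP - - - -",
    "2013-05-26 18:33:55 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - FS2-EXCHANGE 240 13750 76 10 7000 SMTP - - - -",
    "2013-05-26 18:34:01 192.168.2.50 mail.example.test SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +mail.example.test 250 0 0 23 0 SMTP - - - -",
    "2013-05-26 18:34:01 192.168.2.50 mail.example.test SMTPSVC1 OPS-D01 192.168.2.208 0 MAIL - +FROM:<user@example.test> 250 0 0 30 0 SMTP - - - -",
    "2013-05-26 18:34:02 192.168.2.50 mail.example.test SMTPSVC1 OPS-D01 192.168.2.208 0 QUIT - mail.example.test 240 1203 76 10 15 SMTP - - - -",
    # truncated record, as the last line quoted in the thread is
    "2013-05-26 18:33:56 192.168.2.188 FS2-EXCHANGE SMTPSVC1 OPS-D01 192.168.2.208 0 EHLO - +FS2-EXCHANGE 250 0 0 17 0 SMTP",
])


def parse_line(line):
    """Return a field dict for one W3C line, or None for comments/blank/short lines.

    Truncated lines are padded with '-' so a half-written record still counts
    toward its client IP instead of being silently dropped.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < MIN_FIELDS:
        return None
    parts = parts[:len(FIELDS)] + ["-"] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))


def summarize(log_text, nat_addresses=frozenset()):
    """Per client IP: command counts, announced EHLO names, and two flags."""
    methods = defaultdict(Counter)
    ehlo_names = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["c-ip"]
        methods[ip][rec["cs-method"]] += 1
        if rec["cs-method"] == "EHLO":
            # cs-uri-query carries the client's announced name with a '+' prefix
            ehlo_names[ip][rec["cs-uri-query"].lstrip("+")] += 1
    report = {}
    for ip, counts in methods.items():
        report[ip] = {
            "methods": dict(counts),
            "ehlo_names": dict(ehlo_names[ip]),
            # greet-and-leave sessions with no MAIL FROM are not mail delivery;
            # they fit the probing / failed-AUTH pattern described in the thread
            "no_mail_from": counts["EHLO"] > 0 and counts["MAIL"] == 0,
            # c-ip is a NAT/firewall address: only its own logs know the origin
            "behind_nat": ip in nat_addresses,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG, nat_addresses={"192.168.2.188"}).items():
        print(ip, info)
```

              Run against the real log with the firewall's inside address in nat_addresses; every client marked behind_nat with no_mail_from set is a session whose real source has to be read from the firewall's port 25 connection log, which is the next step #7 proposes.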
