Nope. You'll probably have to correlate the 1708 events with the smtp events by timestamp.
________________________________
From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 12:33 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

OK, under ExchangeTransport, I enabled SMTP logging and set it to maximum. Will the affected host show up with a 1708 EventId like the username showed up in?

Thanks again...
________________________________
From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Wednesday, July 29, 2009 1:26 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

+1. My bet is that you have an internal machine that's been infected/pwned and it's spewing spam as fast as it can via an authentication to your internal Exchange server.

Shook

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Wednesday, July 29, 2009 1:23 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

I'd turn on protocol logging. I'm betting it's coming from another machine, and it's messing with you by reporting its hostname as being [127.0.0.1].
________________________________
From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 12:16 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

It is very strange that it is only for one particular user. They are the only one authenticating in the event log.
________________________________
From: Leedy, Andy [mailto:ale...@butlerahs.com]
Sent: Wednesday, July 29, 2009 12:24 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

Sounds like some process on your Exchange server is sending mail, as 127.0.0.1 is localhost. That is, that machine. I would check the task manager to see what processes are running.

From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 11:57 AM
To: MS-Exchange Admin Issues
Subject: Quick Event Question

We are running Exchange 2003 on Windows Server 2003. We are fully patched etc.
We are starting to get a slow-growing amount of outbound SPAM trying to be sent out of our Exchange server and we are looking to stop it before it gets ugly. We are a verified closed relay host, but I am noticing a weird event for a specific user in the event log. It is EventId 1708 and the Source is MSExchange Transport. The text is:

SMTP Authentication was performed successfully with client "[127.0.0.1]". The authentication method was "NTLM" and the username was "xxxxxxx"

I didn't know if the 127.0.0.1 was an issue? Never saw it before.

Thanks!!!
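The timestamp correlation suggested in the top reply, as an added example that is not part of the thread or any poster's message: it matches each EventId 1708 record against SMTP protocol-log rows and reports the `c-ip` address the server actually saw, regardless of the name the client claimed. The sample events, log rows, addresses, the selected log fields and the matching window are all constructed assumptions, as is the premise that event-log times were first converted to the protocol log's time zone.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Assumes the 1708 event times
# were converted to the same time zone as the protocol log before comparing.
EVENTS_1708 = [("2009-07-29 16:20:05", "xxxxxxx"), ("2009-07-29 16:21:40", "xxxxxxx")]
# W3C extended format; which fields are enabled is an assumption of this example.
SMTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2009-07-29 16:20:04 10.0.0.57 EHLO +[127.0.0.1] 250
2009-07-29 16:20:06 10.0.0.57 MAIL +FROM:<a@example.org> 250
2009-07-29 16:20:30 10.0.0.12 EHLO +mail.example.org 250
2009-07-29 16:21:39 10.0.0.57 EHLO +[127.0.0.1] 250
2009-07-29 16:21:41 10.0.0.57 MAIL +FROM:<b@example.org> 250
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], FMT)
            rows.append(row)
    return rows

def correlate(events, rows, window_s=2):
    """For each 1708 event, collect c-ip values logged within +/- window_s."""
    window = timedelta(seconds=window_s)
    hits = []
    for when, user in events:
        t = datetime.strptime(when, FMT)
        ips = sorted({r["c-ip"] for r in rows if abs(r["ts"] - t) <= window})
        hits.append((when, user, ips))
    return hits

def rank_sources(hits):
    """Count how often each source address coincides with an auth event."""
    return Counter(ip for _, _, ips in hits for ip in ips).most_common()

if __name__ == "__main__":
    hits = correlate(EVENTS_1708, parse_w3c(SMTP_LOG))
    for when, user, ips in hits:
        print(when, user, "->", ", ".join(ips) or "no SMTP session in window")
    print(rank_sources(hits))
```

A wider window tolerates clock skew between the two logs but pulls in unrelated sessions, so the ranking across many events is more reliable than any single match.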