RE: event id 13004
Title: Message Yeah, that was the only article I found when searching. We have no clue who or where the IP is coming from. Thats why I wondered if it could be a worm trying to do something or a hacker. Ive never seen this before on my server and no one is having problems with email on my friends server. Not that big of a deal since it doesnt seem to do anything other than fill up the log, but weird nonetheless. -Original Message- From: Don Ely [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 1:56 PM To: MS-Exchange Admin Issues Subject: RE: event id 13004 Have you checked this article out? http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q220905 So you know where that IP is coming from? Remote user? There is nothing to fear but fear itself. -Franklin D. Roosevelt -Original Message- From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 7:01 AM To: MS-Exchange Admin Issues Subject: event id 13004 A friend of mine has the following error on his Exchange 5.5 Server. Is this the work of one of the worms out there or a hacker or neither? Also, is there an easy way to block this IP on the Exchange Server? Event ID: 13004 Source: MSExchange POP3 Logon attempt from 65.104.120.212 has failed: AcceptSecurityContext() call failed with error Access denied. List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: event id 13004
Title: Message Is it a constant connection attempt? Have you tried tracerting to the address to see where it goes? It's basically an authentication failure for someone trying to POP their mail. Could be someone's PDA at home configured to tryconnecting to the server to download their mail. Otherwise, dunno. I would think you would see what account was failing its credentials. I've never seen that specific error on any of my servers. D -Original Message-From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 11:13 AMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 Yeah, that was the only article I found when searching. We have no clue who or where the IP is coming from. That's why I wondered if it could be a worm trying to do something or a hacker. I've never seen this before on my server and no one is having problems with email on my friend's server. Not that big of a deal since it doesn't seem to do anything other than fill up the log, but weird nonetheless. -Original Message-From: Don Ely [mailto:[EMAIL PROTECTED]]Sent: Friday, November 30, 2001 1:56 PMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 Have you checked this article out? http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q220905 So you know where that IP is coming from? Remote user? "There is nothing to fear but fear itself." -Franklin D. Roosevelt -Original Message-From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 7:01 AMTo: MS-Exchange Admin IssuesSubject: event id 13004 A friend of mine has the following error on his Exchange 5.5 Server. Is this the work of one of the worms out there or a hacker or neither? Also, is there an easy way to block this IP on the Exchange Server? Event ID: 13004 Source: MSExchange POP3 Logon attempt from 65.104.120.212 has failed: AcceptSecurityContext() call failed with error Access denied. List Charter and FAQ at:http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at:http://www.sunbelt-software.com/exchange_list_charter.htmList Charter and FAQ at:http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: event id 13004
Title: Message We tracerouted it to some place in Cali by Orange and Santa Ana. It just times out when it gets there. I had my friend log into his account with POP3 and use an incorrect password to see what that error looked likeand it of course gives his login name and says incorrect username or bad password. Because that was what I originally though it was too. It does happen about once every minute as well. Oh well -Original Message- From: Don Ely [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 2:27 PM To: MS-Exchange Admin Issues Subject: RE: event id 13004 Is it a constant connection attempt? Have you tried tracerting to the address to see where it goes? It's basically an authentication failure for someone trying to POP their mail. Could be someone's PDA at home configured to tryconnecting to the server to download their mail. Otherwise, dunno. I would think you would see what account was failing its credentials. I've never seen that specific error on any of my servers. D -Original Message- From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 11:13 AM To: MS-Exchange Admin Issues Subject: RE: event id 13004 Yeah, that was the only article I found when searching. We have no clue who or where the IP is coming from. That's why I wondered if it could be a worm trying to do something or a hacker. I've never seen this before on my server and no one is having problems with email on my friend's server. Not that big of a deal since it doesn't seem to do anything other than fill up the log, but weird nonetheless. -Original Message- From: Don Ely [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 1:56 PM To: MS-Exchange Admin Issues Subject: RE: event id 13004 Have you checked this article out? http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q220905 So you know where that IP is coming from? Remote user? There is nothing to fear but fear itself. -Franklin D. Roosevelt -Original Message- From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 7:01 AM To: MS-Exchange Admin Issues Subject: event id 13004 A friend of mine has the following error on his Exchange 5.5 Server. Is this the work of one of the worms out there or a hacker or neither? Also, is there an easy way to block this IP on the Exchange Server? Event ID: 13004 Source: MSExchange POP3 Logon attempt from 65.104.120.212 has failed: AcceptSecurityContext() call failed with error Access denied. List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
Re: event id 13004
Here's the info on the block of IPs this is in - in case it helps. Perhaps their IP admin can help track down the IP. -- Concentric Network Corporation (NETBLK-CONCENTRIC-BLK6) 1400 Parkmoor Avenue San Jose, CA 95126-3429 US Netname: CONCENTRIC-BLK6 Netblock: 65.104.0.0 - 65.107.255.255 Maintainer: CRC Coordinator: DNS and IP ADMIN (DIA-ORG-ARIN) [EMAIL PROTECTED] (408) 817-2800 Fax- - - (408) 817-2630 Domain System inverse mapping provided by: NAMESERVER1.CONCENTRIC.NET 207.155.183.73 NAMESERVER2.CONCENTRIC.NET 207.155.184.72 NAMESERVER3.CONCENTRIC.NET 206.173.119.72 NAMESERVER.CONCENTRIC.NET 207.155.183.72 ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE Record last updated on 26-Sep-2001. Database last updated on 29-Nov-2001 19:56:47 EDT. Don Ely wrote: Have you checked this article out? http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q220905 So you know where that IP is coming from? Remote user? "There is nothing to fear but fear itself." -Franklin D. Roosevelt -Original Message- From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 7:01 AM To: MS-Exchange Admin Issues Subject: event id 13004 A friend of mine has the following error on his Exchange 5.5 Server. Is this the work of one of the worms out there or a hacker or neither? Also, is there an easy way to block this IP on the Exchange Server? Event ID: 13004 Source: MSExchange POP3 Logon attempt from 65.104.120.212 has failed: AcceptSecurityContext() call failed with error Access denied. List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm "WorldSecure Server safeway.com" made the following annotations on 11/30/01 12:42:12 -- Warning: All e-mail sent to this address will be received by the Safeway corporate e-mail system, and is subject to archival and review by someone other than the recipient. This e-mail may contain information proprietary to Safeway and is intended only for the use of the intended recipient(s). If the reader of this message is not the intended recipient(s), you are notified that you have received this message in error and that any review, dissemination, distribution or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately. ==
RE: event id 13004
Title: Message Was there ever a config to POP mail from an ISP or something to the Exchange server? -Original Message-From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 11:39 AMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 We tracerouted it to some place in Cali by Orange and Santa Ana. It just times out when it gets there. I had my friend log into his account with POP3 and use an incorrect password to see what that error looked like-and it of course gives his login name and says incorrect username or bad password. Because that was what I originally though it was too. It does happen about once every minute as well. Oh well... -Original Message-From: Don Ely [mailto:[EMAIL PROTECTED]]Sent: Friday, November 30, 2001 2:27 PMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 Is it a constant connection attempt? Have you tried tracerting to the address to see where it goes? It's basically an authentication failure for someone trying to POP their mail. Could be someone's PDA at home configured to tryconnecting to the server to download their mail. Otherwise, dunno. I would think you would see what account was failing its credentials. I've never seen that specific error on any of my servers. D -Original Message-From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 11:13 AMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 Yeah, that was the only article I found when searching. We have no clue who or where the IP is coming from. That's why I wondered if it could be a worm trying to do something or a hacker. I've never seen this before on my server and no one is having problems with email on my friend's server. Not that big of a deal since it doesn't seem to do anything other than fill up the log, but weird nonetheless. -Original Message-From: Don Ely [mailto:[EMAIL PROTECTED]]Sent: Friday, November 30, 2001 1:56 PMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 Have you checked this article out? http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q220905 So you know where that IP is coming from? Remote user? "There is nothing to fear but fear itself." -Franklin D. Roosevelt -Original Message-From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 7:01 AMTo: MS-Exchange Admin IssuesSubject: event id 13004 A friend of mine has the following error on his Exchange 5.5 Server. Is this the work of one of the worms out there or a hacker or neither? Also, is there an easy way to block this IP on the Exchange Server? Event ID: 13004 Source: MSExchange POP3 Logon attempt from 65.104.120.212 has failed: AcceptSecurityContext() call failed with error Access denied. List Charter and FAQ at:http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at:http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at:http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at:http://www.sunbelt-software.com/exchange_list_charter.htmList Charter and FAQ at:http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: event id 13004
Title: Message Nope. -Original Message- From: Don Ely [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 2:37 PM To: MS-Exchange Admin Issues Subject: RE: event id 13004 Was there ever a config to POP mail from an ISP or something to the Exchange server? -Original Message- From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 11:39 AM To: MS-Exchange Admin Issues Subject: RE: event id 13004 We tracerouted it to some place in Cali by Orange and Santa Ana. It just times out when it gets there. I had my friend log into his account with POP3 and use an incorrect password to see what that error looked like-and it of course gives his login name and says incorrect username or bad password. Because that was what I originally though it was too. It does happen about once every minute as well. Oh well... -Original Message- From: Don Ely [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 2:27 PM To: MS-Exchange Admin Issues Subject: RE: event id 13004 Is it a constant connection attempt? Have you tried tracerting to the address to see where it goes? It's basically an authentication failure for someone trying to POP their mail. Could be someone's PDA at home configured to tryconnecting to the server to download their mail. Otherwise, dunno. I would think you would see what account was failing its credentials. I've never seen that specific error on any of my servers. D List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: event id 13004
Title: Message Hmmm... that's a wierd one my friend. But Mr. Andrews might have something for you if you really want to track it down. D "When all else fails, read the manual." -Original Message-From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 11:47 AMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 Nope. -Original Message-From: Don Ely [mailto:[EMAIL PROTECTED]]Sent: Friday, November 30, 2001 2:37 PMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 Was there ever a config to POP mail from an ISP or something to the Exchange server? -Original Message-From: Allen Crawford [mailto:[EMAIL PROTECTED]] Sent: Friday, November 30, 2001 11:39 AMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 We tracerouted it to some place in Cali by Orange and Santa Ana. It just times out when it gets there. I had my friend log into his account with POP3 and use an incorrect password to see what that error looked like-and it of course gives his login name and says incorrect username or bad password. Because that was what I originally though it was too. It does happen about once every minute as well. Oh well... -Original Message-From: Don Ely [mailto:[EMAIL PROTECTED]]Sent: Friday, November 30, 2001 2:27 PMTo: MS-Exchange Admin IssuesSubject: RE: event id 13004 Is it a constant connection attempt? Have you tried tracerting to the address to see where it goes? It's basically an authentication failure for someone trying to POP their mail. Could be someone's PDA at home configured to tryconnecting to the server to download their mail. Otherwise, dunno. I would think you would see what account was failing its credentials. I've never seen that specific error on any of my servers. D List Charter and FAQ at:http://www.sunbelt-software.com/exchange_list_charter.htm List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm