Failed Logins - Event ID 4625 - Possible brute force attack?
Hi Matthew, As this issue is related to Exchange Server, for a quick and accurate response to the question, I suggest you also ask in the Exchange Server forum. The support professionals there are more familiar with it and can help you in a more efficient way. Exchange Server forum: http://social.technet.microsoft.com/Forums/en/category/exchangeserver/ Regards, Bruce
March 5th, 2012 11:58am

You need an IDS/IPS system to secure your Exchange.
April 7th, 2012 7:18am

Hi everyone, and thanks for any response in advance! We are getting one of these failed logon attempts every 15 seconds on the server. We are running Windows Server 2008 and Exchange 2007. The usernames vary: "candy", "admin", "administrator", "alex", "scanner", etc. It goes on and on. It says the source is not one from the network (no IP and port info), but what appears to be a local process, edgetransport.exe. Not even sure if it's a legit process, as I have failed to find any info on it. It is in the Exchange folder. Please see the error info below:
------------------------------------------------------------------------------------------------------------
An account failed to log on.

Subject:
	Security ID:		NETWORK SERVICE
	Account Name:		<<our server name>>$
	Account Domain:		<<Our Local Domain Name>>
	Logon ID:		0x3e4

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		power
	Account Domain:		

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc0000064

Process Information:
	Caller Process ID:	0x2358
	Caller Process Name:	C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe

Network Information:
	Workstation Name:	<<Our server name>>
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Advapi
	Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0
------------------------------------------------------------------------------------------------------------
April 7th, 2012 10:12am

Right, there are other ones like "Iloveyou" and "123456", etc. Windows Server is patched to SP2, and the Exchange 2007 version is 08.02.0176.002, if that helps. Honestly, this company recently hired me, and I have never worked with Exchange before. What does the Edge Transport server do exactly? And yes, it is running from that folder.
April 7th, 2012 12:11pm

Every 15 seconds, all day, every day for the past three days. I can't seem to pinpoint where the traffic is coming from. All it says in the event is a local process. I know we use OWA, so perhaps they are trying to log in to our mail server? If so, what type of traffic should I be looking for? Thanks, guys, for your help and advice!
April 7th, 2012 12:13pm

And thank you so much for posting.
April 7th, 2012 12:13pm

Any ideas? Anyone? Am I on the right forum? I am somewhat afraid this is a ticking time-bomb.
April 7th, 2012 12:17pm

Am I right in concluding that those user names do not belong to any of your users? What is the service pack on your Windows server and for Exchange? And most importantly, are you running an Edge Transport server? Otherwise, edgetransport.exe can be found on both Edge and Hub Transport servers. It is located in the C:\Program Files\Microsoft\Exchange Server\bin folder. I'm not sure why it is causing these errors for you, though. Please mark as helpful if you find my contribution useful, or as an answer if it does answer your question. That will encourage me, and others, to take time out to help you.
April 7th, 2012 1:43pm

How many events are you tracking a day, and is it at a specific time? Try running a packet capture to get more information on the originating IP address. It looks like a script kiddie trying to run a dictionary attack, maybe in conjunction with a brute force. If you have an IPSec policy enabled, you can block incoming traffic whose network packet headers are modified, which in your case may be the issue. Mostly these kinds of attacks are not successful (if you have not left any security settings at default); it can only cause panic for some time.
April 7th, 2012 3:28pm
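The reply above asks how many failures arrive per day and at what time; the original poster's event shows a blank Source Network Address because the caller is the local EdgeTransport.exe process, so the security log alone cannot name the remote host. The following PowerShell script is an added example and is not code posted by anyone in this thread. It tallies Event ID 4625 entries from the local Security log by target account, by hour and by sub-status (0xC0000064 is "user does not exist", 0xC000006A is "wrong password for an existing account"), filtered to the EdgeTransport.exe caller seen in the post, and then, as an assumption, looks for client AUTH commands in the receive connector SMTP protocol log at its default Exchange 2007 path, which only exists if protocol logging is enabled on the connector. The parameter names, the default lookback window of 24 hours and the protocol log path are assumptions, not values from the thread. It needs PowerShell 2.0 (shipped with Server 2008) and an elevated prompt to read the Security log.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 on the Exchange
# server and an elevated session so the Security log is readable.
param(
    [int]$Hours = 24,                          # assumed lookback window
    [string]$CallerProcess = 'EdgeTransport.exe', # caller seen in the poster's 4625 event
    # assumed default Exchange 2007 receive connector protocol log location
    [string]$ProtocolLog = 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive'
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML so we can filter on them.
$rows = @(foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['ProcessName'] -notlike "*\$CallerProcess") { continue }   # keep only the Exchange caller
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Account   = $d['TargetUserName']
        LogonType = $d['LogonType']
        Status    = $d['Status']
        SubStatus = $d['SubStatus']
        SourceIP  = $d['IpAddress']      # "-" for a local caller, as in the post
        Process   = $d['ProcessName']
    }
})

"{0} failed logons from {1} in the last {2} hours" -f $rows.Count, $CallerProcess, $Hours

# A long tail of generic names (admin, scanner, candy ...) is the signature of a wordlist.
"`n-- Top attempted account names --"
$rows | Group-Object Account | Sort-Object Count -Descending | Select-Object -First 20 Count, Name | Format-Table -AutoSize

# A flat, clock-like rate (one every ~15 s, all hours) means a script, not a person at a keyboard.
"`n-- Attempts per hour --"
$rows | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } | Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# 0xC0000064 = no such user; 0xC000006A = real account, wrong password. The second is the one
# to worry about, because it shows the guesser has found valid names.
"`n-- Sub-status breakdown --"
$rows | Group-Object SubStatus | Select-Object Name, Count | Format-Table -AutoSize

# The 4625 event carries no client IP when the caller is a local process, so attribution has
# to come from the SMTP receive protocol log (assumed path; only written if logging is enabled).
# Log lines are CSV with the header below; event '<' is a command received from the client.
if (Test-Path $ProtocolLog) {
    $header = 'date-time','connector-id','session-id','sequence-number','local-endpoint',
              'remote-endpoint','event','data','context'
    "`n-- Remote hosts sending AUTH to the receive connectors --"
    Get-ChildItem $ProtocolLog -Filter '*.log' | Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object { Get-Content $_.FullName | Where-Object { $_ -notmatch '^#' } | ConvertFrom-Csv -Header $header } |
        Where-Object { $_.event -eq '<' -and $_.data -like 'AUTH*' } |
        ForEach-Object { ($_.'remote-endpoint' -split ':')[0] } |
        Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize
} else {
    "`nProtocol log folder not found at $ProtocolLog; enable protocol logging on the receive connector to capture client IPs."
}
```

Run it as `.\Tally-4625.ps1 -Hours 72` (the file name is whatever you save it as) to cover the three days the poster mentions. If the sub-status table starts showing 0xC000006A against real mailbox accounts, the guessing has moved from names to passwords and the hosts listed from the protocol log are the ones to block at the firewall or receive connector.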


