This is a multi-part message in MIME format.
------=_NextPart_000_00A3_01C452D2.3DC42110
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
One of my clients has recently been having thousands of event 7002 in =
the applications event log. =20
The text of the event is:
"This is an SMTP protocol warning log for virtual server ID 1, =
connection #13. The remote host "123.123.123.123", responded to the SMTP =
command "rcpt" with "450 xyz@xyzdomain.com: Recipient address rejected: =
Domain not found ". The full command sent was "RCPT =
TO:xyzi@xyzdomain.com ". This may cause the connection to fail. "
These events are repeated hundreds of times - usually with the same =
recipient, but occasionally with others.
On the outgoing email section of the SBS Server Usage Report, one user =
is shown as having a massive amount of outgoing emails. We changed =
passwords on the account, and followed KB 324958's recommendation to =
turn on logging, but can't see any of the Event Id 1708 which would =
indicate that the user's passwords were hacked.
I believe that these 7002 events started after installing the SBS POP3 =
update KB835734. Is it just a sign that the update is doing its job? =
Or some other form of relaying? I can't find anything relevant in =
eventid.net or the ms KB.
Thanks in advance.
------=_NextPart_000_00A3_01C452D2.3DC42110
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV>
<P><FONT face=3DArial size=3D2>One of my clients has recently been =
having thousands=20
of event 7002 in the applications event log. =
</FONT></P>
<P><FONT face=3DArial size=3D2>The text of the event is:</FONT></P>
<P><FONT face=3DArial size=3D2>"This is an SMTP protocol warning log for =
virtual=20
server ID 1, connection #13. The remote host "123.123.123.123", =
responded to the=20
SMTP command "rcpt" with "450 <A=20
href=3D"mailto:xyz@xyzdomain.com">xyz@xyzdomain.com</A>: Recipient =
address=20
rejected: Domain not found ". The full command sent was "RCPT TO:<A=20
href=3D"mailto:xyzi@xyzdomain.">xyzi@xyzdomain.</A>com ". This may cause =
the=20
connection to fail. "</FONT></P>
<P><FONT face=3DArial size=3D2>These events are repeated hundreds of =
times - usually=20
with the same recipient, but occasionally with others.</FONT></P>
<P><FONT face=3DArial size=3D2>On the outgoing email section of the SBS =
Server Usage=20
Report, one user is shown as having a massive amount of outgoing =
emails. =20
We changed passwords on the account, and followed KB 324958's =
recommendation to=20
turn on logging, but can't see any of the Event Id 1708 which would =
indicate=20
that the user's passwords were hacked.</FONT></P><FONT face=3DArial =
size=3D2>
<P><FONT face=3DArial size=3D2>I believe that these 7002 events started =
after=20
installing the SBS POP3 update KB835734. Is it just a sign that =
the update=20
is doing its job? Or some other form of relaying? I can't =
find=20
anything relevant in eventid.net or the ms KB.</FONT></P></FONT>
<P><FONT face=3DArial size=3D2>Thanks in advance.</FONT></P>
<P><FONT face=3DArial size=3D2></FONT> </P>
<P><FONT face=3DArial size=3D2></FONT> </P>
<P><FONT face=3DArial size=3D2></FONT> </P></DIV></BODY></HTML>
------=_NextPart_000_00A3_01C452D2.3DC42110--