Logon Failure from 127.0.0.1 via MSExchangeFrontEndTransport.exe

%3CLINGO-SUB%20id%3D%22%5C%26quot%3Blingo-sub-3152182%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3ELogon%20Failure%20from%20127.0.0.1%20via%20MSExchangeFrontEndTransport.exe%26lt%3B%5C%2Flingo-sub%26gt%3B%3CLINGO-BODY%20id%3D%22%5C%26quot%3Blingo-body-3152182%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CP%3EI%20am%20getting%20a%20lot%20(thousands%20per%20day)%20of%20logon%20failures%20due%20to%20unknown%20username%20or%20bad%20password%20on%20my%20Exchange%20Server.%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3EThe%20failures%20in%20question%20will%20be%20due%20to%20invalid%20account%20names%20as%20the%20accounts%20reporting%20the%20failures%20do%20not%20exist%20on%20my%20network%20(though%20they%20may%20have%20at%20some%20point%20in%20the%20past).%26nbsp%3B%20The%20caller%20process%20is%20SExchangeFrontEndTransport%20and%20the%20source%20IP%20Address%20is%20127.0.0.1.%26nbsp%3B%26nbsp%3BI%20had%20previously%20written%20this%20off%20as%20someone%20trying%20to%20hack%20into%20a%20previously%20valid%20mailbox%2C%20or%20an%20ex%20employee%20who%20still%20has%20a%20device%20attempting%20to%20retrieve%20e-mail.%26nbsp%3B%20However%2C%20I%20decided%20to%20dig%20into%20this%20a%20little%20more%20and%20found%20that%20the%20source%20IP%20address%20is%20127.0.0.1%20and%20now%20I%20am%20concerned.%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3EMy%20Environment%20is%20a%20single%20Exchange%20Server%20running%20in%20Hybrid%20mode.%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3EThe%20Exchange%20Server%20has%20been%20rebuilt%20from%20scratch%20and%20this%20was%20occurring%20before%20and%20after%20the%20server%20was%20rebuilt.%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3EAny%20ideas%20what%20may%20be%20causing%20this%20or%20how%20I%20can%20track%20it%20down%3F%26nbsp%3B%20Is%20it%20likely%20that%20there%20is%20something%20stuck%20in%20my%20AD%20environment%20that%20will%20need%20to%20be%20cleaned%20up%20through%20ADSI%20edit%3F%26lt%3B%5C%2FP%26gt%3B%26lt%3B%5C%2Flingo-body%26gt%3B%3CLINGO-LABS%20id%3D%22%5C%26quot%3Blingo-labs-3152182%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CLINGO-LABEL%3E2016%26lt%3B%5C%2Flingo-label%26gt%3B%3CLINGO-LABEL%3EAdmin%26lt%3B%5C%2Flingo-label%26gt%3B%3CLINGO-LABEL%3EExchange%20Server%26lt%3B%5C%2Flingo-label%26gt%3B%3CLINGO-LABEL%3EHybrid%26lt%3B%5C%2Flingo-label%26gt%3B%26lt%3B%5C%2Flingo-labs%26gt%3B%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3C%2FLINGO-SUB%3E
Contributor

I am getting a lot (thousands per day) of logon failures due to unknown username or bad password on my Exchange Server. 

 

The failures in question will be due to invalid account names as the accounts reporting the failures do not exist on my network (though they may have at some point in the past).  The caller process is SExchangeFrontEndTransport and the source IP Address is 127.0.0.1.  I had previously written this off as someone trying to hack into a previously valid mailbox, or an ex employee who still has a device attempting to retrieve e-mail.  However, I decided to dig into this a little more and found that the source IP address is 127.0.0.1 and now I am concerned.

 

My Environment is a single Exchange Server running in Hybrid mode.

 

The Exchange Server has been rebuilt from scratch and this was occurring before and after the server was rebuilt. 

 

Any ideas what may be causing this or how I can track it down?  Is it likely that there is something stuck in my AD environment that will need to be cleaned up through ADSI edit?

0 Replies