Some time this morning I began getting a TON of security and logon events on our Exchange server. (Server 2003 SP1 with Exchange 2003).
The events are as follows:
In the System event log every second I get an Event 100 warning "The server was unable to logon the Windows NT account 'name'..."
For the last 10 hours these have been generated with the name changing every so often from dave, to martin, to john, to karl, etc.
At the same time I am getting tons of Failure Audits in the Security event log. I get events 529 and 680. The 529 states it was an unknown user name or password trying to access this Exchange server through IIS. The 680 errors give a similar error with the source being Microsoft_Authentication_Package.
I have checked eventid.net and the one solution I have tried is that I verified in our IIS metabase that NtAuthenticationProviders was set to Negotiate/NTLM.
These errors were not there yesterday but are chronic now. We have no user IDs in Active Directory that match the ones that are attempting to log in. Is this indicative of an external brute force attack on our system? If so, how can I go about finding out where it's coming from and how to stop it? If it's not an external attack I am at a loss of where to go next to try and resolve this issue. Thanks in advance.

At the very least I would verify AV definitions on all Outlook clients and servers and run a scan. It could be a mass mailer, but it sounds like it may be a brute force attack. Have you run a netstat from Exchange yet?

It's a brute force attack. Installed Ethereal and discovered it was coming from China. We're squashing it now. Thanks.
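
An added example, not part of the original thread: one way to find the source of failures like those described above without a packet capture is to count 401 responses per client address in the IIS log and flag clients that cycle through user names absent from Active Directory. It assumes the attempts arrive over HTTP and that IIS W3C extended logging has the `c-ip`, `cs-username` and `sc-status` fields enabled; the sample log, function names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in IIS W3C extended log format (not data from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-01-10 08:00:01 203.0.113.45 dave GET /exchange/ 401
2006-01-10 08:00:02 203.0.113.45 dave GET /exchange/ 401
2006-01-10 08:00:03 203.0.113.45 martin GET /exchange/ 401
2006-01-10 08:00:04 203.0.113.45 john GET /exchange/ 401
2006-01-10 08:00:05 203.0.113.45 karl GET /exchange/ 401
2006-01-10 08:00:06 198.51.100.7 - GET /exchange/ 401
2006-01-10 08:00:07 198.51.100.7 alice GET /exchange/ 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def guessing_sources(text, known_users, min_failures=5, min_unknown=3):
    """Return {c-ip: summary} for clients whose 401s look like password guessing."""
    stats = defaultdict(lambda: {"failures": 0, "unknown": set(), "first": None, "last": None})
    for row in parse_w3c(text):
        if row.get("sc-status") != "401":
            continue
        s = stats[row["c-ip"]]
        s["failures"] += 1
        user = row.get("cs-username", "-").split("\\")[-1].lower()  # drop DOMAIN\ prefix
        if user != "-" and user not in known_users:
            s["unknown"].add(user)
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        s["first"] = s["first"] or ts
        s["last"] = ts
    return {ip: s for ip, s in stats.items()
            if s["failures"] >= min_failures and len(s["unknown"]) >= min_unknown}

if __name__ == "__main__":
    for ip, s in guessing_sources(SAMPLE_LOG, known_users={"alice"}).items():
        print(ip, s["failures"], sorted(s["unknown"]), s["first"], s["last"])
```

The single 401 from 198.51.100.7 followed by a 200 is the normal authentication challenge for a legitimate client, which is why the check requires both a failure count and several unknown names before flagging an address.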
