We had a customer who was seeing logon failures on their domain controller (Event ID 680) generated from their Exchange server. The usernames requested were completely outlandish and were determined to be coming from a dictionary attack. The only service the bank had exposed was its SMTP service (the Exchange server was exposed directly to the Internet via an SMTP PAT). We did some research and found that the failures were related to the SMTP "Auth Login" command. The SMTP service was configured to allow Basic and Integrated authentication. It appears that someone was running some type of dictionary attack from the Internet to try to guess valid user accounts and passwords via the SMTP service. We disabled authentication support for the SMTP service so that "Auth Login" is no longer available.
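
One way to confirm the change took effect is to check what the server advertises in its EHLO reply before and after. The following is an added example, not part of the original post; the hostname, address and reply text are constructed sample data, and the function names are illustrative.

```python
import re

# Mechanisms that carry the password in reversible (base64-only) form.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed EHLO replies: before and after authentication was disabled.
BEFORE = """250-mail.example.test Hello [192.0.2.10]
250-SIZE 10485760
250-PIPELINING
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250 OK"""
AFTER = """250-mail.example.test Hello [192.0.2.10]
250-SIZE 10485760
250-PIPELINING
250 OK"""

def parse_ehlo(reply):
    """Return the AUTH mechanisms and STARTTLS flag advertised in an EHLO reply."""
    mechs, starttls = set(), False
    # The first line is the greeting, not an extension keyword, so skip it.
    for line in reply.splitlines()[1:]:
        keyword = re.sub(r"^250[- ]", "", line.strip()).upper()
        if keyword == "STARTTLS":
            starttls = True
        # Accept both "AUTH NTLM LOGIN" and the legacy "AUTH=LOGIN" form.
        match = re.match(r"^AUTH[ =](.+)$", keyword)
        if match:
            mechs.update(match.group(1).split())
    return {"mechs": mechs, "starttls": starttls}

def audit(reply):
    """List findings for an Internet-facing listener that should not offer AUTH."""
    info = parse_ehlo(reply)
    findings = []
    if info["mechs"]:
        findings.append("AUTH advertised: " + ", ".join(sorted(info["mechs"])))
    weak = info["mechs"] & PLAINTEXT_MECHS
    if weak and not info["starttls"]:
        findings.append("plaintext mechanism without STARTTLS: "
                        + ", ".join(sorted(weak)))
    return findings

if __name__ == "__main__":
    for label, reply in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(reply) or "no AUTH advertised")
```
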