Windows Server - Who's guessing passwords? - source of invalid logins to inetinfo, SBS2003

Asked By Krzysztof Barski on 16-Jun-10 09:22 AM
Hello,
I am desperately trying to identify from where someone tries to log in to our
SBS2003 server.
I am getting several hundred event ID 529 entries in the security log,
spanning a 30-40 minute interval, all sharing this info:
Username: (here someone guesses random names)
Login type: 3
Logon Process: Advapi
Workstation name: <my_server_name>
Username: <my_server_name$>
Source network address: <empty> It'd be nice if it was not
PID: <inetinfo_pid_always>

I thought since it always is about inetinfo, these invalid logons would be
listed in IIS log files, but they are not.
By the way, the first in a chain of these logon attempts also generates
event ID 1706 from MSExchangeTransport in the application log.

I have read somewhere about debugging Exchange for the purpose of identifying
failed logons, but I do not want to do that. I'd like to see a log in any
format that would contain the source address or machine name.

Please help me identify source of these attacks.
--
Regards
Krzysztof Barski


Paul Shapiro replied to Krzysztof Barski on 16-Jun-10 11:29 AM
I have not seen these for a while, but I think it turned out to be attempts
to authenticate with the SMTP server. You can enable SMTP logging and you
may find further details there. I eventually decided there was not any point
to trying. The attack source rarely stays constant for long. In my case, I
had a flurry of such attacks for a week or two at a time, and then they
stopped. Occasionally they occur again, but never for long.

Krzysztof Barski replied to Paul Shapiro on 16-Jun-10 12:57 PM
Thanks for the answer, Paul.
I will be logging some more SMTP stuff, then. I need to see it logged at
least once just to be sure that it really is through SMTP, not an in-house job
by some unexpectedly "skillful" employee.
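
An added example, not part of any post in this thread: once SMTP logging is enabled as suggested above, a script like this counts AUTH commands per client address inside the window of the event 529 burst and marks each source as internal or external. It assumes the SMTP log is in W3C Extended format with the date, time, c-ip and cs-method fields enabled and that AUTH shows up in cs-method; the function names, the sample lines and the 192.168.16.0/24 internal subnet are constructed for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample. The field set is an assumption: the parser uses whatever
# the #Fields directive in the real log declares. W3C log times are UTC.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2010-06-16 07:01:10 203.0.113.45 EHLO +probe 250
2010-06-16 07:01:11 203.0.113.45 AUTH +LOGIN 535
2010-06-16 07:01:14 203.0.113.45 AUTH +LOGIN 535
2010-06-16 07:02:30 192.168.16.23 AUTH +LOGIN 535
2010-06-16 07:05:02 203.0.113.45 AUTH +LOGIN 535
2010-06-16 09:40:00 198.51.100.7 AUTH +LOGIN 235
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def auth_sources(text, start_utc, end_utc, internal_nets):
    """Return (client_ip, auth_count, origin) for AUTH commands in the window."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    counts = Counter()
    for e in parse_w3c(text):
        if not {"date", "time", "c-ip", "cs-method"} <= e.keys():
            continue  # the needed fields were not enabled for this log
        if e["cs-method"].upper() != "AUTH":
            continue
        ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        if start_utc <= ts <= end_utc:
            counts[e["c-ip"]] += 1
    report = []
    for ip, n in counts.most_common():
        addr = ipaddress.ip_address(ip)
        origin = "internal" if any(addr in net for net in nets) else "external"
        report.append((ip, n, origin))
    return report

if __name__ == "__main__":
    # Window of the event 529 burst, converted from local time to UTC.
    window = (datetime(2010, 6, 16, 7, 0), datetime(2010, 6, 16, 7, 40))
    for row in auth_sources(SAMPLE_LOG, *window, ["192.168.16.0/24"]):
        print(row)
```

The security event log records local time while W3C logs record UTC, so convert the burst window before comparing.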

john doe replied to Krzysztof Barski on 17-Jun-10 12:47 PM
Get 'EventSentry Light' (free edition) and install it. We are using it and
it is great.