Mail server security (Was: Re: [fw-wiz] [OT] tcpdump parsing)
From: Damian Gerow (damian_at_sentex.net)
Date: 10/09/03
- Previous message: Paul Robertson: "Re: [fw-wiz] [OT] tcpdump parsing"
- In reply to: Austin, Greg: "RE: [fw-wiz] [OT] tcpdump parsing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 8 Oct 2003 18:21:12 -0400
Thus spake Austin, Greg (gaustin@RKON.com) [08/10/03 18:11]:
> What sort of mail system is it? Does the system in question support
> relaying for authenticated hosts? If so I've seen a recent spate of
> people who aren't configured to relay being used as relays when
> configured this way.
I've seen all *sorts* of different ways to relay spam (I'm an admin at a
small ISP). One of them is abusing the AUTH LOGIN bug, then there's open
proxies and relays, trojans, etc.
What's got me stumped is that they have *no* open ports, other than the
default Windows port (again, three port scans confirmed this). Which is why
I moved to the network dump.
This is /not/ a mail system in question, it's a home user's connection.
> I've seen this a half dozen times in the last few months, and in every
> case I've found successful bogus authlogins from hosts in China and
> other odd places in my sniffer traces. Usually the local admin account
> on the box had a brilliant password like "administrator" or <blank>.
> Incidentally, these were all Exchange boxes patched up to the latest.
> Can't blame MS for the poor password choices though. Anyway, in case
I've found this as well in a number of locations. It's a right PITA, trying
to find an open relay where one doesn't exist (technically). I've chastised
a couple of remote sites for poor password choices.
This makes me wonder if the SMTP AUTH holy grail that's being touted in
inet-access and NANOG is more trouble than it will be worth. I'm all for
authenticated SMTP, but until the security industry can find a way for end
users to have a simple, secure way of authenticating themselves, I just
don't think it's going to cut it.
It's one thing for a hax0r to break into an end user's account and start
faking newsgroup/Yahoo! Groups posts as the user. It's another entirely
when someone brute forces your user base (and in 10k users, they're *bound*
to find a couple of easy-to-guess passwords) and starts relaying spam
through you like there's no tomorrow.
And this is no home connection, either. If they SLIP/SSH into a Unix prompt
at another ISP, they could have 50+Mbps at their hands for relaying spam.
That's a *heck* of a lot of e-mail.
Yes, yes, I know. Secure password policy. A debate I don't want to enter
right now.
> this applied to your situation I thought I'd chip in with this bit. If
> it doesn't apply, ignore me (a good choice in most cases anyway).
Ditto.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
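The pattern both posters describe (a run of failed SMTP AUTH attempts against a weak account, then a success, then relaying) is something a defender can pick out of mail-server auth logs. Below is an added detection example written for this thread, not code from either poster; the log format and the sample lines are constructed, and the threshold is an assumed tuning value.

```python
"""Flag SMTP AUTH brute-force that ends in a successful login.

Added example for this thread (not from the original posts). The log
format below is constructed for illustration and matches no specific MTA.
"""
import re
from collections import defaultdict

# Constructed sample log: <time> <client-ip> AUTH <user> <OK|FAIL>
SAMPLE_LOG = """\
18:01:02 203.0.113.7 AUTH administrator FAIL
18:01:03 203.0.113.7 AUTH administrator FAIL
18:01:04 203.0.113.7 AUTH administrator FAIL
18:01:05 203.0.113.7 AUTH administrator FAIL
18:01:06 203.0.113.7 AUTH administrator OK
18:02:10 198.51.100.4 AUTH bob OK
18:03:11 192.0.2.9 AUTH alice FAIL
18:03:12 192.0.2.9 AUTH alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) AUTH (\S+) (OK|FAIL)$")


def find_suspicious_auth(log_text, fail_threshold=3):
    """Return {client_ip: (user, failures_before_success)} for clients that
    failed AUTH at least fail_threshold times in a row and then succeeded.
    fail_threshold is an assumed tuning value; a typo by a real user rarely
    produces more than one or two consecutive failures.
    """
    failures = defaultdict(int)   # client -> consecutive failures so far
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines the constructed format does not cover
        _ts, client, user, result = m.groups()
        if result == "FAIL":
            failures[client] += 1
        elif failures[client] >= fail_threshold:
            hits[client] = (user, failures[client])
            failures[client] = 0  # reset so later runs are counted separately
        else:
            failures[client] = 0  # a clean success clears the counter
    return hits


if __name__ == "__main__":
    for ip, (user, n) in find_suspicious_auth(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed AUTH attempts, then success as {user!r}")
```

A hit on an account like "administrator" from an unexpected network is the cue to check that account's outbound mail volume and reset its password.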