MS Exchange Relay Authentication

From: Hovermale, Jake (hovermalej_at_BEINETWORKS.COM)
Date: 09/25/03

    Date:         Thu, 25 Sep 2003 17:58:49 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    We've seen quite a few Exchange Servers recently being used as relays.
    Relay restrictions are set to "allow all computers which successfully
    authenticate to relay, regardless of the list above." We've removed this
    option and added the appropriate servers to the granted computers list
    and the problem goes away. Some remote users may need to reset their
    email settings to use the local ISP's SMTP server, but that's how it
    should be anyway.

    We've seen tens of thousands of messages on average piled up in the
    queues. Exchange 2000 handles it much better than 5.5. 5.5 seems to
    crash the server more often than not. 2000 handles it but your Internet
    browsing may not work too well. We've done some searching and have found
    a few others with similar problems.

    It seems that account passwords are being cracked. At that point the
    spammer can successfully authenticate and voila, free relay server.
    Removing the 'authenticate-relay-option' solves the relay problem but
    not the fact that the passwords are so easily cracked. We've been
    enabling the maximum setting on the MSExchangeTransport SMTP Protocol to
    look for eventlog errors to track down the compromised accounts. We've
    also suggested resetting all account passwords with stronger settings,
    removing all unnecessary accounts, and patching the systems. All this is
    the usual stuff, but we've seen this on systems with all but the most
    up-to-date patch set, so we're not at all sure where the vulnerability is
    or how the passwords are being cracked.

    Anyone have any insight?

    Thank you,

    Jake

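The post's detection approach, raising the SMTP protocol logging level and then hunting through the logs for the account the spammer is authenticating as, can be scripted. The following is an added example and is not code from the original post or from Microsoft; it assumes a W3C-style SMTP protocol log with a `#Fields:` header naming `date time c-ip cs-username cs-method` (the real field names vary by Exchange version and logging settings), the sample lines are constructed, and the thresholds `max_ips` and `max_mail` are illustrative values to be tuned to a site's normal remote-user pattern. An account that authenticates from many different client addresses and relays a large number of messages is the pattern described in the post, so the script summarises activity per authenticated user and flags those that exceed either threshold.

```python
"""Flag accounts whose authenticated SMTP relay activity looks like a cracked password.

Added example, not from the original post. Assumes a W3C-style protocol log
whose '#Fields:' line names the columns; the sample below is constructed.
"""
from collections import defaultdict

# Constructed sample log (not a real capture). Column layout is an assumption.
SAMPLE_LOG = """\
#Software: SMTP protocol log (constructed sample)
#Fields: date time c-ip cs-username cs-method
2003-09-25 01:02:03 192.0.2.10 jsmith AUTH
2003-09-25 01:02:04 192.0.2.10 jsmith MAIL
2003-09-25 01:02:04 192.0.2.10 jsmith RCPT
2003-09-25 01:05:11 198.51.100.7 jsmith AUTH
2003-09-25 01:05:12 198.51.100.7 jsmith MAIL
2003-09-25 01:09:40 203.0.113.44 jsmith AUTH
2003-09-25 01:09:41 203.0.113.44 jsmith MAIL
2003-09-25 01:12:02 203.0.113.91 jsmith AUTH
2003-09-25 01:12:03 203.0.113.91 jsmith MAIL
2003-09-25 08:30:00 192.0.2.25 rlopez AUTH
2003-09-25 08:30:01 192.0.2.25 rlopez MAIL
2003-09-25 08:30:05 192.0.2.25 rlopez MAIL
2003-09-25 08:31:00 192.0.2.99 - EHLO
"""


def parse_log(text):
    """Return one dict per data line, keyed by the names in the '#Fields:' header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # comments, blanks, or data before any header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than abort the whole run
        records.append(dict(zip(fields, parts)))
    return records


def summarize_by_user(records):
    """Per authenticated username: distinct client IPs, AUTH count, MAIL count."""
    stats = defaultdict(lambda: {"ips": set(), "auth": 0, "mail": 0})
    for rec in records:
        user = rec.get("cs-username", "-")
        if user == "-":
            continue  # unauthenticated session; irrelevant to authenticated relay
        entry = stats[user]
        entry["ips"].add(rec["c-ip"])
        if rec["cs-method"] == "AUTH":
            entry["auth"] += 1
        elif rec["cs-method"] == "MAIL":
            entry["mail"] += 1
    return stats


def flag_suspect_accounts(records, max_ips=2, max_mail=50):
    """Usernames seen from more than max_ips client addresses or sending
    more than max_mail messages. Thresholds are illustrative (assumption)."""
    stats = summarize_by_user(records)
    return sorted(
        user for user, s in stats.items()
        if len(s["ips"]) > max_ips or s["mail"] > max_mail
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, s in sorted(summarize_by_user(recs).items()):
        print(f"{user:10} ips={len(s['ips']):3} auth={s['auth']:4} mail={s['mail']:5}")
    print("suspect accounts:", flag_suspect_accounts(recs))
```

Running it against a real log simply means replacing `SAMPLE_LOG` with the file contents; the flagged list is the starting point for the password resets the post recommends, and the per-user summary shows which source addresses to compare against the relay-permitted list.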
    
