Re: MS Exchange Relay Authentication

From: Bocko, Andy (Andy.Bocko_at_ADAM-US.COM)
Date: 10/03/03

    Date:         Thu, 2 Oct 2003 16:38:11 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I've seen this on a few servers in various environments. In every case
    the account that was cracked was the box's local administrator and:

    1. The account was still named Administrator
    2. The password was not complex
    3. Administrator lockout was not enabled
    4. The Administrator account is enabled (of course)
    5. Basic authentication is enabled on the SMTP server

    I used Netmon to capture traffic coming to a honeypot Ex2000 box on my
    DMZ and I got tons of initiated SMTP sessions that attempt to
    authenticate with .\Administrator followed by a random plain text
    password. I have set simple passwords to test the attack and usually by
    morning the next day I have queued up thousands of messages for
    delivery. It's a little interesting that most of the attacks originate
    from the same South Korea based ISP. Maybe that's just me.

    On our production boxes we have implemented the following:

    1. Administrator account is renamed and disabled.
    2. We use a program to create a random complex password for the
    administrator account.
    3. Group Policy enables several account policies including Administrator
    account lockout on all servers. (this may seem excessive since we
    disable the account)
    4. We create a second SMTP VS on the externally accessible servers that
    only accepts anonymous connections on port 25 for inbound mail. The
    existing 'default' VS is used for outbound mail and is re-assigned to an
    IP address that isn't available to the Internet.

    I hope that helps.

    Andy Bocko
    Chief Technology Officer
    Allianz Dresdner Asset Management
    U.S. Corporate Services
    (949) 219-2222
    Fax (949) 640-5113

    -----Original Message-----
    From: Hovermale, Jake [mailto:hovermalej@BEINETWORKS.COM]
    Sent: Thursday, September 25, 2003 2:59 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: MS Exchange Relay Authentication

    We've seen quite a few Exchange Servers recently being used as relays.
    Relay restrictions are set to "allow all computers which successfully
    authenticate to relay, regardless of the list above." We've removed this
    option and added the appropriate servers to the granted computers list
    and the problem goes away. Some remote users may need to reset their
    email settings to use the local ISP's smtp server but that's how it
    should be anyway.

    We've seen tens of thousands of messages on average piled up in the
    queues. Exchange 2000 handles it much better than 5.5. 5.5 seems to
    crash the server more often than not. 2000 handles it but your Internet
    browsing may not work too well. We've done some searching and have found
    a few others with similar problems.

    It seems that account passwords are being cracked. At that point the
    spammer can successfully authenticate and voila, free relay server.
    Removing the 'authenticate-relay-option' solves the relay problem but
    not the fact that the passwords are so easily cracked. We've been
    enabling the maximum setting on the MSExchangeTransport SMTP Protocol to
    look for eventlog errors to track down the compromised accounts. We've
    also suggested resetting all account passwords with stronger settings,
    removing all unnecessary accounts, and patching the systems. All this is
    the usual stuff but we've seen this on systems with all but the most up
    to date patch set so we're not at all sure where the vulnerability is or how
    the passwords are being cracked.

    Anyone have any insight?

    Thank you,

    Jake

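Added example, not part of either message above. Both posters locate the compromised accounts after the fact, from queue contents or transport event logs; the Netmon observation in the reply (repeated AUTH attempts as .\Administrator with a plaintext password) suggests a direct check. AUTH LOGIN sends the username and password as base64, so anyone holding a capture or a per-connection protocol log can decode the attempts and count failures per source and account. The script below does that over a constructed transcript in an assumed "source-ip direction text" line format (the format, the IPs and the passwords are made up for the example); it also reports a success that follows a run of failures from the same source, which is the "cracked account" case both messages describe.

```python
"""Recover SMTP AUTH LOGIN attempts from a per-connection transcript and flag
password guessing against privileged accounts (e.g. .\\Administrator)."""
import base64
import binascii
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AuthAttempt:
    src: str       # client IP
    user: str      # decoded username exactly as the client sent it
    password: str  # decoded password (AUTH LOGIN carries it in clear, only base64-wrapped)
    success: bool  # server answered 235


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _decode(token: str) -> str:
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable>"


# Constructed sample transcript (assumed format: "src direction text", one SMTP
# line each, as one might export from a capture). The first session is written
# out literally; the remaining ones are generated below in the same shape.
SAMPLE = """\
203.0.113.7 S 220 mail.example.test Microsoft ESMTP MAIL Service ready
203.0.113.7 C EHLO x
203.0.113.7 S 250-AUTH LOGIN
203.0.113.7 C AUTH LOGIN
203.0.113.7 S 334 VXNlcm5hbWU6
203.0.113.7 C LlxBZG1pbmlzdHJhdG9y
203.0.113.7 S 334 UGFzc3dvcmQ6
203.0.113.7 C cGFzc3dvcmQ=
203.0.113.7 S 535 5.7.3 Authentication unsuccessful
""".splitlines()


def _session(src, user, password, ok):
    code = "235 2.7.0 Authentication successful" if ok else "535 5.7.3 Authentication unsuccessful"
    return [f"{src} C AUTH LOGIN", f"{src} S 334 {b64('Username:')}",
            f"{src} C {b64(user)}", f"{src} S 334 {b64('Password:')}",
            f"{src} C {b64(password)}", f"{src} S {code}"]


for pw in ("123456", "admin", "letmein", "Administrator"):
    SAMPLE += _session("203.0.113.7", ".\\Administrator", pw, False)
SAMPLE += _session("203.0.113.7", ".\\Administrator", "exchange", True)  # a guess lands
SAMPLE += _session("198.51.100.9", "jsmith", "Correct-Horse-9", True)     # legitimate user


def parse_auth_login(lines):
    """One pass over the transcript, tracking the AUTH LOGIN state per source."""
    state = defaultdict(lambda: {"phase": None, "user": None, "pw": None})
    attempts = []
    for raw in lines:
        parts = raw.strip().split(" ", 2)
        if len(parts) != 3:
            continue
        src, direction, text = parts
        st = state[src]
        if direction == "C":
            if text.upper().startswith("AUTH LOGIN"):
                arg = text.split(None, 2)
                if len(arg) == 3:              # RFC 4954 initial response carries the username
                    st.update(user=_decode(arg[2]), phase="pw")
                else:
                    st.update(user=None, phase="user")
            elif text == "*" and st["phase"]:  # client cancelled the exchange
                st.update(phase=None)
            elif st["phase"] == "user":
                st.update(user=_decode(text), phase="pw")
            elif st["phase"] == "pw":
                st.update(pw=_decode(text), phase="result")
        elif direction == "S" and st["phase"] == "result" and text[:3] != "334":
            attempts.append(AuthAttempt(src, st["user"], st["pw"], text.startswith("235")))
            st.update(phase=None)
    return attempts


def _account(user: str) -> str:
    """Normalise '.\\Administrator' or 'DOMAIN\\administrator' to 'administrator'."""
    return user.rsplit("\\", 1)[-1].lower()


def find_password_guessing(attempts, threshold=3):
    """Return {(src, account): {'failures': n, 'guessed': pw_or_None}} for each source
    with >= threshold failures against one account; 'guessed' holds the password of a
    later success from that source, i.e. the account is likely compromised."""
    stats = defaultdict(lambda: {"failures": 0, "guessed": None})
    for a in attempts:
        s = stats[(a.src, _account(a.user))]
        if a.success:
            if s["failures"]:
                s["guessed"] = a.password
        else:
            s["failures"] += 1
    return {k: v for k, v in stats.items() if v["failures"] >= threshold}


if __name__ == "__main__":
    for (src, acct), v in find_password_guessing(parse_auth_login(SAMPLE)).items():
        hit = f", then SUCCEEDED with {v['guessed']!r}" if v["guessed"] else ""
        print(f"{src}: {v['failures']} failed AUTH LOGIN attempts for {acct}{hit}")
```

Run against a real capture, the threshold should be tuned to the server's lockout policy; with no lockout on the built-in Administrator account (point 3 in the reply above) the failure count per source is the only signal you get, and the decoded password list doubles as evidence of how weak the guessed credential was.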
    
