Re: Problems with Exchange 2000 as open relay

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 12/16/03

    Date:         Tue, 16 Dec 2003 17:22:11 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I've tried to summarize the responses here so there is something in the archives about this.

    The best response has to go to Stanley Lyzak. Jeff Denston made an interesting suggestion that Exchange Servers behind NAT devices might be seeing the connection as coming from the local subnet, thereby allowing relaying. That could be supported by Karin Abbink's remarks. Robert Turbyfill makes a rather obvious, but not oft mentioned observation that if you have a trojaned machine within your network it may be using your Exchange Server to relay spam.

    Finally, Rotaiv's thank you is at the bottom.

    Cheers,
    Russ - NTBugtraq Editor

    -----Original message-----
    From: "Karin K. Abbink"
    Date: Tue, 16 Dec 2003 20:49:43 +0100

    I have been experiencing the same problems: although all settings are correct, the mail server is still being abused. What seems to work is to deny everybody the rights to relay except from your domain, instead of your subnet.

    -----Original message-----
    From: Steve Halligan
    Date: Tue, 16 Dec 2003 13:15:31 -0600

    Do you have relaying turned on for authenticated users? We have seen several Exchange 2000 servers that were being used as spam relays by utilizing an easy-to-guess username/password combo (or, in one case, an enabled guest account). In fact, there is a Knowledgebase article about this:

    (using the guest account) http://support.microsoft.com/?kbid=251149

    and here is a good article about the user auth relay attacks:

    http://www.vamsoft.com/orf/authattack.asp

    -----Original message-----
    From: "George, Anna"
    Date: Tue, 16 Dec 2003 12:23:30 -0700

    Try sending a test through the following site.
    http://members.iinet.net.au/~remmie/relay/

    -----Original message-----
    From: "Stanley Lyzak"
    Date: Tue, 16 Dec 2003 14:29:59 -0500

    Well, I have seen this a LOT lately.

    What's happening is that your Exchange server is set up to relay for authenticated requests (properties of your virtual SMTP server). Spammers are now finding fewer OPEN relays, and are basically 'brute forcing authenticated SMTP' through servers.

    I have found some event log entries that are representative of this activity. Check for Event ID 529 (security event log): the computer will be your server's name, the logon process is ADVAPI, and it shows up as a failed login. Typically, you should see a lot of these occurring very quickly (brute force attack). It only needs Port 25 open to the internet (it's not an OWA problem). I have come across (on three occasions now) an automated script that tries to guess passwords through Authenticated SMTP. In about 5 minutes' time, I saw about 12 accounts trying to login 23 times each (probably using the list of names as passwords). The accounts are: webmaster, admin, root, test, master, web, www, administrator, backup, server, data and abc. {damn script kiddie-spammers}.

    You must disable Authenticated SMTP to stop this. This will, however, break anyone who is POP3 or IMAP accessing the server (and other legit authenticated relays). You could, alternatively, validate good passwords and/or change all passwords. Also, as a note, Exchange has a bug that allows relaying through SMTP with the guest account (if enabled) even if the password provided is incorrect!!! Keep that default guest account turned off or be prepared to be a relay.

    I hope this helps.
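The indicator Stanley describes (a burst of Event ID 529 failures with logon process ADVAPI, spread across a short list of generic account names) is easy to turn into a detection. The script below is an added example, not code from the thread or from Microsoft; it assumes a simplified whitespace-separated export of the Security log (`<date> <time> <event id> <logon process> <target account>`) and runs over a constructed sample, flagging any account whose failed ADVAPI logons exceed a threshold inside a sliding five-minute window and raising an overall alert when several accounts are hit at once.

```python
"""Detect authenticated-SMTP password guessing from Security log events.

Added example (not from the original NTBugtraq thread). It assumes a
simplified whitespace-separated export of the Security event log:
    <date> <time> <event id> <logon process> <target account>
Real exports differ in layout; adapt parse_events() accordingly.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _burst(account, start, n, step_seconds=10):
    """Build n constructed 529/ADVAPI failure lines for one account."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)):%Y-%m-%d %H:%M:%S} 529 ADVAPI {account}"
        for i in range(n)
    ]


# Constructed sample log: three generic accounts hammered within seconds of
# each other through logon process ADVAPI (the pattern described in the
# thread), one ordinary typo by a real user, and one successful logon (528).
_T0 = datetime(2003, 12, 16, 14, 2, 0)
SAMPLE_LOG = "\n".join(
    _burst("webmaster", _T0, 6)
    + _burst("admin", _T0 + timedelta(seconds=3), 6)
    + _burst("root", _T0 + timedelta(seconds=5), 6)
    + [
        "2003-12-16 14:03:40 529 ADVAPI jsmith",
        "2003-12-16 14:03:55 528 ADVAPI jsmith",
    ]
)


def parse_events(text):
    """Parse the simplified export into (timestamp, event_id, logon_process, account) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(parts[2]), parts[3], parts[4]))
    return events


def max_failures_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any span of length `window`
    (two-pointer sweep over the sorted list)."""
    timestamps = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(timestamps):
        while t - timestamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_auth_smtp_bruteforce(events, window=timedelta(minutes=5),
                                min_failures=5, min_accounts=3):
    """Return (alert, flagged) where flagged maps account -> peak failure count.

    Only failed logons (529) via logon process ADVAPI are counted, matching
    the indicator given in the thread. `alert` is True when at least
    `min_accounts` accounts each exceed `min_failures` inside one window,
    which is the multi-account guessing pattern rather than a single user's typos.
    """
    by_account = defaultdict(list)
    for ts, event_id, logon_process, account in events:
        if event_id == 529 and logon_process == "ADVAPI":
            by_account[account].append(ts)
    flagged = {
        acct: max_failures_in_window(ts_list, window)
        for acct, ts_list in by_account.items()
    }
    flagged = {acct: n for acct, n in flagged.items() if n >= min_failures}
    return len(flagged) >= min_accounts, flagged


if __name__ == "__main__":
    alert, flagged = detect_auth_smtp_bruteforce(parse_events(SAMPLE_LOG))
    print("ALERT" if alert else "ok", flagged)
```

The thresholds are assumptions to tune per site; the point of the two-stage check (per-account burst, then a count of distinct accounts) is that a single user mistyping a password a few times stays below the alert while a script walking a list of generic names trips it.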

    -----Original message-----
    From: "Jeff Denston"
    Date: Tue, 16 Dec 2003 13:41:04 -0600

    Just a hunch but if the mail server is inside the firewall and the firewall is doing NAT and relaying is allowed for the local subnet then that means that all outside addresses can also relay because the mail looks like it is coming from the firewall's address - not the external address.

    -----Original message-----
    From: "Robert Turbyfill"
    Date: Tue, 16 Dec 2003 13:19:21 -0800

    If another workstation or server on your subnet is running SMTP services and allows relaying, it could be using your Exchange server as a relay for outbound SMTP. Worst case, there's a trojan on a workstation on your subnet that is delivering non-domain mail via that Exchange relay. Restricting SMTP relay to your local subnet alone (if it's a public IP address range) is not sufficient if you want to avoid being blacklisted.

    -----Original message-----
    From: rotaiv
    Date: Tue, 16 Dec 2003 14:54:15 -0500

    Thank you to everyone that responded. The "authenticated user" option was enabled and has since been turned off. I have no way of knowing if this will fix the problem as port 25 to this server is now blocked at the gateway. Since it is no longer in our MX records (it used to be required) there is no need for access from the Internet. As I said before, we have not seen any issues since the block was put in place. Hopefully, the problem has been resolved. Now to work on those who blacklisted us...

    rotaiv

    -----
    Most viruses these days use spoofed email addresses. As such, using an Anti-
    Virus product which automatically notifies the perceived sender of a message
    it believes is infected may well cause more harm than good. Someone who did
    not actually send you a virus may receive the notification and scramble
    their support staff to find an infection which never existed in the first
    place. Suggest such notifications be disabled by whomever is responsible for
    your AV, or at least that the idea is considered.
    -----

