RE: MS Exchange Server 5.5/ NT User Name Harvesting ?

From: Kit (kit@smallfoxx.com)
Date: 06/07/02


From: "Kit" <kit@smallfoxx.com>
To: "Edward Cheong" <ed.cheong@oahucomputers.com>, <focus-ms@securityfocus.com>
Date: Fri, 7 Jun 2002 16:12:56 -0500


For the user enumeration, they could be using NetBIOS or SMB to determine
who is actively logged into the machines if those ports are not being
blocked. The first thing to do on this is to make sure you block all
transmissions to and from TCP&UDP 135, UDP 137, UDP 138, TCP 139, and
TCP&UDP 445 at the firewall unless you know you absolutely need them (only
would be used if you were doing LanMan or NTLM authentication across the
Internet). Also, they could be using LDAP, so disable TCP&UDP 389 at the
firewall as well unless you have someone doing queries against your
directory on purpose.

As for finding out who is sending the e-mails, a lot of bounced messages
will include the original message as an attachment. In this case, look at
the header information of the message to find out where it's being sent from.
Someone may be attempting to use your system as a relay. However, there are
some viruses out now which will spoof source addresses and it could simply
be that someone your user knows is infected and sending out these falsified
e-mails and your user is getting the bounces. If you're worried about
someone spamming via your SMTP server, there are some MS Knowledge Base
articles about how to secure your system from relaying; take a look there.

-K

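As an added illustration of the first point in Kit's reply (this is not code from the thread or from any of the posters), the following Python script runs over a few constructed firewall log lines and reports any external source that was allowed through to one of the NetBIOS/SMB/LDAP ports Kit lists. The log line format, the 192.0.2.0/24 internal range and all addresses are assumptions made for the example; adapt the regular expression to whatever your firewall actually writes.

```python
"""Audit firewall log lines for inbound hits on user-enumeration ports.

Constructed log format (assumption for this example):
    <date> <time> <allow|deny> <tcp|udp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import ipaddress
import re
from collections import defaultdict

# Ports named in Kit's reply: RPC endpoint mapper, NetBIOS, SMB and LDAP.
ENUMERATION_PORTS = {
    ("tcp", 135), ("udp", 135),
    ("udp", 137), ("udp", 138),
    ("tcp", 139),
    ("tcp", 445), ("udp", 445),
    ("tcp", 389), ("udp", 389),
}

# Hypothetical internal range; replace with your own network(s).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>allow|deny) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: two external hosts, one internal host, one bad line.
SAMPLE_LOG = """\
2002-06-07 02:14:01 allow tcp 203.0.113.7:3211 -> 192.0.2.10:139
2002-06-07 02:14:02 allow udp 203.0.113.7:1026 -> 192.0.2.10:137
2002-06-07 02:14:05 deny tcp 203.0.113.7:3212 -> 192.0.2.10:445
2002-06-07 02:15:09 allow tcp 203.0.113.22:4456 -> 192.0.2.10:389
2002-06-07 02:16:00 allow tcp 203.0.113.7:3300 -> 192.0.2.10:25
2002-06-07 02:16:30 allow tcp 192.0.2.15:1055 -> 192.0.2.10:139
malformed line
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposures(log_text):
    """Map each external source IP to the sorted (proto, port) pairs it was
    allowed to reach on internal hosts, restricted to ENUMERATION_PORTS.
    Denied traffic and internal-to-internal traffic are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if is_internal(rec["src"]) or not is_internal(rec["dst"]):
            continue  # only external -> internal matters for this check
        key = (rec["proto"], rec["dport"])
        if key in ENUMERATION_PORTS:
            hits[rec["src"]].add(key)
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    for src, ports in find_exposures(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(f'{proto}/{port}' for proto, port in ports)}")
```

Any source that shows up in the output is proof that the firewall rule Kit describes is not in place (or has a hole), independent of whether the remote side was actually enumerating anything; the SMTP hit on port 25 is deliberately not reported, since that is the one service a mail server must expose.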
-----Original Message-----
From: Edward Cheong [mailto:ed.cheong@oahucomputers.com]
Sent: Friday, June 07, 2002 3:04 PM
To: focus-ms@securityfocus.com
Subject: Re: MS Exchange Server 5.5/ NT User Name Harvesting ?

In-Reply-To: <20020607163318.12672.qmail@mail.securityfocus.com>

Hi,

I am experiencing the same problem. How did you determine that the
attackers are trying to use your exchange server as a spam relay? What
signs do you look for (our user has received auto-response replies from a
person she has never sent mail to, but apparently received a spam message
from our user). Could spam be relayed from our mail server using a
particular user as the sender? What other ways are there to find out
information about the users (other than with the Watchguard firewall)?

Thank you very much

>
>Hello,
>
>I work for a small company with about 100 computers on our network. Our
>lone server is running on NT with all the latest hotfixes, service packs,
>etc. Our mail server is MS Exchange 5.5, also with all the latest
>hotfixes and service packs installed. Due to budgetary constraints
>upgrading to newer software is not an option here.
>
>The problem we're having is that every time one of our employees keeps
>his/her computer logged on overnight, crackers are able to harvest the
>username and they then proceed to run cracking attempts on it all night.
>
>From the security logs it looks like they are trying to use our mail
>server as a spam relay. The only thing that's really stopping them is we
>have all user accounts locked out from 5pm-7am. But we really don't know
>what's going on during business hours.
>
>We have a Watchguard firewall up and running and it's provided us with a lot
>of information, including the cracker's IP addresses, but we would really
>like to know how to stop them from harvesting our Usernames.
>
>The usernames are not guessable; the only common thread that all the
>usernames the crackers have harvested have is the fact that the employee
>left his/her computer on all night and logged into the network.
>
>Any suggestions would be most appreciated.
>
>Thanks
>

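Kit's second paragraph above suggests reading the headers of the original message attached to a bounce to tell whether your own server actually relayed it or whether the sender address was simply forged somewhere else, as the spoofing viruses he mentions do. The Python below is an added example, not code from the thread: it pulls the message/rfc822 attachment out of a constructed non-delivery report with the standard library email parser, walks the Received: headers of the attached original, and decides which of the two cases applies. The hostname mail.example.com and both sample bounces are assumptions made for the example.

```python
"""Classify a bounce by the Received: chain of the attached original."""
import email
import re
from email import policy

OUR_SERVER = "mail.example.com"  # assumption: hostname your Exchange server stamps

# "from <host> <anything> by <host>" is the part of a Received: line we need.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed bounce 1: the original really went through our server.
BOUNCE_RELAYED = """\
From: Mail Delivery System <MAILER-DAEMON@relay.example.net>
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

This is the mail system at host relay.example.net. Delivery failed.

--BOUNDARY
Content-Type: message/rfc822

Received: from mail.example.com (mail.example.com [192.0.2.10])
    by relay.example.net with SMTP; Fri, 7 Jun 2002 02:20:11 -0500
Received: from unknown (HELO spamhost) (203.0.113.7)
    by mail.example.com with SMTP; Fri, 7 Jun 2002 02:20:01 -0500
From: alice@example.com
To: victim@example.org
Subject: buy now

body

--BOUNDARY--
"""

# Constructed bounce 2: our address was forged, our server never saw it.
BOUNCE_SPOOFED = BOUNCE_RELAYED.replace(
    "Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
    "    by relay.example.net with SMTP; Fri, 7 Jun 2002 02:20:11 -0500\n"
    "Received: from unknown (HELO spamhost) (203.0.113.7)\n"
    "    by mail.example.com with SMTP; Fri, 7 Jun 2002 02:20:01 -0500\n",
    "Received: from badhost (198.51.100.9)\n"
    "    by relay.example.net with SMTP; Fri, 7 Jun 2002 02:20:11 -0500\n",
)


def extract_original(bounce_text):
    """Return the attached original message, or None if the bounce has none."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def parse_hops(original):
    """Received: headers, most recent hop first, as from/by/IP dicts."""
    hops = []
    for value in original.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold and squeeze whitespace
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "ips": IP_RE.findall(text[:m.end("extra")]),  # IPs in the 'from' clause
        })
    return hops


def classify_bounce(bounce_text):
    """('relayed-through-us', peer_ip) if a hop was stamped by OUR_SERVER,
    ('spoofed-elsewhere', None) otherwise, ('no-original', None) if the
    bounce carries no attached message to examine."""
    original = extract_original(bounce_text)
    if original is None:
        return ("no-original", None)
    for hop in parse_hops(original):
        if hop["by"].lower() == OUR_SERVER:
            peer = hop["ips"][0] if hop["ips"] else hop["from"]
            return ("relayed-through-us", peer)
    return ("spoofed-elsewhere", None)


if __name__ == "__main__":
    print(classify_bounce(BOUNCE_RELAYED))
    print(classify_bounce(BOUNCE_SPOOFED))
```

Only the hop that your own server stamped can be trusted: everything below it in the chain was supplied by whoever connected to you and can be fabricated, which is why the script keys on the "by mail.example.com" line and reports the peer address recorded there rather than anything deeper in the headers. A "relayed-through-us" result is the sign to go and read the relay-restriction articles Kit points to; "spoofed-elsewhere" means the fix lies on someone else's machine.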

