RE: MS Exchange Server 5.5/ NT User Name Harvesting ?

From: Seth Mitchell (Smitchell@meagher.com)
Date: 06/07/02


From: Seth Mitchell <Smitchell@meagher.com>
To: focus-ms@securityfocus.com
Date: Fri, 7 Jun 2002 16:03:46 -0500 

Edward,

The behavior you described, where the user received an auto-reply from
someone she never sent mail to, is more likely a result of a third party's
computer being infected with the Klez virus, than it is spam relaying. Klez
is known to falsify sender information. Sender information is totally
arbitrary - it has little to do with the actual source of the message.

See...
http://www.sophos.com/virusinfo/articles/klezh2.html

So, your user's name is in some infected computer's address book, it gets used
as the FROM, and your user gets the auto-reply. Annoying to no end... And
forget trying to explain these abstract concepts to the users. Ugh!

IMHO, anyone running an Exchange server should configure SMTP as noted under
the 'A Better Option' section of this document:
http://info.connect.com.au/docs/exchange/relay.html

That will prevent your server from being used to send mail to anywhere but
your domain.

To the user with the WatchGuard firewall:

If we're talking about a WG model 700 or better, consider using the
SMTP-Proxy service. You can set it to stop relaying by setting the
Allowed-to: on the incoming properties to *yourcommercialdomain.com

Next, how on [insert your choice of omnipotent being]'s green earth are they
getting at your accounts (i.e., what kind of allowed traffic are you
seeing)? Are you allowing SMB through to any internal hosts? If so, I'd
recommend stopping that immediately. You may as well not run a firewall, if
you're going to allow MS traffic through.

-Seth Mitchell

smitchell@meagher.com

-----Original Message-----
From: Edward Cheong [mailto:ed.cheong@oahucomputers.com]
Sent: Friday, June 07, 2002 3:04 PM
To: focus-ms@securityfocus.com
Subject: Re: MS Exchange Server 5.5/ NT User Name Harvesting ?

In-Reply-To: <20020607163318.12672.qmail@mail.securityfocus.com>

Hi,

I am experiencing the same problem. How did you determine that the
attackers are trying to use your exchange server as a spam relay? What
signs do you look for (our user has received auto-response replies from a
person she has never sent mail to, but who apparently received a spam message
from our user). Could spam be relayed from our mail server using a
particular user as the sender? What other ways are there to find out
information about the users (other than with the Watchguard firewall)?

Thank you very much

>
>Hello,
>
>I work for a small company with about 100 computers on our network. Our
>lone server is running on NT with all the latest hotfixes, service packs,
>etc. Our mail server is MS Exchange 5.5, also with all the latest
>hotfixes and service packs installed. Due to budgetary constraints
>upgrading to newer software is not an option here.
>
>The problem we're having is that every time one of our employees keeps
>his/her computer logged on overnight, crackers are able to harvest the
>username and they then proceed to run cracking attempts on it all night.
>
>From the security logs it looks like they are trying to use our mail
>server as a spam relay. The only thing that's really stopping them is we
>have all user accounts locked out from 5pm-7am. But we really don't know
>what's going on during business hours.
>
>We have a Watchguard firewall up and running and it's provided us with a lot
>of information, including the cracker's IP addresses, but we would really
>like to know how to stop them from harvesting our Usernames.
>
>The usernames are not guessable; the only common thread among all the
>usernames the crackers have harvested is that the employee left his/her
>computer on all night, logged into the network.
>
>Any suggestions would be most appreciated.
>
>Thanks
>

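As an added example, not part of this thread and not code from any of the posters, here is a small Python script that does what Seth's point about arbitrary sender information implies in practice: ignore the From: line and read the Received: chain of the message quoted back in the auto-reply. If none of the hops was recorded by your own mail server, the From: was fabricated elsewhere (Klez-style); if your server did record a hop, the client IP it logged tells you whether one of your own workstations sent it or an outside host relayed through you. The host names, the 10.0.0.0/8 LAN, and the three sample header sets are constructed for the example.

```python
"""Tell a forged From: (Klez-style) apart from mail actually relayed through
your Exchange server, by reading the Received: chain instead of the From: line.

Added example for this thread, not code from the original posts.  Host names,
networks and the sample header sets below are constructed.
"""
import ipaddress
import re
from collections import namedtuple
from email import message_from_string

# Assumptions about "our" site (not taken from the thread):
LOCAL_MAIL_HOSTS = {"mail.example.com"}                 # our Exchange server
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # our LAN

Hop = namedtuple("Hop", "from_name from_ip by_name")

# "from <helo> (<rdns> [<ip>]) by <server>"; the parenthesised part is optional.
_HOP_RE = re.compile(
    r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Parse every Received: header, newest first (the order they appear)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = _HOP_RE.search(" ".join(hdr.split()))   # unfold continuation lines
        if not m:
            continue
        # Client IP is normally in the parenthesised part; some MTAs put a
        # bare "[ip]" in the HELO position instead, so fall back to that.
        ip_m = _IP_RE.search(m.group(2) or "") or _IP_RE.search(m.group(1))
        hops.append(Hop(m.group(1), ip_m.group(1) if ip_m else None,
                        m.group(3).rstrip(";")))
    return hops


def _is_internal(ip):
    return ip is not None and any(
        ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def classify(raw):
    """Return forged-sender, relayed-through-us, sent-by-local-user or undetermined."""
    hops = received_chain(raw)
    if not hops:
        return "undetermined"
    # Only hops written by our own server are trustworthy; everything above
    # them in the chain was stamped by machines we do not control.
    ours = [h for h in hops if h.by_name.lower() in LOCAL_MAIL_HOSTS]
    if not ours:
        # Our server never saw this message: the From: was fabricated
        # elsewhere, which is what Klez does with harvested address books.
        return "forged-sender"
    handoff = ours[-1]   # oldest of our hops: the host that handed it to us
    if _is_internal(handoff.from_ip):
        return "sent-by-local-user"
    return "relayed-through-us"   # an outside host used our server to send it


# Constructed samples: the original message as an auto-reply would quote it
# back to the apparent sender jane.doe@example.com.
FORGED_KLEZ = "\n".join([
    "Received: from mx.victim.example (mx.victim.example [198.51.100.7])",
    "\tby mail.victim.example with ESMTP; Fri, 7 Jun 2002 10:01:02 -0500",
    "Received: from Tzzxa ([203.0.113.45]) by mx.victim.example with SMTP;",
    "\tFri, 7 Jun 2002 10:01:00 -0500",
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: bob@victim.example",
    "Subject: A funny website",
    "",
    "(worm payload elided)",
])

RELAYED = "\n".join([
    "Received: from mail.example.com (mail.example.com [192.0.2.10])",
    "\tby mx.victim.example with ESMTP; Fri, 7 Jun 2002 11:20:33 -0500",
    "Received: from spamhost (unknown [203.0.113.99]) by mail.example.com",
    "\twith SMTP id ABC123; Fri, 7 Jun 2002 11:20:30 -0500",
    "From: jane.doe@example.com",
    "To: bob@victim.example",
    "",
    "(spam body elided)",
])

LOCAL_USER = "\n".join([
    "Received: from mail.example.com (mail.example.com [192.0.2.10])",
    "\tby mx.victim.example with ESMTP; Fri, 7 Jun 2002 12:05:10 -0500",
    "Received: from WS017 (ws017.example.com [10.0.4.17]) by mail.example.com",
    "\twith ESMTP; Fri, 7 Jun 2002 12:05:08 -0500",
    "From: jane.doe@example.com",
    "To: bob@victim.example",
    "",
    "Hi Bob, see attached.",
])

if __name__ == "__main__":
    for name, raw in [("klez", FORGED_KLEZ), ("relay", RELAYED), ("local", LOCAL_USER)]:
        print(name, "->", classify(raw))
```

The same reading of the headers answers Edward's question about how to tell relaying from forgery: a relayed message carries a Received: line stamped "by" your server with an outside client address in the "from" part, while a forged one never mentions your server at all. The script trusts only the hops your own server stamped; hop lines above them come from other people's MTAs and can themselves be forged.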

