RE: Exchange SMTP Hole?
From: Sean Warnock (swarnock_at_warnocksolutions.com)
Date: 11/11/03
- Previous message: Tom Burns: "RE: Exchange SMTP Hole?"
- Maybe in reply to: Tom Burns: "Exchange SMTP Hole?"
- Next in thread: Ted Quade: "Re: Exchange SMTP Hole?"
Date: Tue, 11 Nov 2003 08:05:33 -0800
To: "Tom Burns" <tburns@torcausa.com>, <focus-ms@securityfocus.com>
The other possibility is that you allow authenticated users to send
mail. I generally disable the feature marked "Allow all computers which
successfully authenticate to relay, regardless of the list above". With
this setting any weak user account and password choices will allow
someone to relay through you. I have also found that incorrect
passwords on the SMTP service do not generate event log messages. You
can look through the SMTP service logs for the commands issued to see if
someone was doing a password attack but I do not know how long you have
kept your SMTP logs.
Sean
-----Original Message-----
From: Tom Burns [mailto:tburns@torcausa.com]
Sent: Tuesday, November 11, 2003 6:00 AM
To: focus-ms@securityfocus.com
Subject: Exchange SMTP Hole?
Good morning all,
I have an exchange server that's been running for quite some time (over
a year) and had it locked down to prevent relay (spam). It is patched
all the way up to 3a.
I checked my queues yesterday and got slammed by spam relaying.
Is there a security hole that MS does not know about yet in SMTP?????
The only way I resolved this was to block connection from 219.x.x.x,
218.x.x.x, 211.x.x.x, etc.
This server has been tested against ORDB.ORG and shown to NOT be an open
relay.
If anyone has any suggestions, please let me know.
Thomas A. Burns
System Administrator
Torca Products Inc.
Auburn Hills, MI 48326
248-373-8300 x186
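Added example, not part of either message: one way to do the log review Sean describes, counting failed and successful AUTH commands per client address in an SMTP service log. It assumes W3C extended logging with the `c-ip`, `cs-method` and `sc-status` fields enabled and that AUTH commands are recorded with their SMTP reply codes (535 failed, 235 succeeded); the log lines are constructed and the threshold of 3 is arbitrary.

```python
from collections import defaultdict

# Constructed sample in W3C extended format (not from a real server).
# The last entry is deliberately truncated to show malformed-line handling.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method sc-status
2003-11-10 02:14:01 192.0.2.50 EHLO 250
2003-11-10 02:14:02 192.0.2.50 AUTH 535
2003-11-10 02:14:03 192.0.2.50 AUTH 535
2003-11-10 02:14:04 192.0.2.50 AUTH 535
2003-11-10 02:14:05 192.0.2.50 AUTH 235
2003-11-10 02:14:06 192.0.2.50 MAIL 250
2003-11-10 09:30:11 198.51.100.7 AUTH 235
2003-11-10 09:30:12 198.51.100.7 MAIL 250
2003-11-10 09:31:00 203.0.113.9 AUTH
"""

def parse_w3c(text):
    """Yield one dict per entry, honouring every #Fields directive seen."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # layout can change mid-file
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip truncated entries
                yield dict(zip(fields, values))

def auth_activity(rows):
    """Per client IP: failed and successful AUTH counts, and whether a
    success followed earlier failures (a password may have been guessed)."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "guessed": False})
    for row in rows:
        if row.get("cs-method", "").upper() != "AUTH":
            continue
        s = stats[row.get("c-ip", "-")]
        if row.get("sc-status") == "535":      # assumed: auth failure reply
            s["failed"] += 1
        elif row.get("sc-status") == "235":    # assumed: auth success reply
            s["succeeded"] += 1
            s["guessed"] = s["guessed"] or s["failed"] > 0
    return dict(stats)

def suspects(stats, min_failures=3):
    """Client IPs with at least min_failures failed AUTH commands."""
    return sorted(ip for ip, s in stats.items() if s["failed"] >= min_failures)

if __name__ == "__main__":
    activity = auth_activity(parse_w3c(SAMPLE_LOG))
    for ip in suspects(activity):
        print(ip, activity[ip])
```

An address flagged with `guessed` set is the case worth checking first: relayed mail from it would have been accepted as authenticated.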