RE: Exchange SMTP Hole?
MTeixeira_at_njtransit.com
Date: 11/12/03
- Previous message: Thor: "Re: AD structure for a school environment"
- Maybe in reply to: Tom Burns: "Exchange SMTP Hole?"
- Next in thread: Tenorio, Leandro: "RE: Exchange SMTP Hole?"
Date: Wed, 12 Nov 2003 16:06:52 -0500
To: <marcin@hhc.pl>, <tburns@torcausa.com>, <focus-ms@securityfocus.com>
Rather than having an Exchange Server directly accessible from the
outside, it's a good idea to have a gateway (ironically set up to relay
:) ) in between, allowing only outgoing mail from your Exchange
servers.
MIGUEL A. TEIXEIRA
NJ Transit Corporation Information Services
One Penn Plaza East, Newark, NJ 07105-2246
v: 973.491.8153 f: 973.491.7511
mteixeira@njtransit.com
www.njtransit.com
-----Original Message-----
From: Marcin Firlag [mailto:marcin@hhc.pl]
Sent: Wednesday, November 12, 2003 3:51 AM
To: 'Tom Burns'; focus-ms@securityfocus.com
Subject: RE: Exchange SMTP Hole?
Hi!
I had the same problem 1 month ago but I couldn't find any information about
spam relaying. A lot of spammers are looking for SMTP servers
(Exchange) and they are using the SMTP service to mount brute-force
password-guessing attacks against well-known accounts on those
servers. That's right: Instead of attacking the increasingly
well-defended Windows remote procedure call (RPC) services that most
organizations use for logon authentication, this attack sends a
barrage of SMTP AUTH LOGON commands until one succeeds.
"But wait a minute," you say. "Exchange Server 2003 and Exchange 2000
Server have relaying turned off by default!" Yes, they do--for
unauthenticated users. But if a spammer manages to snag an
authenticated user's credentials, the spammer can authenticate to your
server and use it to blast out millions of spam messages. (Thanks to
Joe and Andy Webb.)
What can you do? I managed my SMTP Virtual Server: Properties - Access -
Relay restrictions - and I granted permission to IPs from my LAN
(192.168.0.0 255.255.0.0). You wrote that you block the connection from
different hosts. I'm sure it will be easier to permit addresses from
your private network.
You have to change passwords for administrator and force users to change
passwords. I also suggest you change the password policy.
I hope it will help you for a moment...
best regards
-----------------------------------------------------------------
| marcin firlag; network admin; | || || |
| gg: 371438; lru: 199158; | || || |
| cell: +48692479758 | |||| |||| |
| www.hhc.pl; www.tribaseline.com | ..:||||||:..:||||||:.. |
| Microsoft - because god hates us | |
-----------------------------------------------------------------
-----Original Message-----
From: Tom Burns [mailto:tburns@torcausa.com]
Sent: Tuesday, November 11, 2003 3:00 PM
To: focus-ms@securityfocus.com
Subject: Exchange SMTP Hole?
Good morning all,
I have an Exchange server that's been running for quite some time (over
a year) and had it locked down to prevent relay (spam). It is patched
all the way up to 3a.
I checked my queues yesterday and got slammed by spam relaying.
Is there a security hole that MS does not know about yet in SMTP?????
The only way I resolved this was to block connection from 219.x.x.x,
218.x.x.x, 211.x.x.x, etc.
This server has been tested against ORDB.ORG and shown to NOT be an open
relay.
If anyone has any suggestions, please let me know.
Thomas A. Burns
System Administrator
Torca Products Inc.
Auburn Hills, MI 48326
248-373-8300 x186
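
An added example, not part of any message in this thread: a detection pass over SMTP logs for the pattern discussed above, repeated failed AUTH attempts followed by a success and then relay to an outside domain from an address outside the permitted LAN range (192.168.0.0 255.255.0.0). The log format, `LOCAL_DOMAINS`, the threshold and the sample lines are constructed assumptions; 535 and 235 are the standard SMTP AUTH failure and success reply codes.

```python
import ipaddress
from collections import defaultdict

# Relay-permitted range quoted in the thread (address + netmask form).
LAN = ipaddress.ip_network("192.168.0.0/255.255.0.0")
LOCAL_DOMAINS = {"corp.example.com"}  # assumption: domains this server hosts

# Constructed sample in a simplified, hypothetical log format:
# <time> <client-ip> <command> <reply-code> <rcpt-domain or ->
SAMPLE_LOG = """\
10:00:01 203.0.113.7 AUTH 535 -
10:00:02 203.0.113.7 AUTH 535 -
10:00:03 203.0.113.7 AUTH 535 -
10:00:04 203.0.113.7 AUTH 235 -
10:00:05 203.0.113.7 RCPT 250 victim.example.net
10:01:00 192.168.4.20 AUTH 235 -
10:01:01 192.168.4.20 RCPT 250 partner.example.org
10:02:00 198.51.100.9 RCPT 250 corp.example.com
10:02:10 198.51.100.9 RCPT 550 other.example.org
"""

def analyze(log_text, threshold=3):
    """Return (finding, client_ip) tuples in the order they are detected."""
    failures = defaultdict(int)   # failed AUTH count per client
    authed = set()                # clients that authenticated successfully
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed lines
        _, ip, cmd, code, domain = parts
        try:
            external = ipaddress.ip_address(ip) not in LAN
        except ValueError:
            continue              # skip lines with an unparsable address
        if cmd == "AUTH" and code == "535":
            failures[ip] += 1
            if failures[ip] == threshold:
                findings.append(("bruteforce", ip))
        elif cmd == "AUTH" and code == "235":
            authed.add(ip)
            if external and failures[ip] >= threshold:
                findings.append(("auth-after-guessing", ip))
        elif cmd == "RCPT" and code == "250" and external and ip in authed:
            # Accepted recipient outside our domains = relayed mail.
            hit = ("external-authenticated-relay", ip)
            if domain not in LOCAL_DOMAINS and hit not in findings:
                findings.append(hit)
    return findings
```

An "auth-after-guessing" hit points at the account whose password needs changing; the relay hit shows the session that a LAN-only relay restriction would have refused.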