
Thread: Exchange Server Flaw - Spammers' Delight

  1. #1
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    Exchange Server Flaw - Spammers' Delight

    I have tried this and can confirm that it is a problem.

    Yet again, MS, touting security is job one, has proven that they are all about lip service and not much else.

    From http://news.com.com/2100-7355-5107904.html?tag=nefd_hed

    Mail server flaw opens Exchange to spam
    Last modified: November 14, 2003, 3:47 PM PST
    By Robert Lemos
    Staff Writer, CNET News.com


    Administrators of e-mail systems based on Microsoft's Exchange might have spammers using their servers to send unsolicited bulk e-mail under their noses, a consultant warned this week.

    Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper Thursday detailing the problem, discovered when a client's server was found to be sending spam. Greenspan's research concluded that Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.

    "If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything (to secure the server), you are still open to spammers."

    The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.

    There are dozens of messages--with subject lines such as "Open relay problem" and "We are sending spam?"--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers.

    Microsoft, however, said the problem is relatively minor and that the company hasn't had many complaints.

    "This particular method of sending spam relies on specifically configured servers or is leveraging weaknesses in the protocol itself," the software giant said in a statement issued in response to questions from CNET News.com. "The fact is that Microsoft has not received a lot of calls from customers that have experienced problems detailed by Think Computer."

    Moreover, the company said the issue doesn't affect the latest version of the software, Exchange Server 2003.

    Greenspan, however, argued that the problem has accounted for a large amount of unsolicited e-mail. He estimates that at least 100,000 messages spammers in China sent went through his client's server before he stopped the problem. He added that the issue is causing headaches for Exchange administrators.

    "It is really inexcusable for a company that claims security is its top priority," he said.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hoss: Thanks,

    Never had Code Red - Guest is always one of the first accounts to be disabled - but it didn't hurt to go check......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yeah man, I popped over to my lab box and sure as ****, it worked as stated in the article. I have Exchange 2000 running in my lab just for those who are curious.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Really though, if you're running Exchange in production and you get hit with a viral infection, wouldn't it behoove you to reinstall/restore from a known good backup instead of "clean up Code Red" and keep on truckin'?

    What this white paper says is that if Exchange gets infected, and the admin doesn't do a good job of cleaning it up, then Exchange sends spam.

    Isn't part of a best practice security implementation to rebuild suspect systems? If you've been hacked/infected, what do you do?

    I know what my policy is. It starts with fdisk....

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    While this is definitely an interesting issue, it is just poor administration to leave the guest account enabled. Aside from how you properly clean up after a break in of any type, if you are not checking to make sure that guest is always disabled, you have a lot bigger problems than spam.

  6. #6
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    All of you are correct in regards to best practice, however, you must remember that you are the minority. *Many* places do not have savvy net admins or security people who know better. Other places have their receptionist performing IT functions because they cannot afford a full time dedicated admin/security professional. This is reality.

    So in summary, yes, you should follow best practice but first you must know and understand what that is. Microsoft is claiming that security is job one. That would suggest that they aren't just providing enhancements that we understand but rather they are taking measures so that things like this don't end up clubbing their entire customer base over the head.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    I suppose, but Microsoft started claiming security was job one after the two versions of Exchange that are affected by this were made though.

    If unqualified people are performing IT functions and doing it badly, then I think that would have made a better white paper than "This machine got infected, and the secretary went to mcafee.com and ran the free virus scanner and now their machine doesn't work right." That really seems to be the real issue.

    I love how Linux and sendmail never get any bad press. Anyone recall India or Pakistan (I forget which it was) getting hacked via sendmail and basically having all their nuclear research data stolen? Some of it was published in Wired magazine, I believe. No one said then that Linux/sendmail is insecure; they all pointed out that some numb-nuts guy had built the mail server and hadn't bothered to patch it. Ever. Same level of incompetence and result, different take on it. I guess with sendmail and Linux, there isn't anyone to really blame or put up a headline on.

  8. #8
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    True, however, the perception exists that *nix users tend to be much more advanced in skill and knowledge whereas MS built its empire on the claim of ease of use and administration. If they are true to their claim, things like this shouldn't be an issue for people who are not as skilled as most folks here on AO.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Now that I will concede, at least in the desktop arena. However, Exchange is an enterprise mail server (granted, most people aren't using it to that degree), but still.

    It almost makes me think they shouldn't sell software to people without a license. Of course then the government would be involved, and who wants that?

  10. #10
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    LOL, sure, the license is an MCSE cert, which everyone knows is worth less than a roll of toilet paper these days. In fact, I have mine hanging right next to the bowl in case I sit down and the spool is empty.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
