
Thread: Email Panick

  #11 OverdueSpy (Senior Member; joined Nov 2002; 556 posts)
    Originally posted here by RoadClosed:
    I am burnt, fixed and cleaned. I had an authenticated relay, so I got had by some poor password maintenance. It looks like the spammer authenticated my local box admin account with a bot. How, you ask? Got me; didn't know that could be possible through telnet. I now see some lacking in Exchange knowledge that I must fix. I had log entries of //MachineName/Administrator popping up the 1708 id. The cleanup was ugly, I am tired, so I'll talk more on it tomorrow if anyone wants to. You can all beat me with the AO stick of justice.
    Hey Road - I try to mitigate the risk to the admin account by changing the admin account name to something cryptic, and I also give the account a very complex password. Now that the default name for the admin account is no longer valid, all telnet attempts to the "administrator" account will fail. I also have my IDS systems sniff failed FTP logon attempts, which helps me to resolve/trace telnet attacks against the admin account.

    The view of "an ounce of prevention is worth a pound of cure."

    Not trying to be preachy Road. I learned the hard way once also. Grrr!
    The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  #12 RoadClosed (Senior Member; joined Jun 2003; 3,834 posts)
    Yawn. Sorry for the bad grammar, I re-read my last post and thought, WTF?

    First thing, I didn't know it was possible to use a local account to authenticate to Exchange from port 25. Oversight? I am no Exchange guru for sure. I followed Microsoft's lock-down checklist for Exchange relaying after the box was built by another person. In their checklist the default setting is to allow authenticated relay when ANY user successfully authenticates. Complacent oversight Number 1. Here is the line (MS site down, post link later); now anyone paying attention would ask... why is that, especially since this is the only server for the organization.

    I have exceedingly difficult passwords on local admin accounts, except this one. Since I didn't build it, I took the baseline config sheet given to me and filed it. Oversight Number 2. I am not blaming the tech who built it, but my complacent trust enabled a bot to send a few million viagra ads. Talk about pissed off.
    A few days ago I noticed an increase of disk space, quite a large increase. I concentrated on the information store and assumed a couple of email abusers were the cause. I did not look at the bad message queue, which was oversight number 3, and is where my lack of specific knowledge in the Exchange engine was showing.

    This is a temp box while the cluster was taken down for a hardware upgrade. Seems like you see that a lot, stuff moved to a less secure temp box. And in hindsight you say, duh. And beat yourself over the head with a bat. All the IDS connectors and security event monitoring are on the cluster. But as always there were clues that got lost in the daily grind.

    I'll get the IP of the spammer, will be a bit later since I have to go tell the CEO what happened.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
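An added detection example (not code from either poster) covering the failed-logon monitoring OverdueSpy describes and the guessed-admin-password relay abuse RoadClosed describes: it scans SMTP AUTH records per source IP for attempts against default admin names, failure bursts, and a success following many failures. The log line format, IP addresses and account names are constructed for the example, not a real Exchange or IIS log layout.

```python
import re
from collections import Counter

# Constructed, simplified SMTP AUTH log format for this example (not a real
# Exchange or IIS log layout): "<date> <time> <client-ip> AUTH <account> <OK|FAIL>".
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<ip>\d+(?:\.\d+){3}) AUTH (?P<account>\S+) (?P<result>OK|FAIL)$")

# Names a guessing bot tries first; OverdueSpy's mitigation is that renaming the
# built-in account makes every attempt against these names fail.
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}

def analyse_smtp_auth(lines, fail_threshold=5):
    """Per source IP: failed AUTH count, attempts on default admin names, and the
    worst case, a success after many failures (a bot that guessed the password)."""
    failures = Counter()
    default_hits = Counter()
    guessed = {}  # ip -> (account, failures before the first success)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an AUTH record
        ip, account, result = m["ip"], m["account"].lower(), m["result"]
        if account in DEFAULT_ADMIN_NAMES:
            default_hits[ip] += 1
        if result == "FAIL":
            failures[ip] += 1
        elif failures[ip] >= fail_threshold and ip not in guessed:
            guessed[ip] = (account, failures[ip])  # relay is now open to this source
    return {ip: {"failed_auths": failures[ip],
                 "default_admin_attempts": default_hits[ip],
                 "guessed_then_succeeded": guessed.get(ip)}
            for ip in set(failures) | set(default_hits) | set(guessed)}

# Constructed sample: a bot hammering "administrator" until it gets in, and a
# legitimate user with one typo.
SAMPLE_LOG = """\
2003-10-01 02:13:44 203.0.113.5 AUTH administrator FAIL
2003-10-01 02:13:45 203.0.113.5 AUTH administrator FAIL
2003-10-01 02:13:46 203.0.113.5 AUTH administrator FAIL
2003-10-01 02:13:47 203.0.113.5 AUTH administrator FAIL
2003-10-01 02:13:48 203.0.113.5 AUTH administrator FAIL
2003-10-01 02:13:49 203.0.113.5 AUTH administrator OK
2003-10-01 08:02:10 192.0.2.77 AUTH jsmith FAIL
2003-10-01 08:02:20 192.0.2.77 AUTH jsmith OK
noise line that is not an AUTH record
""".splitlines()
```

Run `analyse_smtp_auth(SAMPLE_LOG)` to see the bot's source flagged with a success after five failures, which is the point at which the authenticated relay became usable by it.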
