Focus on Microsoft
Exchange SMTP Hole? Nov 11 2003 01:59PM Tom Burns (tburns torcausa com) (8 replies)
New Microsoft Exchange Server Vulnerability Nov 15 2003 03:32AM Paul Kurczaba (paul myipis com) (2 replies)
Re: New Microsoft Exchange Server Vulnerability Nov 15 2003 09:24PM Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net)
Re: Exchange SMTP Hole? Nov 11 2003 04:28PM Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net)
From: "Tom Burns" <tburns (at) torcausa (dot) com>
Subject: Exchange SMTP Hole?
: I have an exchange server that's been running for quite
: some time (over a year) and had it locked down to prevent
: relay (spam). It is patched all the way up to 3a.
:
: I checked my queues yesterday and got slammed by
: spam relaying.
:
: Is there a security hole that MS does not know about
: yet in SMTP?????
:
: The only way I resolved this was to block connection
: from 219.x.x.x, 218.x.x.x, 211.x.x.x, etc.
:
: This server has been tested against ORDB.ORG
: and shown to NOT be an open relay.
:
: If anyone has any suggestions, please let me know.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Why don't you start by telling us what your actual settings are? What about
logs - why don't you post some logs so we can see what the remote clients
are doing when they try to connect to your SMTP server and inject the mail.
And why don't you post a sample of the spam in question.
Do you allow authenticated users to relay? That would be my first guess -
that you do, and someone has guessed a user/password combination.
Cheers
Ken
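
Added example, not part of the original thread or either poster's code: a log check for the scenario raised in the reply above, where a client guesses a password, authenticates, and then relays to outside domains. The log layout (a W3C-extended style `#Fields` header with `c-ip`, `cs-method`, `cs-uri-query`, `sc-status`), the sample lines, the local domain `example.com` and the function names are all assumptions constructed for illustration; match the field list to what your SMTP service actually logs.

```python
from collections import defaultdict

# Constructed sample; the field set is an assumption, match it to your own logs.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2003-11-10 02:11:01 203.0.113.7 AUTH LOGIN 535
2003-11-10 02:11:03 203.0.113.7 AUTH LOGIN 535
2003-11-10 02:11:05 203.0.113.7 AUTH LOGIN 535
2003-11-10 02:11:09 203.0.113.7 AUTH LOGIN 235
2003-11-10 02:11:10 203.0.113.7 RCPT TO:<a@example.net> 250
2003-11-10 02:11:10 203.0.113.7 RCPT TO:<b@example.org> 250
2003-11-10 08:30:00 198.51.100.20 AUTH LOGIN 235
2003-11-10 08:30:02 198.51.100.20 RCPT TO:<c@example.net> 250
2003-11-10 09:00:00 192.0.2.9 RCPT TO:<staff@example.com> 250
"""

def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def rcpt_domain(arg):
    """'TO:<user@example.net>' -> 'example.net'"""
    return arg.partition(":")[2].strip("<>").rpartition("@")[2].lower()

def find_auth_relay(text, local_domains, min_failures=3):
    """Map client IP -> (AUTH failures before first success, external RCPTs after it).
    State is kept per IP across the whole log, a simplification of per-session tracking."""
    state = defaultdict(lambda: {"fail": 0, "authed": False, "before": 0, "relayed": 0})
    for rec in parse_w3c(text):
        s, method, status = state[rec["c-ip"]], rec["cs-method"].upper(), rec["sc-status"]
        if method == "AUTH" and status == "535":        # 535: credentials rejected
            s["fail"] += 1
        elif method == "AUTH" and status == "235" and not s["authed"]:  # 235: auth succeeded
            s["authed"], s["before"] = True, s["fail"]
        elif method == "RCPT" and status == "250" and s["authed"]:
            if rcpt_domain(rec["cs-uri-query"]) not in local_domains:
                s["relayed"] += 1
    return {ip: (s["before"], s["relayed"]) for ip, s in state.items()
            if s["authed"] and s["before"] >= min_failures and s["relayed"]}
```

Lowering `min_failures` to 0 lists every authenticated client that relayed externally, which is a useful baseline to compare against the accounts that are expected to relay.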