Focus on Microsoft
I had the same problem 1 month ago but I couldn't find any information
about spam relaying. A lot of spammers are looking for SMTP servers
(exchange) and they are using SMTP service to mount brute-force
password-guessing attacks against well-known accounts on those
servers. That's right: Instead of attacking the increasingly
well-defended Windows remote procedure call (RPC) services that most
organizations use for logon authentication, this attack sends a
barrage of SMTP AUTH LOGON commands until one succeeds.
"But wait a minute," you say. "Exchange Server 2003 and Exchange 2000
Server have relaying turned off by default!" Yes, they do--for
unauthenticated users. But if a spammer manages to snag an
authenticated user's credentials, the spammer can authenticate to your
server and use it to blast out millions of spam messages.
(thanks to Joe and Andy Webb)
What can you do? I managed my SMTP Virtual Server. Properties - Access -
Relay restrictions -
and I grant permission to IPs from my LAN (192.168.0.0 255.255.0.0).
You wrote that you block the connection from different hosts. I'm sure
it will be easier to permit addresses from your private network.
You have to change passwords for administrator and force users to change
passwords.
I suggest you also change the password policy.
I hope it will help you for a moment...
best regards
-----------------------------------------------------------------
| marcin firlag; network admin; | || || |
| gg: 371438; lru: 199158; | || || |
| cell: +48692479758 | |||| |||| |
| www.hhc.pl; www.tribaseline.com | ..:||||||:..:||||||:.. |
| Microsoft - because god hates us | |
-----------------------------------------------------------------
-----Original Message-----
From: Tom Burns [mailto:tburns (at) torcausa (dot) com [email concealed]]
Sent: Tuesday, November 11, 2003 3:00 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Exchange SMTP Hole?
Good morning all,
I have an exchange server that's been running for quite some time (over
a year) and had it locked down to prevent relay (spam). It is patched
all the way up to 3a.
I checked my queues yesterday and got slammed by spam relaying.
Is there a security hole that MS does not know about yet in SMTP?????
The only way I resolved this was to block connection from 219.x.x.x,
218.x.x.x, 211.x.x.x, etc.
This server has been tested against ORDB.ORG and shown to NOT be an open
relay.
If anyone has any suggestions, please let me know.
Thomas A. Burns
System Administrator
Torca Products Inc.
Auburn Hills, MI 48326
248-373-8300 x186
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
---------------------------------------------------------------------------
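The two points in this thread, that an authenticated session relays regardless of the IP relay restriction, and that the AUTH LOGIN guessing shows up in the SMTP logs long before the queues fill, can be modelled in a few lines. The following is an added example written for this archive page; it is not code from either poster or from Microsoft. The relay check mirrors the behaviour Marcin describes (relay granted to 192.168.0.0/255.255.0.0 and to any authenticated client). The log lines are constructed for the example and are not claimed to match the layout of Exchange's own SMTP protocol log; the 235 and 535 reply codes are the standard SMTP AUTH "succeeded" and "credentials invalid" replies.

```python
"""Relay-policy model and SMTP AUTH guessing detector (added example)."""

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Relay restriction as described in the thread: the LAN is allow-listed by IP.
LAN_RELAY_NETWORKS = [ipaddress.ip_network("192.168.0.0/255.255.0.0")]


def relay_allowed(client_ip: str, authenticated: bool,
                  networks=LAN_RELAY_NETWORKS) -> bool:
    """Return True if the server would accept a relay from this session.

    Unauthenticated clients may relay only from the allow-listed networks,
    but any successfully authenticated session may relay from anywhere.
    That second branch is why a guessed password defeats the IP restriction.
    """
    if authenticated:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


# Constructed sample log (not real Exchange output):
# "<date> <time> <client-ip> <verb> <reply-code>"
SAMPLE_LOG = """\
2003-11-11 09:00:01 219.0.0.1 AUTH LOGIN 535
2003-11-11 09:00:02 219.0.0.1 AUTH LOGIN 535
2003-11-11 09:00:03 219.0.0.1 AUTH LOGIN 535
2003-11-11 09:00:04 219.0.0.1 AUTH LOGIN 535
2003-11-11 09:00:05 219.0.0.1 AUTH LOGIN 535
2003-11-11 09:00:06 219.0.0.1 AUTH LOGIN 235
2003-11-11 09:00:07 219.0.0.1 MAIL FROM 250
2003-11-11 09:05:00 192.168.1.20 AUTH LOGIN 235
2003-11-11 09:05:01 192.168.1.20 MAIL FROM 250
2003-11-11 09:06:00 218.0.0.5 AUTH LOGIN 535
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"(?P<verb>AUTH LOGIN|MAIL FROM|RCPT TO) (?P<code>\d{3})$"
)


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, ip, verb, code) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["verb"], int(m["code"])))
    return events


def auth_guessing_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source addresses with >= threshold AUTH failures inside a sliding
    window, and record whether a flagged address later authenticated
    successfully (a burst of 535s followed by a 235 is the case to act on:
    the account's password has been guessed and should be reset)."""
    recent_failures = defaultdict(list)
    report = {}
    for ts, ip, verb, code in events:
        if verb != "AUTH LOGIN":
            continue
        if code == 535:
            recent_failures[ip].append(ts)
            # Keep only failures that fall inside the window ending at ts.
            recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
            if len(recent_failures[ip]) >= threshold:
                entry = report.setdefault(ip, {"failures": 0, "succeeded_after": False})
                entry["failures"] = len(recent_failures[ip])
        elif code == 235 and ip in report:
            report[ip]["succeeded_after"] = True
    return report


if __name__ == "__main__":
    print("LAN, unauthenticated:", relay_allowed("192.168.5.7", False))
    print("219.0.0.1, unauthenticated:", relay_allowed("219.0.0.1", False))
    print("219.0.0.1, authenticated:", relay_allowed("219.0.0.1", True))
    for ip, info in auth_guessing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} AUTH failures, "
              f"succeeded afterwards: {info['succeeded_after']}")
```

Blocking 219.x.x.x and friends, as Tom did, stops the addresses seen so far; the durable fixes are the ones Marcin lists (reset the guessed passwords, tighten the password policy) plus watching the AUTH failure rate so the next guessing run is caught before it succeeds.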