Mail Server Flaw Opens MS Exchange to Spam
bl8n8r writes: "
Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.
There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.
YES!!! More ammo to convince my IT department to upgrade Exchange so I can connect the Ximian Evolution calendar to it. It's the last hurdle between me and 100% Linux on the desktop at work.
Sweet, another one of Microsoft's quality "features" to help ensure a quality technological experience.
Yes, but generally (not always) it's because sendmail is misconfigured, not because of a hole. Now, you could make a good case that sendmail is way too complicated to configure from scratch.
Ensure? Insure? Do both work now? Apparently dictionary.com says so.
We came across this at work a few months ago. Turns out it's actually a problem in SMTP's RFC. Sendmail and qmail will allow you to do the same thing if you have a guest-level account made on your *nix box, which, scarily enough, many ISP *nix mailservers do. We started checking random clients' ISPs' email servers, and though most were *nix, most allowed us to relay with guest.
Code softly but carry a big magnet.
Sorry, I can't hold back, so many Americans get this wrong, you want to ensure that the accounts are disabled.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.
Misconfigured servers are vulnerable to exploit allowing relaying. Film at 11.
Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," ......... The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled.
Why on earth does a guest account even EXIST anymore????? I would think it is obvious that guest access on any machine is a bad thing.
Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
Was code red really just a tool for spammers?
----
Squirrel
I must admit that the sendmail holes are (mostly) ancient history.
Partly by design (open relays were the way to do it back then) and part mis-configuration.
The sendmail.mc option conf(`DONT_BLAME_SENDMAIL',...) is amusing though!
What sort of IT group decides to run their Exchange environment unprotected on the internet?
I'm working for a company that's deeply in MS's back pocket -- we use Windows *everything*, including Exchange. Our SMTP gateway? Postfix on Linux. Sure, I'd rather it was OpenBSD, but whatever -- it's still not Exchange.
The bloatier the app, the harder it is to ensure it's secure. These are probably the same sort of people who run SQL Server on an unfirewalled system and are then shocked someone managed to hack into it.
So a problem caused by a worm is basically trivial, eh MS?
I like how they cover their ass by implying that the easiest solution is to upgrade to the non-vulnerable 2003 Server...marketing at its best...
It's an issue. But Microsoft is saying it's not a big one.
Open relays are not a big problem? Right.
What Microsoft really means is: we are making money on it, so it's not a problem; shut up, go away and leave us alone.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yea I can't spell. So what is your point?
Turn off Guest!
Yes, just like this Exchange flaw happens when you misconfigure Exchange by enabling (disabled by default) the guest account. Uh huh. It's not a flaw in the software per se... or maybe it is. The software claims that it's so easy that a moron can set it up. That's its fatal flaw. And regardless of what anybody says, it's a flaw. It's like letting people who have no idea how to drive behind the wheel of a car. You just push the pedals! MS software has to cease to be braindead to be secure. And they can't do that... because then they lose their target market. Ahh, stuck between a rock and a hard space.
Windows becomes more like *nix every day!
Windows would actually be a decent product if Microsoft could successfully copy the good Unix stuff instead of doing perfect copies of its flaws and flawed copies of the stuff that works.
To know that you know what you know, and that you do not know what you do not know, that is true wisdom. --Scooby Doo
To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.
Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said. "
time for a new prank, we script kiddy types like these reports, they tell us where and how to easily be a pain in the ass. Too bad I'm on the other side of that game now.
-Tim Louden
Reply to every spam by insisting that before you view their email they have to use Exchange to send it; before you will visit their website they have to run IIS. The failure of their business will be assured.
Oh, but they probably already are running IIS and Exchange.
sigs, as if you care.
Now if only we could EMP spambots.
Since M$ Windows will not allow you to delete the guest account (or administrator), it is standard practice, after disabling guest, to rename both accounts to something hard to guess.
It might shock you but on my Linux boxes the superuser is not called 'root' either.
As of Postgres v6.2, time travel is no longer supported.
this issue was never really resolved for exchange 5.5.. but it is simply resolved in 2000 which is detailed here
If you are running Exchange 5.5 you shouldn't be wasting time locking it down... Your hours would be better spent opening ports on your firewall or something, because 5.5 is so old and under-updated that it is more efficient to work on a new mail server with new software.
- what is the definition of simultanagnosia?! I've been meaning to look it up!
10 hours after BG announced anti-spam protection in Windows something like this comes up. Now they can claim spam reduction just by patching their own crappy software.
Here I thought /. was the source for fair and balanced coverage.
Must be a slow news week when a college kid can get the media's attention because he decided to point out the obvious.
It is really inexcusable for a company that claims security is its top priority
This is a joke, right? I mean, as much as I dislike Microsoft, it would be good to stop free and blank bashing like that. So now, two weeks after they have announced that they will focus on security, old security holes (you know, those made before the change in policy) suddenly become inexcusable... Pitiful.
It's a little like having bought an UltraSPARC last week and then bashing at Sun tomorrow saying: "This machine doesn't run an AMD opteron. This is inexcusable for a company that claims that they have such a big agreement with AMD..."
Come on guys, they have so many holes to fill, it'll take some time!
Write boring code, not shiny code!
And everyone knows /.ers are retardedly blind sheep, what's your point?
Pretty Pictures!
This is like asking why default passwords exist. It boggles the mind how many users have their default Win2k Administrator account password set to "Admin".
The system should at least make you do a security question, or *something*. Even "type your last name to gain Administrator access" would be more secure than "Admin".
The bottom line is, any sysadmin who buys a software package because it's got a "security guarantee" needs to be hit in the face with a hammer, repeatedly.
...and I run multiple Exchange boxen in multiple locations. ...of course I wouldn't do anything so clueless as leave the relays open or leave the default guest account active.
As far as open relays go, it actually pains me to have to close them off. I'd rather leave them open and help people out when their ISPs are dicking them around. Unfortunately a few assholes are ruining it for everyone else.
You're using her as bait, Master!
This is either the second, third or fourth time in the past 24 months that Microsoft has said that security is a top priority.
But, then again, this is the same company that testified under oath that revealing the Windows source code would harm the national security of the US. Then they licensed the source code to China.
Perhaps instead of spending a fortune to "innovate" a matrix knockoff (how original) they could spend some money on making secure software.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
No, this is
This is silly, exchange 5.5 and exchange 2000 don't ship with "allow users to relay if they authenticate regardless of if they are in this list" checked by default. Systems Administrators need to enable that feature specifically.
Also, The guest account is disabled by default.
Saying exchange servers may be relaying because of this 'bug' is like saying linux is insecure because you can set a blank root password and enable sshd to accept connections as root.
If your server has been compromised and you don't take adequate steps to clean it up after that there is the potential that it is still vulnerable.
Mmmm.. Donuts
Should we not be placing the blame on system administrators who fail to perform proper security audits of their systems?
This seems like a very logical thing for one to do after being struck previously by a worm that exploits the system. IMO the fault doesn't lie with microsoft this time, but with the sysadmins who don't have a close enough look at their configurations, and just leave everything to someone else to fix.
BeauHD. Worst editor since kdawson.
The effect of articles like this is to make true, realistic criticism of MS security by Unix users look like the same kind of bullshit we see here.
On Windows boxes the Guest Account is *not* enabled by default. Who on earth enables it? Hint: no-one with a clue (and most without a clue as well, since they wouldn't know how to enable it).
Oh, and if your internet-exposed Exchange server got hit by Code Red and you didn't know how to clean up the resulting mess properly (especially given the timeframe since Code Red was around), then you have a heap of bigger problems...
What sort of crap is this? Why don't we have articles titled "servers with no passwords vulnerable to attack" -or- "servers with backdoors subject to further compromise"?
geez
Hmmm, nice editorial on Exchange, what should I use for a secure product - Sendmail?
/. people should know better than most that you can't retroactively flip a security bit and make past mistakes better, security is built into the product from the ground up. So why do you expect it from Microsoft?
And please stop quoting out of context, it was always said the focus on security was for new products. Exchange 5.5 is hardly a new product. Find a problem in Exchange 2003 and then you can complain.
Read reviews of shopping cart software
Rename.
Sheesh, doesn't anyone else get tired of being killed by the default configuration?
It's not just Microsoft who forces you to upgrade, everyone does. The difference is Microsoft charges you for it.
Wow.
Is that the Engrish version of AOHELL you're using?
Not only did you get the quote wrong four times, but it's not even a quote from Microsoft software!
wtf are you talking about.. and why are you modded to 5?!
deserves to be shot. The only way you'd ever convince me to even let an Exchange go up is if it was strictly internal use, and COMPLETELY firewalled off the net. Even then I'd be nervous.
Lawyers, MBA's, RIAA? A jedi fears not these things!
Well.. I do Trust MS's software.... I Trust it to be insecure :) That's Trustworthy Computing! I am sure MS will Never Fail the level of trust I have in them :)
Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
The problem has nothing to do with Exchange, or SMTP itself. It has to do with SMTP AUTH -- an extension that allows clients to authenticate themselves. This allows a roaming client (connecting from anywhere) to authenticate via username and password, and they are then given relaying rights as if they were directly on the ISPs network.
The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more. Once the spammer is 'authenticated' they are free to relay. They could have also guessed any real user's password, the effect would be the same.
Me fail SMTP security? That's un-possible!
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
Why don't we have articles titled "servers with no passwords vulnerable to attack" -or- "servers with backdoors subject to further compromise"?
:-)
I just submitted these...stay tuned
That was Berzerker that said Intruder Alert.
I'm all for kicking a company when they deserve it, but yet again I feel this Microsoft bashing episode is another beefed-up piece of CNET pseudo-FUD disguised as news. I'm sick of the way they trump up the Windows vs. *nix wars - it brings in readers (baaaaa).
I agree it's a potential issue, but FFS this is 90% (again) a problem with the system admins, not Microsoft. Remember the recent spate of SSH issues - I know a handful of companies who got fucked by that because their admins had poor root passwords and didn't keep up with security issues. I do however agree that it should probably be removed (note that guest is off by default in Windows Server 2003).
We need fewer dickheads running IT. It's not that hard to build secure solutions regardless of what platform you choose - you just need to know what you are doing. Companies need to grill their staff better at interviews and follow their performance.
My 2 cents...
I once made the mistake of trying to change the postmaster password on Exchange 5.5 after previous admins left the company rather rapidly. It can't be done without breaking things - check the Microsoft docs. Once you work with Exchange at a site, you are a suspect the next time a script kiddy breaks in, or even if a competitor finds out something that could have been in an email. Installing Exchange has major potential personal consequences unless you can be certain you will be working at the same place for a few years, and unless you can be certain that management is going to like you for a few years. Not changing passwords after staff are marched out of the building without notice can be seen as the act of an incompetent; unfortunately the software constrains us to be incompetent. As far as management is concerned, if we can't push a solution that works we are not doing our jobs - and I have to agree with that and do what I can to approach the ideal. Quite frankly MS Exchange does not do its job, since the wrong ex-employee can get access to all the company's email if they can get onto your network. That can cost a lot more than an Exchange licence.
People who knock Linux as an upstart should recall that Microsoft came late into the server market, and even with the rights to VMS they still haven't got it right. It's getting good, and they're starting to focus more on getting the product right, but it's still a desktop operating system trying to take on a heavy load. The important thing is the applications, and Exchange has a lot of problems for a mail server application. It has a much nicer admin front end than sendmail - but a lot less functionality.
So, software that is years old is insecure. Not a big surprise. Install any Linux distro that is years old and you're going to find security holes as well.
Also, what software at Microsoft says it's secure? The only thing I can think of is MBSA and that pretty much just tells you if you have all patches installed. Notice how Exchange 2003 doesn't suffer from this problem. Also, it relies on a misconfigured server or a server that was previously infected from code red. This feature is off by default. IMHO, if your machine was infected from code red, it should have been re-installed.
Install an insecure CGI on your Apache server and watch what can happen.
Woo woo, big news...
-Shippy
I don't really see your point. Postfix and sendmail, two commonly used mail servers on linux and unix also, if not correctly administered, allow SPAM to be forwarded through them as well.
Ah, my child, but they are not Micro$oft products. Therein lies the nub of the matter, the delineation between yin and yang.
Tubal-Cain smokes the white owl.
The sender is bluestel!!@*.*? With the !! changing randomly and the domain changing randomly through a list of large ISP's?
Actually, it was just "Berzerk". Not to nitpick or anything :-)
Password shadowing only protects the password-hash part of /etc/password and not the list of usernames and uid's.
man 5 shadow
As of Postgres v6.2, time travel is no longer supported.
Just read the any comment +3 or higher and you'll know why. It's just some n00b rippin on someone that doesn't know how to administer his own server.
A closely related analogy:
I work in a small computer repair shop. Every so often, some kid (I use this term loosely, agewise) walks in and buys ~$700 worth of computer gear thinking, "ya, I can put this together... it's a computer, I can write a mIRC script, how hard can it be?" No less than 2 days later, the same kiddie comes back: "I put it all together and it won't turn on!!! Save my computer!!!" or the more popular "You sold me a bad motherboard (that's when I really humiliate them)!!!" It looks just slapped together - 8 out of 10 times they don't use spacers for the motherboard, and I can usually revive it. The other 2 times, they put the processor fan on backwards onto their AMD 2800+, getting it to the point where it would turn on, but not give any display - let alone POST. They try 1000 different things, never checking the CPU again - and FRY it.
Anyways I got waaaaaay OT, but my point is if you're gonna run a system and GIVE A SHIT ABOUT IT, PLEASE FOR THE SAKE OF HUMANITY, DISABLE YOUR GUEST ACCOUNT!!!!!
-D
Doh! I couldn't quite remember and did a search for "Berzerker" first. Apparently I'm not the only one messing it up out there. Guess I should have checked both ;).
The main thing I remember from that game is how annoying that bouncing smiley face was.
I agree. I enjoy a good debate as much as the next person, but these constant attacks on Microsoft products and the people who use them I quite frankly find tiresome. You, and I, of course, have the right to an opinion and the right to express it. I have the right not to listen to it and also note that I came here to /. of my own free will. Having said that, if you have a problem with MS products then there are plenty of alternatives and you are free to use them as you see fit. Accusing MS users in general of being too stupid to use a proper/more secure/cheaper/non-MS/non-open-source/insert-your-cause-here piece of software is an offensive generalisation. There can and may be many reasons why people use one tool or another, and they may or may not have anything to do with which is "best". That is all.
it's microsoft, duh!
Argosoft seems to be better than MS if u must use windows.
Otherwise, *nix will do fine and best of all, it doesn't have the other bugs nor license costs to worry about.
Oh pretty, pretty please... What happened to sysadmin?
This is an SMTP AUTH problem and any mail server which permits relaying using SMTP AUTH and doesn't filter by source IP is open to this type of abuse. Exchange is more susceptible to this attack than other mail servers because there are predictable account names which can be brute forced and SMTP AUTH is enabled by default. It is simple to turn this off.
What is the big deal?
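The two posts above (the SMTP AUTH explanation and the "permits relaying using SMTP AUTH and doesn't filter by source IP" point) describe a policy decision and an abuse pattern without showing either. The following is an added example, not code from the thread, from Microsoft or from any mail server: it models the relay decision in both the weak form described (any successful AUTH grants relay rights, source IP ignored) and a hardened form (local delivery always accepted; relaying only from a trusted network or by an enabled, non-guest account), and runs simple detection logic over constructed log lines to flag password guessing against an account, an AUTH success following a run of failures, and a relay through an account that should be disabled. The log format, account names, networks and thresholds are all constructed for illustration.

```python
"""Added example: SMTP AUTH relay policy (weak vs. hardened) and log-based
detection of the guest-account abuse pattern. Everything here (log format,
accounts, networks) is constructed for illustration."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}                 # constructed: domains we deliver for
TRUSTED_NETS = [ip_network("192.0.2.0/24")]      # constructed: the "ISP network"
DISABLED_ACCOUNTS = {"guest"}                    # accounts that must never relay


def relay_allowed(client_ip, authenticated_as, rcpt_domain, hardened=True):
    """Decide whether to accept a message.

    hardened=False reproduces the behaviour the thread describes: any
    successful AUTH grants relay rights and the source IP is never checked,
    so a guessed 'guest' password is enough to relay.
    hardened=True accepts inbound mail for local domains, relays for trusted
    source networks, and otherwise relays only for an authenticated account
    that is not on the disabled list.
    """
    if rcpt_domain in LOCAL_DOMAINS:
        return True  # inbound mail for our own users is not relaying
    if not hardened:
        return authenticated_as is not None
    ip = ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return True
    return authenticated_as is not None and authenticated_as not in DISABLED_ACCOUNTS


# Constructed log format: "<date> <time> smtpd[pid]: <event> user=<u> ip=<ip> [rcpt=<r>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) smtpd\[\d+\]: (?P<event>auth-fail|auth-ok|relay) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)(?: rcpt=(?P<rcpt>\S+))?$"
)

# Constructed sample: three guesses at 'guest', then success, then a relay;
# followed by a legitimate user on the trusted network.
SAMPLE_LOG = """\
2003-11-19 10:00:01 smtpd[411]: auth-fail user=guest ip=203.0.113.7
2003-11-19 10:00:02 smtpd[411]: auth-fail user=guest ip=203.0.113.7
2003-11-19 10:00:03 smtpd[411]: auth-fail user=guest ip=203.0.113.7
2003-11-19 10:00:04 smtpd[411]: auth-ok user=guest ip=203.0.113.7
2003-11-19 10:00:05 smtpd[411]: relay user=guest ip=203.0.113.7 rcpt=victim@other.example
2003-11-19 10:00:06 smtpd[412]: auth-ok user=alice ip=192.0.2.10
2003-11-19 10:00:07 smtpd[412]: relay user=alice ip=192.0.2.10 rcpt=bob@other.example
"""


def analyse(log_text, fail_threshold=3):
    """Return (finding, ip, user) tuples for the abuse pattern in the posts."""
    failures = defaultdict(int)   # (ip, user) -> failed AUTH attempts so far
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["event"] == "auth-fail":
            failures[key] += 1
            if failures[key] == fail_threshold:
                findings.append(("password-guessing", m["ip"], m["user"]))
        elif m["event"] == "auth-ok" and failures[key] >= fail_threshold:
            findings.append(("auth-after-guessing", m["ip"], m["user"]))
        elif m["event"] == "relay" and m["user"] in DISABLED_ACCOUNTS:
            findings.append(("relay-via-disabled-account", m["ip"], m["user"]))
    return findings


if __name__ == "__main__":
    print("weak policy lets guest relay:",
          relay_allowed("203.0.113.7", "guest", "other.example", hardened=False))
    print("hardened policy lets guest relay:",
          relay_allowed("203.0.113.7", "guest", "other.example"))
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The hardened policy is the shape of the fix the posts argue for: the disabled account is rejected as an AUTH identity regardless of password, and untrusted source addresses get relay rights only through a real account. The detector's thresholds are deliberately low so the constructed sample trips them; on real logs the failure count and time window would be tuned to the server.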
It looks like thinkcomputer has an ulterior motive "Microsoft telephone support is not available without the risk of paying a relatively high per incident fee. Therefore, we recommend contacting Think Computer via e-mail at info@thinkcomputer.com for more information about the issues discussed in this White Paper."
w00t! :)
According to the article, "his client's server must have sent 100,000 spams before he caught the flaw and disabled the guest account"... If I were him, I would have never reported that I failed to disable the guest account right away, thereby avoiding a slew of potential security holes. I think I learnt to do this in my first year in IT.
wwwhew
It's an admin problem. Like any OS or application, there are/where bugs in the software. MS, the manufacturer, released a patch/update to fix this one hole, but if the admin didn't apply it, it obviously didn't work. Seems to drop the blame squarely on the admin here.
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything (to secure the server), you are still open to spammers."
Um, excuse me? Any idiot with more than 7 days experience administering a Windows server should know that the Guest account is BAD BAD BAD.
By definition "Guest" doesn't require successful authentication to access resources. The entire reason "Guest" exists is to provide un-authenticated access to resources.
I can read bugtraq as well as anyone else, so I'm aware of the past history Microsoft has with the security of its products. However, no sane person could reasonably attribute this "flaw" to Microsoft software. A more apt description is "Flaw in MS Exchange 5.5 and 2000 Administrators".
I mean really. It's like setting a Windows Domain Administrator account password to "Administrator" or "password" (another major cause of Exchange-based spam. Grep USENET and MS KB's for UI).
No software yet written or ever to be written in the future can make up for mistakes, oversights and sometimes just plain stupidity of humans.
Janie took my gun...
shit youre right see how damn old I am I think Ive been struck by some form of male menopausal lou gehrigzeimers disease or something
MoFscker
Many organizations are decentralized, without an IT Gestapo to dole out accounts and enforce the "One True Way".
In many cases, multiple organizations need to collaborate and share information in order to pursue common goals.
In other words, I may wish to share information and resources with other people, even members of the public, without requiring them to have an account on the system.
If I wanted perfect security, I would encase the computer in concrete and dump it in the ocean.
Mea navis aericumbens anguillis abundat
"The story of my life? Go watch Hackers"
your life is rolling around on blades with ghastly clothing taste, listening to early elastica?
oh and if you were banned from your computer untill recently how do you know that 2k is better than 5.5?
"If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled. "
What insurance policy would that be on sir?
I think you mean "you may want to ensure..."
..Exchange servers that had been infected by the
Code Red worm and subsequently cleaned will still have the
guest account enabled...
Does cleaned mean that a MS service pack forgot to close the holes or even opened a new security hole? Either way, in the light of MS's so-called security initiative the result is unacceptable. The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers. That's why vendors who sell secure systems set strict default settings. A real security initiative would lock down the OS as tight as Guantanamo Bay, but MS rightly fears that would alienate their customers.
Early on MS's goal was market share and control. They targeted 'ease of use' and adopted a policy of tight integration between the OS and applications, including massive auto-enabling (by default!) of applications via application data like documents, e-mails, etc. The result is that the current Microsoft server is merely a single user system on steroids. Even with their previous Internet initiative (which basically produced a free embedded browser and a lot of service packs) the MS OS still suffers from the single user mindset. Witness all the 'way too friendly' default settings on most Microsoft systems. It worked (mostly) fine when the PCs were all in one office connected by a sneaker net (the viruses just spread slower via floppy). But now in the Internet age they're paying the price.
As Bruce Schneier says: security is a process not a product. Until that process becomes part of MS's corporate culture, don't expect much security from Microsoft. Gates may be trying to change that, but given their history of going after market share and their foundations of sand, it's gonna take a long time.
---- It won't be as bad as you fear or as good as you hope, but it will take twice as long as you plan.
The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more.
the article says:
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall,"
I'm wondering, and especially so following their ridiculous bounty-on-the-head-of-virus-writers propaganda stunt, if we (all users, but especially mail server administrators, network admins, ISPs) could all get together and sue M$ for gross negligence and deception, hell! even fraud, for allowing programmes that facilitate the spread of viruses via email and dodgy mail servers that have holes that propagate spam.
Only a small ISP but it's cost us quite a bit already in terms of wasted bandwidth through SPAM and customer support for these viruses?
Is it possible?
Do people really run Exchange on the open Internet? I doubt it. If they do they deserve the consequences. Web mail maybe. Exchange no.
It's not how much they've bit off. They have a big mouth. It's the corporate mentality. It's very manipulative. You can't have gurus in that climate. Bill has to be top dog no matter what, and Bill can't distinguish droppings from shoe polish.
The two are interchangeable, even in American dictionaries. Look before you leap. You may have a foot in your mouth.
http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ensure
I hardly think an open Guest account is a security problem with Exchange server. It's more a competence problem with the server's administrator. A lot of systems have a Guest account - if it's enabled, guests will get in - that's what those accounts are for!
If by ancient history, you mean September 2003, yeah sure, Sendmail holes are ancient history.
Je ne parle pas francais.
DEAR MS SECURITY TEAM
;)
1'VE BEEN HIT BI A VIRUUS! NOW MY WINDWS HAS A *PENGUIN* INSTED OV A START BARR!1!
AND NOW WEN I GET MIKROSFT UPDATES LIK THISS THEY DO NO RUN ON MY COMPOOTER!!!1!
HOW DU I MAKE MY COMPOOTER RUN THEESE UPDATES?!1!
This is where the serious fun begins.
Buy a litre of milk and you get to drink it once. Buy a cow and you get to drink all the milk you want. Easy decision, no?
:
There's something to be said for ease-of-use though. To run with your analogy here
You buy a litre of milk, you drink your milk, you're done.
You buy a cow, you get as much milk as you like, but you have to feed the cow / maintain the cow / milk the cow and without the proper equipment (and a little training) you can wind up in trouble.
People just want their milk, and if there's a one in 100 chance the milk they buy today has gone bad already, well they just think about the other option and deal with it.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
There is no formal difference. But some people use enquiry for a simple question, and inquiry for a formal investigation: "He enquired where the Inquiry was being held."
I agree with what you say. When I say what I'm about to say, please don't interpret it as disagreeing. I'm just asking if the antivirus software is able to help out, by going above & beyond the call of duty.
It would be nice if the virus software would alert the admins to the possible change in settings, & offer to disable the account. In fact, I would rather have the software disable the account by default. When people complain, then enable the account. The idea is that they should be on the safe side to avoid sending us spam.
Just my 2 cents.
testing out my trending skills
That's what I do. Only thing the spammers see is an ASTARO Security Linux. Which, for the 12-person remote office, was the best purchase we ever made. I don't really worry too much about Exchange vulns. Especially since the last patch killed the Exchange server, and I had to come up off backups. For a network admin with better things to do, Astaro Security Linux is great. When my larger network at a very renowned hospital system was dealing with viruses and everything else, the remote office didn't see a single infection, even though they connect to the larger network. Thank you Astaro.
There are probably a dozen free mail servers that are smaller, simpler, faster, and more reliable. Servers that don't open you up to problem after problem caused by the insane complexity of the design.
The reason people keep coming up with is, you need Exchange to get the most out of Outlook.
Which has to be the silliest reason I can imagine, because if there's been a bigger network security problem over the past half a decade than Outlook, I don't know what it is.
You might as well argue that without winter you really can't get the most out of homelessness. Without dirty needles, you can't get the most out of drug addiction. Without gang warfare, you can't get the most out of overcrowded inner cities.
HELLO, THIS IS THE CLUE FAIRY KNOCKING ON YOUR DOOR: don't use Outlook, don't use Exchange. Go ahead and use Windows if you must (and you pretty much have to, these days, I read it in the paper just the other day), but there's no reason you need to take bad smack just because it comes with the neighborhood. Almost all the mail servers and clients you might want to use have already been ported to Windows, no matter what OS they were originally written for.
This shouldn't be hard for people to wrap their heads around, but... somehow... people keep going back to the Microsoft connection and shooting up with dirty email software...
Find me a linux app that integrates with the most popular and widespread office suite in the world, that allows me to assign tasks, share calendars, keep track of documents/revisions, and has a zero learning curve for the entire office staff that's already standardized on an existing product?
Find me any app that can do the above with zero learning curve. If Microsoft had any product with zero learning curve, it would probably reduce their TCO 50-90%! Imagine replacing all of your exchange admins with winos pulled off the street and having them be automagically proficient and productive!
Apocalypse Cancelled, Sorry, No Ticket Refunds
Sample logs:
Confidential bidness offer! *Blocked*!
Get big and stupid! *Blocked*!
Zombie Worm Update *Blocked*!
Linux distro mailing list [11/18] *Blocked*!
One line blog. I hear that they're called Twitters now.
By attempting to take over every single area of the software industry, they have bitten off way more than they can chew.
Not to mention that every software installation or update creates a new system for all practical purposes, because everything is so tightly integrated and interdependent it's no wonder that simple changes have system-wide unintended side effects.
Apocalypse Cancelled, Sorry, No Ticket Refunds
However what I want to know is why you continually refuse to admit that you are a flaming homosexual pedophile. You know the first step towards recovery is admitting that you're sick, so why can't you just come out and say it?
Even better - distribute patches via kazaa or through a worm.
sig?
"Microsoft, however, said the problem is relatively minor and that the company hasn't had many complaints."
becomes: "Microsoft, however, said the problem is relatively minor because the company hasn't listened to many complaints."
If you were blocking sigs, you wouldn't have to read this.
we have bosses who do the decision making. yes, they may listen to us, but ultimately it is their decision as to what gets implemented.
we ran into this exact same situation here at work with Exchange 5.5 (yes, I've been trying for years to get my owner/boss to switch to ANYTHING other than Exchange) when we found out that it defaults to 'open relay' and you CANNOT TURN IT OFF. every version of Exchange after 5.5 you could turn it off but not 5.5, we eventually switched to Ipswitch's iMail server and haven't been happier!
this sucker is locked down from everyone/everything and has great spam filtering built-in.
and yes, even when we ran Exchange, the server was behind a firewall, and no, we didn't get hit by Code Red
the history of the world
Why don't we try to go one day without bashing MS. How about one day with unbiased news?
People put their Exchange server directly on the Internet??
This sig is the express property of someone.
That's cool and stuff, but it's totally wrong.
I once made the mistake of trying to change the postmaster password on exchange 5.5 after previous admins left the company rather rapidly. It can't be done without breaking things - check the microsoft docs.
In 5.5, it's cake to change the service account password (I presume that's what you mean by the "postmaster password" since postmaster is generally just an email address on your service account). This functionality is even made available directly in the Exchange Admin GUI!
And in Exchange 2000 and 2003, it's a totally irrelevant argument because there is no manually-maintained service account to change the password on.
Quite frankly MS Exchange does not do its job, since the wrong ex-employee can get access to all the company's email if they can get onto your network. That can cost a lot more than an Exchange licence.
In a poorly administered environment (say, not disabling administrators after they've left), you could substitute *any* OS or mail application for "MS Exchange" in that sentence. It is certainly not related to Exchange in the least...
We haven't run a Groupware SMTP server exposed to the internet since our very first one, the DOS SMTP gateway for Groupwise circa 1995.
And it wasn't even security per se that caused us to stop, but the dreadfully untransparent logging and tools available for logfile analysis in everything (GW SMTP NLM, GWIA NLM, and now E2K).
Even though E2K's Message Tracking is nice, it's still not as flexible or as transparent to debugging as flat logfiles of our FreeBSD systems. Plus you get the added benefit of being able to sniff the network interface to find other, weirder glitches.
The big driving factor now, of course, is security and the ability to keep E2K from exposure to the internet.
I'm not surprised at the people that still run it exposed to the internet, though. There's a whole host of biggish small companies that simply won't pay for seasoned admins, just talented desktop support people who can maneuver daily admin duties and call in consultants when something "complicated" has to get done.
But you obviously cannot be trusted with it. I am afraid that the liberation of America will have to come from the outside, as most Americans are too fat to fight for their own freedom (and too dumb too).
If M$ apps have a zero learning curve, why is there such a flourishing industry around M$ admin training (e.g., a Google search for "Exchange Admin Training" returns 474,000 hits).
Let's face it, M$'s (and most other large software companies) poor quality (in products, in documentation, etc) is the driver for a number of secondary industries. It's the real core of their business model, and it's one they've been nurturing for 15 years.
What I like about OSS is the fact that I can generally find the most obscure, detailed technical fix FOR FREE, fairly quickly by doing a couple google searches. The M$ model is based on service contracts (*ching*), support vendors (*cha-ching*), and over-priced consultants who are for the most part, idiots (*cha-cha-ching*!)
In short, I agree, sendmail is something I don't want to deal with (security record and simply it's very old and clumsy, including configuration). I stick with Exim instead, which I find very superb and easy to use and extend.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
"vulnerable versions of Exchange"
Redundant phrasing.
Exchange has been an open relay since day 1. This really isn't anything new here.
Security, or the lack of it, is one of the most serious issues currently plaguing the IT industry. I've worked for both sides: an ISP and, during my economic downturn hiatus, a telemarketing center for M$. Shudder. The problem is, most small companies don't even know that any security issues exist. They don't know who to hire to find these security issues, nor do they even care to fix them.
The security issues while working for M$ were as follows: a poorly written ASP-served database with a SQL back-end. Input boxes were not checked, so even the default login page was susceptible to buffer overrun exploits.
The database was publicly available on the internet using public DNS, no VPN, no IP based firewall rules.
No internal e-mail for employees, because it was deemed a security risk. So passwords were distributed to new employees on paper; managers printed off password lists of all employees on their team and handed out these lists of passwords to everyone.
Floppy drives were BIOS-disabled, again deemed a possible security risk. No BIOS password was set, however.
WAP network, 802.11b, encryption was disabled to save bandwidth, not enough WAP routers serving too many clients.
They ran out of internal IP addresses several times, there were less than 250 workstations per WAP.
Yes DHCP, yes dynamically assigned, no static assignment based on mac address.
Yeah so that environment was entertaining, M$'s entire customer database was published to the internet in the most insecure network I have ever encountered.
But this is the problem with the majority of the IT industry. Small businesses w/ 500 employees or less, a poorly trained, dangerously inept support staff, forced into support roles that they are unqualified for.
Until software manufacturers realize that they need to make their products for the lowest common denominator this will remain a huge issue.
___________________________
I'm not a geek, but I play one on TV.
"And since exchange is rampant in Corporate email servers, the spam problem is not going away. Most of the paper tigers out there running the exchange servers haven't got a clue on how to lock down a system."
I really have to wonder - - do you, or does anyone else here, really KNOW most of the people who run Exchange servers? Open Source folk as a population are as prone to speaking in meaningless generalizations as anyone else.
I don't think I'm all that rare insofar as I've been a *nix fan since the 80's, but I still have to take care of some Microsoft servers. I don't claim to be, nor do I aspire to be, fully knowledgeable on all MS products, Exchange included. But when there's work to be done, I do know how to use TechNet. And, funny thing, the procedure I follow for researching and solving problems in MS is pretty much the same as I follow when working in Linux.
It gets old hearing people say things like, "Most people who run Microsoft networks are missing a chromosome and got their training at a Jack-in-the-Box in Missoula." Personally, I think ALL of the people who make these generalizations run the risk of being put to shame by some Unix dude who happens to have an MCSE. Show me a guy who has run a mixed-breed network, virus- and hack-free for years at a time, and I'll take him before a Linux purist any day of the week.
It's only funny until someone gets hurt. Then, it's hilarious.
Actually, I'd like to see someone accidentally configure Postfix to relay spam. It's pretty damn tricky to do that on purpose, much less accidentally.
If corporations are people, aren't stockholders guilty of slavery?
These people just need to firewall port 25 and the problem is solved. Remember folks ... security == firewall!
Greg Whalin
greg@whalin.com
does slashdot have a style guide for the editors? if so, can you either (a) make sure the editors read it, or (b) add a section about `insure' vs `ensure' (and `assure', while you're at it...)
the pedantic...
"Junior at Harvard" discovered "fake-mail" on exchange!!! He's about 15 years too late. The ability to send forged mail started with the unix sendmail platform and "flowed" into other e-mail systems. Even junior exchange admins are aware of the default settings that allow relaying of messages and this was documented a long time ago.
>"show me all of the messages sent through server x that were to or from user y" Your solution is typical of the much superior linux world - it does not address the problem, but that certainly didn't stop anyone from getting all cocky. :/
> I thought /. was the source for fair and balanced coverage.
Ah, you must be new here. Welcome to Slashdot. Anything Microsoft do is automatically wrong here, even if it's right. If MS were to eat the RIAA for breakfast, that'd be wrong. If MS were to overturn software patents, that also would be wrong. Coverage here is fair and balanced if you're not Microsoft. Or SCO. Or *AA. Or....well, just about anyone really.
It's not even fair and balanced if it's Linux. Anything ESR, FSF or Linus do is automatically right, even if it's wrong. If Eric bombed Washington DC, that'd be ok. If Linus joined the Taliban, that'd be cool. Linux is always better than Windows and OSS is always better than CSS, even if they're actually crapper.
Also, such twaddle as "In Soviet Russia, MS Exchange configures YOU!", "1. (anything) 2. ??? 3. Profit!!" and "I, for one, welcome our new (subject of the day) overlords" is funny.
While we're on the subject of Exchange, the Connector will also enable you to use Evolution with the Kolab server, IIRC, thus allowing you to chuck Exchange entirely.
Need a Linux consultant in New Orleans?
So what they are saying is if you open a guest account for anonymous use, you can send email anonymously...brilliant...what a genius....It's the administrator's fault not microsoft. I am sad to say.. but microsoft should flesh out some ACLs for that feature anyway. say only guest users from whatever interface can relay mail.
Microsoft aggravates my Tourette's syndrome.
The article alludes to some sort of security-checking tool provided by Microsoft on its web site:
The server has the guest account disabled by default. The guest account gets turned on by Code Red infection. This tool still reports the server as secure despite the guest account being enabled. Isn't the problem simply with this tool?
Obviously the admins are responsible as well, but if they're depending on a faulty tool provided by Microsoft then it seems pretty easy to excuse the admins. It also seems wrong to blame Exchange, though it's still Microsoft's problem/fault.
Utter bullshit. The whole point of SMTP AUTH is that relaying can be permitted for authenticated users, without restriction on IP address (think Road Warrior for example). This problem has nothing to do with guessing account names or brute forcing passwords - essentially what is happening is that any user/pass combo is being accepted for SMTP AUTH, due to the guest account.
last week one of my tech support clients had problems with spam scum using his xchange to relay junk. the xchange box sits behind a linux box and they had only a SNAT redirecting port 25 to the M$ box. vulnerable as hell.
what I did: postfix, clamav, amavis and the following configuration:
in main.cf:
myhostname = server.domain.com.br
mydomain = server.domain.com.br
myorigin = server.domain.com.br
mydestination = $myhostname, localhost.$mydomain, localhost
relay_domains = domain.com.br
relayhost = 10.0.1.10
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/postfix/aliases
transport_maps = hash:/etc/postfix/transport
smtpd_helo_required = yes
body_checks = regexp:/etc/postfix/regexp_table
header_checks = regexp:/etc/postfix/header_table
smtpd_sender_restrictions = hash:/etc/postfix/access
in /etc/postfix/transport:
domain.com.br smtp:[exchange.domain.com.br]
.domain.com.br smtp:[exchange.domain.com.br]
and in /etc/hosts:
10.0.1.10 exchange.domain.com.br
and that's it. relay closed.
What ? Me, worry ?
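The poster above closes the relay by putting Postfix in front of Exchange and relaying only for domain.com.br; an earlier poster remarks that Postfix is hard to turn into a relay even on purpose. What both leave unsaid is how you see, day to day, that the front end is doing its job: every outside client that asks it to carry mail for a third-party domain is rejected with "Relay access denied", and those rejections are your early warning that someone is probing for a relay. The script below is an added example for this thread, not code from any poster; it parses the standard Postfix smtpd/smtp log format and the log lines in it are constructed samples (names from the poster's configuration, addresses from documentation ranges), not captured traffic.

```python
"""Spot relay probes against a Postfix front end, and confirm legitimate
mail for the relay domain still reaches the backend Exchange server.

Added example for this thread, not any poster's code. Assumes the stock
Postfix smtpd/smtp log line format; SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# Written by Postfix when reject_unauth_destination fires: the client asked
# us to carry mail for a domain that is neither in mydestination nor in
# relay_domains. On an open relay this line would never appear.
RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: 554 5\.7\.1 "
    r"<(?P<rcpt>[^>]*)>: Relay access denied; from=<(?P<sender>[^>]*)>"
)

# Written by the smtp client when a message is handed to the next hop, here
# the Exchange box named in the poster's transport map.
FORWARDED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+, .*status=sent"
)

# Constructed sample: one outside client probing twice, one single probe,
# one legitimate inbound message for domain.com.br, one unrelated reject.
SAMPLE_LOG = """\
Mar  3 10:01:02 gw postfix/smtpd[4321]: connect from unknown[203.0.113.5]
Mar  3 10:01:03 gw postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<bulk@example.org> to=<victim@example.net> proto=ESMTP helo=<mail.example.org>
Mar  3 10:01:04 gw postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <other@example.net>: Relay access denied; from=<bulk@example.org> to=<other@example.net> proto=ESMTP helo=<mail.example.org>
Mar  3 10:02:10 gw postfix/smtpd[4322]: NOQUEUE: reject: RCPT from mx.example.com[198.51.100.7]: 554 5.7.1 <nobody@example.net>: Relay access denied; from=<a@example.com> to=<nobody@example.net> proto=SMTP helo=<mx.example.com>
Mar  3 10:03:00 gw postfix/smtpd[4323]: 7F3A1C0012: client=mx.example.com[198.51.100.7]
Mar  3 10:03:00 gw postfix/qmgr[1200]: 7F3A1C0012: from=<a@example.com>, size=1543, nrcpt=1 (queue active)
Mar  3 10:03:01 gw postfix/smtp[4400]: 7F3A1C0012: to=<user@domain.com.br>, relay=exchange.domain.com.br[10.0.1.10]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 Queued)
Mar  3 10:04:00 gw postfix/smtpd[4324]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 450 4.7.1 <x.invalid>: Helo command rejected: Host not found; from=<z@x.invalid> to=<user@domain.com.br> proto=ESMTP helo=<x.invalid>
"""


def relay_attempts(log_text):
    """Return one (client_ip, sender, recipient) tuple per denied relay."""
    hits = []
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            hits.append((m.group("ip"), m.group("sender"), m.group("rcpt")))
    return hits


def attempts_by_client(log_text):
    """Count denied relay attempts per client IP."""
    return Counter(ip for ip, _, _ in relay_attempts(log_text))


def repeat_offenders(log_text, threshold=2):
    """Client IPs that were refused relay at least `threshold` times."""
    return sorted(ip for ip, n in attempts_by_client(log_text).items()
                  if n >= threshold)


def forwarded_to_backend(log_text, backend_ip):
    """Recipients whose mail was handed to the backend at `backend_ip`.

    A non-empty result alongside the rejects above is the picture you want:
    mail for relay_domains flows to Exchange, everything else is refused.
    """
    out = []
    for line in log_text.splitlines():
        m = FORWARDED.search(line)
        if m and m.group("ip") == backend_ip:
            out.append(m.group("rcpt"))
    return out


if __name__ == "__main__":
    for ip, n in attempts_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} relay attempt(s) refused")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
    print("delivered to Exchange:", forwarded_to_backend(SAMPLE_LOG, "10.0.1.10"))
```

Run it against a real mail.log by reading the file into `relay_attempts` instead of SAMPLE_LOG. If "Relay access denied" never shows up even though outside clients are clearly trying third-party recipients, check `smtpd_recipient_restrictions` (or `smtpd_relay_restrictions` on newer Postfix) still contains `reject_unauth_destination` and that `mynetworks` has not grown to include the outside world; with the configuration quoted above, where mynetworks is just 127.0.0.0/8, Postfix's default restriction list is what keeps the relay closed.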
I'm the first to lambast Microsoft, but this is just stupid. The real problems with MS are diluted by this kind of selectively interpreted story...
Think.
There are kinds of flaws that chroot jails can defend against, and it's certainly worth building separate environments for different applications to limit the effects of attacks, but that won't help you for this kind of attack (e.g. a similar abuse of sendmail.) The problem is that the miscreant can talk to the email server and ask it to forward mail, all of which the email server is doing under its own privileges - chroot can prevent the email system from being used to attack DNS, but not this. Similarly, the SQL Slammer worm was a very clever hack that took the SQL server and tricked it into sending out packets as itself - a chroot equivalent for MS wouldn't have stopped that either.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It's the countless security holes in all of Microsoft's servers and email programs that are solely responsible for a huge percentage of all the spam and virii in the Internet world. Care to prove me wrong?
I was gonna say something, but what do you know, technically both are correct here.
Isn't it an MS feature? We already know that MS always puts cool features in for crackers, spammers and burglars ?:)
I speak from experience here, myself and a co-worker with more exchange 5.5 experience changed the password, which disabled exchange. We spent some time wading through microsoft documentation, and some money on outside advice - and both sources gave us the same information, that a "feature" of exchange 5.5 is that you are stuck with the original password forever. Those particular installations were upgrades from 5.0, so that may have something to do with it, but there can be no excuse for Microsoft leaving such a major security hole there for years.
My point is that exchange 5.5 gives you no choice but to have a poorly administered environment. If you can't change passwords after people leave that leaves all kinds of potential problems, and if people can't change passwords after you leave it leaves you open to future blame and potential legal problems. People notice when mail doesn't get through, so with exchange you need to be in early each day to be sure that the services all came up again after backup. Other mail transfer agents let you back up mailboxes without having to shut them down (because they actually are mail transfer agents - not some mess of poorly documented interconnecting services). Having to spend a lot of time just keeping three lightly loaded Exchange 5.5 servers going makes a system administrator look bad when there are a lot of other systems that need attention. I haven't looked at later versions of exchange at all - previous versions didn't do the job well if you only wanted a mail transfer agent, and it would be difficult to put a business case together to justify the cost of the current exchange as a mail transfer agent (you can only use the old "No-one ever got fired for buying IBM" ad that has been updated to replace IBM with Microsoft).
HAHA! Thanks for the "overrated" moderation!
Put a postfix mail server in front of it ;P. Or ditch it altogether.
This is additional proof that Microsoft will NEVER fix its bugs. The main reason for this is that Microsoft simply cannot do it. By attempting to take over every single area of the software industry, they have bitten off way more than they can chew. They simply have too many products that do too many things, and there are not enough programmers to handle the task of making that stuff work correctly, much less to make sure it is secure.
I mostly agree with what you say here, but what if they started over from scratch and reverse-engineered their own products?
This signature used to contain a cute kitty virus with ANSI art. Please set the slashdot editors on fire. Thank you
>It's easy to change it, but things just stop working due to authentication errors.
Sorry for the long delay in my reply, but I absolutely have to post a follow-up. This is 100% not true. You can change the password just fine, and so long as you do it correctly, absolutely everything will continue working. I've done it dozens of times.
Here's the KB article that walks you through all the steps to change the password without incident: "XADM: How to change the service account password" - http://support.microsoft.com/default.aspx?scid=kb;en-us;157780
Is it possible you're thinking of changing the actual service account itself (using a different account)? This can be done in a pure Exchange 5.5 environment, but as soon as you implement Exchange 2000/2003 in the same organization you can no longer change the account itself (you can still change the password). If you change the account after bringing in Exchange 200x, the MTA will stop functioning, and you're sure to get event 8213 CDO errors from MSExchangeFBPublish.
>People notice when mail doesn't get through, so with exchange you need to be in early each day to be sure that the services all came up again after backup
Not meaning to pick on you specifically, but this is a perfect example of the "poorly administered environment" I was talking about!
Why are the services being stopped at all?! Exchange has a built-in "online" backup mechanism that takes care of data validation and logfile maintenance. Stopping the databases to do a flat-file backup is a very risky way to backup your Exchange server, and not just because some script you've written to restart the services doesn't always work right!!
In any case, for the other points you've made -- you're probably right. Exchange 5.5 is not a great standalone mail-transfer-agent. It's not intended to be! It's intended to be a groupware/collaboration server that handles all aspects of email/calendaring/contact management in concert with Outlook. Later versions of Exchange make tremendous improvements, but it's still not designed strictly for mailflow. If you want a lightweight mailer, best to stick with Windows 2000/2003 SMTP service or something like Exim.