Slashdot Mirror


Mail Server Flaw Opens MS Exchange to Spam

bl8n8r writes: "Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not. There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.
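The quickest way to find out whether your own server is one of the ones complained about on the newsgroup is to do what a spammer does: connect from outside, hand it an external sender and an external recipient, and see whether the RCPT gets a 250 or a 550. The script below is an added example for this page, not code from the article, from Microsoft or from any relay-test service. The hostnames and addresses in it are hypothetical, the FakeSmtpServer is constructed so the probe runs offline, and the optional AUTH step models the summary's 'guest' point under two stated assumptions: that the server advertises AUTH PLAIN and that it relays for any authenticated user, so an enabled guest account with a blank password turns a closed relay into an open one.

```python
import base64
import re
import socket

# Hypothetical addresses: sender and recipient are both outside the target's
# own domain, which is exactly what a spammer's relay attempt looks like.
EXTERNAL_SENDER = "probe@example.org"
EXTERNAL_RCPT = "victim@example.net"


def read_reply(readline):
    """Consume one SMTP reply, including 250-... continuation lines, and return its code."""
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        m = re.match(r"^(\d{3})([ -]|$)", line)
        if not m:
            raise ValueError(f"malformed SMTP reply: {line!r}")
        if m.group(2) != "-":           # no hyphen: this was the last line of the reply
            return int(m.group(1))


def relay_probe(sendall, readline, auth=None, helo="probe.example",
                sender=EXTERNAL_SENDER, rcpt=EXTERNAL_RCPT):
    """Speak the dialogue an outside spammer would and classify the server.

    sendall/readline form the transport (a real socket in relay_probe_host, the
    in-memory fake below).  auth=(user, password) optionally tries AUTH PLAIN
    first, to test whether a weak account such as an enabled 'guest' lets anyone
    who knows it relay through an otherwise closed server (assumption: the
    server relays for any authenticated client).
    """
    def cmd(text):
        sendall((text + "\r\n").encode("ascii"))
        return read_reply(readline)

    if read_reply(readline) != 220:
        return "no-banner"
    if cmd(f"EHLO {helo}") // 100 != 2 and cmd(f"HELO {helo}") // 100 != 2:
        return "helo-rejected"
    if auth is not None:
        user, password = auth
        token = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
        if cmd(f"AUTH PLAIN {token}") != 235:
            return "auth-rejected"
    if cmd(f"MAIL FROM:<{sender}>") // 100 != 2:
        return "sender-rejected"
    code = cmd(f"RCPT TO:<{rcpt}>")   # the verdict: an open relay accepts, a closed one says 5xx
    cmd("RSET")                        # never send DATA; nothing should actually be delivered
    cmd("QUIT")
    return "open-relay" if code // 100 == 2 else "relay-denied"


def relay_probe_host(host, port=25, auth=None, timeout=10):
    """Run the probe against a live server you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rf:
        return relay_probe(s.sendall, rf.readline, auth=auth)


class FakeSmtpServer:
    """In-memory stand-in for a mail server, constructed for this example.  It
    accepts mail for its own domain, for everyone if open_relay is set, and for
    any authenticated client; with guest_enabled the user 'guest' with an empty
    password authenticates (hypothetical policy modelling the article's point)."""

    def __init__(self, local_domain="corp.example", open_relay=False, guest_enabled=False):
        self.local_domain = local_domain.lower()
        self.open_relay, self.guest_enabled, self.authed = open_relay, guest_enabled, False
        self.replies = [b"220 mail.corp.example ESMTP\r\n"]

    def sendall(self, data):
        verb, _, arg = data.decode("ascii").strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.replies += [b"250-mail.corp.example\r\n", b"250 AUTH PLAIN\r\n"]
        elif verb in ("HELO", "MAIL", "RSET", "NOOP"):
            self.replies.append(b"250 OK\r\n")
        elif verb == "AUTH":
            _mech, _, token = arg.partition(" ")
            _authz, user, password = base64.b64decode(token).decode().split("\0")
            if self.guest_enabled and user == "guest" and password == "":
                self.authed = True
                self.replies.append(b"235 2.7.0 Authentication successful\r\n")
            else:
                self.replies.append(b"535 5.7.8 Authentication credentials invalid\r\n")
        elif verb == "RCPT":
            addr = arg.split("<", 1)[-1].rstrip(">").lower()
            if self.open_relay or self.authed or addr.endswith("@" + self.local_domain):
                self.replies.append(b"250 OK\r\n")
            else:
                self.replies.append(b"550 5.7.1 Relaying denied\r\n")
        elif verb == "QUIT":
            self.replies.append(b"221 Bye\r\n")
        else:
            self.replies.append(b"500 Command not recognised\r\n")

    def readline(self):
        return self.replies.pop(0) if self.replies else b""


def probe_fake(open_relay=False, guest_enabled=False, auth=None):
    """Run the probe against a FakeSmtpServer with the given policy."""
    srv = FakeSmtpServer(open_relay=open_relay, guest_enabled=guest_enabled)
    return relay_probe(srv.sendall, srv.readline, auth=auth)


if __name__ == "__main__":
    print("open relay:           ", probe_fake(open_relay=True))
    print("closed, anonymous:    ", probe_fake())
    print("closed, guest enabled:", probe_fake(guest_enabled=True, auth=("guest", "")))
```

Two caveats a practitioner would want: the probe stops after RCPT and sends RSET, so nothing is queued on the target, and a 250 from an external recipient only means "open relay" when the sender is also external, which is why both defaults live outside the local domain. Point relay_probe_host only at servers you are authorised to test; the admins quoted in the summary found out the hard way that other people were already running this dialogue against theirs.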

16 of 487 comments

  1. Re:Read the fine article. by bgog · · Score: 4, Funny

    I did read the article and am fully aware of its implications. However... SHUT UP... I'm trying to get them to upgrade! :) SHHHH

  2. Re:the windows matrix by Anonymous Coward · · Score: 0, Funny

    Now if only we could EMP spambots.

  3. Re:More FUD for the Linux Side by Anonymous Coward · · Score: 4, Funny

    Here I thought /. was the source for fair and balanced coverage.

    You're new here, aren't you?

  4. Re:Ensure by ottawanker · · Score: 1, Funny

    Well, with Microsoft, there seems to be no way to ensure that you won't get screwed, so you had better start insuring yourself against getting screwed.

  5. Re:Ensure by Malc · · Score: 2, Funny

    Insure is also a verb! I insure, you insure, we all insure to ensure financial security.

  6. Re:Sweet by Frymaster · · Score: 1, Funny

    Sweet, another one of Microsoft's quality "features" to help ensure a quality technological experience.

    actually, given the track record of sendmail on the security front i think i'm just going to keep quiet about this one....

  7. Re:Everyone's Answer = UPGRADE! by Anonymous Coward · · Score: 1, Funny

    It's not just Microsoft who forces you to upgrade, everyone does. The difference is Microsoft charges you for it.

  8. Impressive. by Anonymous Coward · · Score: 0, Funny

    Wow.

    Is that the Engrish version of AOHELL you're using?

    Not only did you get the quote wrong four times, but it's not even a quote from Microsoft software!

  9. Re:Guest account by Aardpig · · Score: 1, Funny

    But the name is listed in /etc/passwd, which is world-readable. How does this help you?

    What, you've never heard of security through hubris? It's identical to security through obscurity in all respects, apart from the fact that the implementer has to regard himself/herself as a 1337 h4x0r.

    --
    Tubal-Cain smokes the white owl.
  10. Re:Balance by FreeForm+Response · · Score: 1, Funny

    /. people should know better than most that you can't retroactively flip a security bit and make past mistakes better...

    Au contraire...
    RFC 3514 -- Security Flag in the IPv4 Header
    You may not be able to flip a bit, but you can always just detect one. ;-)

  11. Re: indemnity? by Black+Parrot · · Score: 5, Funny

    > Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.

    Yes, they agree to only charge you one license for the unauthorized use of 'guest', no matter how many spammers are actually using it.

    They also agree to send someone to show your PHB some overdecorated ppt slides about how secure their software is, if incidents like this have him thinking about switching to another software supplier.

    --
    Sheesh, evil *and* a jerk. -- Jade
  12. Re:Read the fine article. by dipipanone · · Score: 3, Funny

    No, it's turned off by default

    OK, I eventually got that for most people, it was probably turned on by a Code Red infection.

    I'm still curious about what potential purpose such an account would serve though? Is it necessary for internal housekeeping or something?

    which you would know if you had bothered to read more than the one comment you were replying to

    What, you mean that as well as R'ing the F'ing A, I'm also obliged to R *all* the F'ing C's as well?

    You are joking, right?

  13. Re:Ensure by Anonymous Coward · · Score: 1, Funny

    What would an ensurance company do? Ensure things presumably...

    "And what if a fire breaks out at our warehouse?"
    "Don't worry, sir, we can make that happen next week."

  14. Re:Read the fine article. by Anonymous Coward · · Score: 2, Funny

    "Exchange admins" ?

    ugh? There are actually people who have this title and like get paid for it?

    What's the job description?

    "
    Must have somewhat memorized a bunch of (exchange) gui screens and know how to click mouse. Token certificate of some type or online degrees from "accredited" universities are nice and make the HR people we employ titter. Good with microsoft wizards and skill with pleasing buzzwords preferred. Must not laugh when manager says things like "Tiger Team meeting", "Warm fuzzy around the problem", "Have a dialog" or the like.
    "

    But wait that's pretty much the job description for 95% of all Microsoft jobs

    What would the GNU equiv be?

    "
    Must know how to administer all services on typical *nix box from command line, know C, vi, have GNU beard, and actually be prepared to do some work.
    "

    dunno

  15. Re:Read the fine article. by rifter · · Score: 3, Funny

    "No, it's turned off by default"

    OK, I eventually got that for most people, it was probably turned on by a Code Red infection.

    I'm still curious about what potential purpose such an account would serve though? Is it necessary for internal housekeeping or something?

    "which you would know if you had bothered to read more than the one comment you were replying to"

    What, you mean that as well as R'ing the F'ing A, I'm also obliged to R *all* the F'ing C's as well?

    You are joking, right?

    Nope, to earn the right to post on Slashdot, you must read every comment, the whole article and all the links. Then you should read the man pages for every *NIX, the whole of Microsoft Technet, and all of the RFC's. That done, you may return to post. What you say?! Discussion archived? Oh well, reading all that will be much better than Slashdot, and you'll probably outgrow posting here by then, too. :)

  16. Re:guest accounts by bribass · · Score: 3, Funny

    (ever typed 'Administartor'?)

    No, but I've typed 'Administraitor' before... :)