Mail Server Flaw Opens MS Exchange to Spam
bl8n8r writes: "
Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.
There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to ensure your 'guest' accounts are still disabled.
Turn off Guest!
This issue was never really resolved for Exchange 5.5, but it is simply resolved in 2000, which is detailed here
If you are running Exchange 5.5 you shouldn't be wasting time locking it down... Your hours would be better spent opening ports on your firewall or something, because 5.5 is so old and underupdated that it is more efficient to work on a new mail server with new software.
- what is the definition of simultanagnosia?! I've been meaning to look it up!
The problem has nothing to do with Exchange, or SMTP itself. It has to do with SMTP AUTH -- an extension that allows clients to authenticate themselves. This allows a roaming client (connecting from anywhere) to authenticate via username and password, and they are then given relaying rights as if they were directly on the ISP's network.
The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more. Once the spammer is 'authenticated' they are free to relay. They could have also guessed any real user's password, the effect would be the same.
you are right, but: /etc/passwd - a dictionary attack is much harder if you have to guess both the password and the username.
1. you have to login to the machine to read
2. the standard root-kits just assume it's called root.
As of Postgres v6.2, time travel is no longer supported.
Nope....try to refrain from commenting when you really have nothing of value to add. The Windows Guest account is equivalent to the anonymous login in most other systems. These do not require a valid password, and generally anything or nothing can be entered. If there was a password that could fail then it would no longer be a Guest/Anonymous account now would it?! Don't take it personally though, I was just in a flaming mood, and your post smelled like gasoline...haha!
If you must!
This is an SMTP AUTH problem and any mail server which permits relaying using SMTP AUTH and doesn't filter by source IP is open to this type of abuse. Exchange is more susceptible to this attack than other mail servers because there are predictable account names which can be brute forced and SMTP AUTH is enabled by default. It is simple to turn this off.
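An added example, not part of the thread above: a log check for the pattern these comments describe, a successful SMTP AUTH on a predictable account (or after repeated failures) from outside the expected networks, followed by relayed mail. The log format, trusted network, account list and threshold are assumptions constructed for the example, not Exchange's own log format.

```python
import ipaddress
from collections import defaultdict

# Assumed for this example: expected client networks and predictable account names.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
PREDICTABLE = {"guest", "administrator", "test"}
FAIL_THRESHOLD = 3

# Constructed sample log: "<time> <source ip> <event> <account>"
SAMPLE_LOG = """\
10:00:01 203.0.113.7 AUTH_FAIL guest
10:00:02 203.0.113.7 AUTH_FAIL guest
10:00:03 203.0.113.7 AUTH_FAIL guest
10:00:04 203.0.113.7 AUTH_OK guest
10:00:05 203.0.113.7 RELAY guest
10:00:06 203.0.113.7 RELAY guest
10:02:00 192.0.2.15 AUTH_OK alice
10:03:00 198.51.100.9 AUTH_FAIL bob
10:03:30 198.51.100.9 AUTH_OK bob
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_suspect_relays(log_text):
    """Return {(ip, account): {"reasons": [...], "relayed": n}} for review."""
    fails = defaultdict(int)   # failed AUTH attempts since the last success
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, ip, event, account = parts
        key = (ip, account.lower())
        if event == "AUTH_FAIL":
            fails[key] += 1
        elif event == "AUTH_OK":
            reasons = []
            if key[1] in PREDICTABLE:
                reasons.append("predictable account")
            if fails[key] >= FAIL_THRESHOLD:
                reasons.append("success after repeated failures")
            if reasons and not is_trusted(ip):
                findings[key] = {"reasons": reasons, "relayed": 0}
            fails[key] = 0
        elif event == "RELAY" and key in findings:
            findings[key]["relayed"] += 1
    return findings
```

Calling `find_suspect_relays(SAMPLE_LOG)` flags only the `guest` session from 203.0.113.7 and counts the two messages it relayed.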
What is the big deal?
It looks like thinkcomputer has an ulterior motive "Microsoft telephone support is not available without the risk of paying a relatively high per incident fee. Therefore, we recommend contacting Think Computer via e-mail at info@thinkcomputer.com for more information about the issues discussed in this White Paper."
Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?
It wouldn't be mentioned in that RFC, as I believe that was written before any form of user authentication was part of SMTP. AUTH SMTP is described in RFC 2554 - SMTP Service Extension for Authentication; however, it doesn't mention anything about a "guest" account specifically, just "accounts".
Modern SMTP mail systems are based on a number of RFCs - 2234, 1869, 1891, 2119, 2222, 2476, 2195, 821, 822