Mail Server Flaw Opens MS Exchange to Spam

bl8n8r writes: " Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not. There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.

Simple problem, simple fix

[bigberk]

The problem has nothing to do with Exchange, or SMTP itself. It has to do with SMTP AUTH -- an extension that allows clients to authenticate themselves. This allows a roaming client (connecting from anywhere) to authenticate via username and password, and they are then given relaying rights as if they were directly on the ISPs network.

The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more. Once the spammer is 'authenticated' they are free to relay. They could have also guessed any real user's password, the effect would be the same.

Re:Simple problem, simple fix

[doorbot.com]

The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more.

This is 90% correct. It's important to understand the function of the "Guest" account in Windows. It allows any user, using any login name, and any password, to authenticate. Enabling the "Guest" account does not allow the username "Guest" to login specifically, it enables any username, which does not match an existing user in Active Directory or the local SAM to authenticate.

Clearly this is a security vulnerability, and why the Guest account ships in the disabled state. It would be very nice if Windows would warn you when you enabled it, and made an attempt to explain the implications of doing so.

With regards to attempts at guessing SMTP AUTH passwords, this has been happening lately. One caveat is that one a Linux box it can be difficult to enumerate the usernames, while on a Windows box (AD/NT/workstation) it is usually quite easy <insert obligatory firewall statement here>.

Re:Read the fine article.

[Da_Weasel]

Nope....try to refrain from commenting when you really have nothing of value to add. The Windows Guest account is equivlent to the anonymous login in most other system. These do not require a valid password, and generally anything or nothing can be entered. If there was a password that could fail then it would no longer be a Guest/Anonymous account now would it?! Don't take it personally though, I was just in a flaming mood, and your post smelled like gasoline...haha!

Re:Actually not just MS

[skinfitz]

Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?

It wouldn't be mentioned in that RFC as I believe that was written before any form of user authentication was part of SMTP. AUTH SMTP is described in RFC 2554 - SMTP Service Extension for Authentication however it doesn't mention anything about a "guest" account specifically, just "accounts".

Modern SMTP mail systems are based on a number of RFC's - 2234, 1869, 1891, 2119, 2222, 2476, 2195, 821, 822