Mail Server Flaw Opens MS Exchange to Spam
bl8n8r writes: "
Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.
There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to ensure your 'guest' accounts are still disabled.
Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.
Misconfigured servers are vulnerable to exploit allowing relaying. Film at 11.
Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," ... The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled.
Why on earth does a guest account even EXIST anymore????? I would think it is obvious that guest access on any machine is a bad thing.
Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
Was code red really just a tool for spammers?
----
Squirrel
It's an issue. But Microsoft is saying it's not a big one.
Open relays are not a big problem? Right.
What Microsoft really means is: we are making money on it, so it's not a problem, shut up and go away and leave us alone.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yeah, I can't spell. So what is your point?
Windows becomes more like *nix every day!
Windows would actually be a decent product if Microsoft could successfully copy the good unix stuff instead of doing perfect copies of its flaws and flawed copies of the stuff that works.
To know that you know what you know, and that you do not know what you do not know, that is true wisdom. --Scooby Doo
To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.
Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said. "
Maybe you're confusing qmail with a poorly configured, non-DJB-endorsed SMTP AUTH layer?
If that's not the case, well, what you're saying makes no sense.
Here I thought /. was the source for fair and balanced coverage.
Must be a slow news week when a college kid can get the media's attention because he decided to point out the obvious.
Turns out it's actually a problem in SMTP's RFC
Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?
Tubal-Cain smokes the white owl.
I am 100% linux at work, but have the same problem as you, incompatible exchange server for evolution...
So, I have been using outlook with CodeWeavers' crossover office (http://codeweavers.com/site/products/cxoffice/), which you are no doubt aware of, but if you haven't tried it, it is awesome. While not perfect, it certainly beats the other options of getting exchange mail on a linux desktop (term serv/rdesktop, outlook web access, dual booting, etc), and the small amount of money (~$60) is well worth it, as much work goes right back into WINE.
Legal Disclaimer: I have no affiliation with CodeWeavers other than being a very satisfied customer.
JWall: GUI client for IPTables
Buy a Mac! ;)
...and I run multiple Exchange boxen in multiple locations. ...of course I wouldn't do anything so clueless as leave the relays open or leave the default guest account active.
As far as open relays go, it actually pains me to have to close them off. I'd rather leave them open and help people out when their ISPs are dicking them around. Unfortunately a few assholes are ruining it for everyone else.
You're using her as bait, Master!
This is either the second, third or fourth time in the past 24 months that Microsoft has said that security is a top priority.
But, then again, this is the same company that testified under oath that revealing the Windows source code would harm the National Security of the US. Then they licensed the source code to China.
Perhaps instead of spending a fortune to "innovate" a matrix knockoff (how original) they could spend some money on making secure software.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
This is silly, exchange 5.5 and exchange 2000 don't ship with "allow users to relay if they authenticate regardless of if they are in this list" checked by default. Systems Administrators need to enable that feature specifically.
Also, The guest account is disabled by default.
Saying exchange servers may be relaying because of this 'bug' is like saying linux is insecure because you can set a blank root password and enable sshd to accept connections as root.
If your server has been compromised and you don't take adequate steps to clean it up after that there is the potential that it is still vulnerable.
Mmmm.. Donuts
The effect of articles like this is making true, realistic criticism of MS security by Unix users look like the same kind of bullshit we see here.
Hmmm, nice editorial on Exchange, what should I use for a secure product - Sendmail?
/. people should know better than most that you can't retroactively flip a security bit and make past mistakes better, security is built into the product from the ground up. So why do you expect it from Microsoft?
And please stop quoting out of context, it was always said the focus on security was for new products. Exchange 5.5 is hardly a new product. Find a problem in Exchange 2003 and then you can complain.
Read reviews of shopping cart software
It might shock you but on my Linux boxes the superuser is not called 'root' either.
But the name is listed in /etc/passwd, which is world-readable. How does this help you?
wtf are you talking about.. and why are you modded to 5?!
Why don't we have articles titled "servers with no passwords vulnerable to attack" -or- "servers with backdoors subject to further compromise"?
:-)
I just submitted these...stay tuned
Find me a linux app that can parse sendmail logs and let me go through and say "show me all of the messages sent through server x that were to or from user y", and then print the results with "to", "from", "subject", and delivery status?
(For the record, of the /20 I have facing the internet, I've had one linux machine cracked in the last three years, and not a single windows machine - the exchange servers are inside the firewall, using linux/sendmail to forward incoming queries. The one linux crack was in fact my fault, my automated update installer malfunctioned on a failed RPM install, and openssh didn't get installed properly. Stupid problem, but it still led to the eventual crack.)
Find me a linux app that integrates with the most popular and widespread office suite in the world, that allows me to assign tasks, share calendars, keep track of documents/revisions, and has a zero learning curve for the entire office staff that's already standardized on an existing product?
The reality is, while MS isn't perfect, and they're certainly not the model of perfect security, they're acceptable because the products they produce are in fact superior in the ways that matter.
I can patch security holes, and I can mitigate risk with firewalls. I can't simply snap my fingers and add functionality to linux applications, and I can't even throw money at the problem to make it work. It's just not an option.
I'm all for kicking a company when they deserve it but yet again I feel this Microsoft bashing episode is another beefed up piece of CNET pseudo FUD disguised as news. I'm sick of the way they trump up the Windows vs. *Nix wars - it brings in readers (baaaaa).
I agree it's a potential issue, but FFS this is 90% (again) a problem with the system admins, not Microsoft. Remember the recent spate of SSH issues - I know a handful of companies who got fucked by that because their admins had poor root passwords and didn't keep up with security issues. I do however agree that it should probably be removed (note that guest is off by default in Windows Server 2003).
We need fewer dickheads running IT. It's not that hard to build secure solutions regardless of what platform you choose - you just need to know what you are doing. Companies need to grill their staff better at interviews and follow their performance.
My 2 cents...
So, software that is years old is insecure. Not a big surprise. Install any Linux distro that is years old and you're going to find security holes as well.
Also, what software at Microsoft says it's secure? The only thing I can think of is MBSA and that pretty much just tells you if you have all patches installed. Notice how Exchange 2003 doesn't suffer from this problem. Also, it relies on a misconfigured server or a server that was previously infected from code red. This feature is off by default. IMHO, if your machine was infected from code red, it should have been re-installed.
Install an insecure CGI on your Apache server and watch what can happen.
Woo woo, big news...
-Shippy
This really surprises me, because in theory, one shouldn't need read-access to that file. I just tried to chmod 600 /etc/passwd and I had linux complain; there really should be a workaround to disable passwd from being readable, because it IS a security risk...
Not Free(as in beer). Free(as in "I'm free to beat you over the head for being a dumbass")
That is USELESS because the name of the guest account is totally irrelevant.
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything (to secure the server), you are still open to spammers."
Um, excuse me? Any idiot with more than 7 days experience administering a Windows server should know that the Guest account is BAD BAD BAD.
By definition "Guest" doesn't require successful authentication to access resources. The entire reason "Guest" exists is to provide un-authenticated access to resources.
I can read bugtraq as well as anyone else, so I'm aware of the past history Microsoft has with the security of its products. However, no sane person could reasonably attribute this "flaw" to Microsoft software. A more apt description is "Flaw in MS Exchange 5.5 and 2000 Administrators".
I mean really. It's like setting a Windows Domain Administrator account password to "Administrator" or "password" (another major cause of Exchange-based spam. Grep USENET and MS KB's for UI).
No software yet written or ever to be written in the future can make up for mistakes, oversights and sometimes just plain stupidity of humans.
Janie took my gun...
> and say "show me all of the messages sent through server x that were
> to or from user y", and then print the results with "to", "from",
> "subject", and delivery status?
>
*application*? You're joking, right? This is a shell one-liner ffs...
$ grep [serverIP] logfile | grep userX | grep userY | awk '{print $2, $4, $6, $8}'
- off the top of my head, and without sight of the logfile format, but that's roughly how you'd do it. And thanks to the power of the GPL, some nice people have actually written software to allow you to do this on Windows (namely, Cygwin) and it's available now, free of charge.
You're welcome.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
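The one-liner above is the spirit of the answer, but real sendmail logs split each message across a from= line and one or more to= lines that share only a queue ID, so a grep chain cannot join sender, recipient and delivery status. The following is an added example (not code from either poster) that does that join on constructed sendmail-style syslog lines, answers "messages through server X to or from user Y", and also flags queue IDs where neither sender nor recipient is in a local domain, which is the pattern an open relay or catch-all guest account leaves in the log. The hostname `mx1`, the addresses and the domains are invented; sendmail does not log the Subject header by default, so that column is not available from the log alone.

```python
"""Join sendmail-style log lines by queue ID, then query them by server and user
and flag third-party relaying. Added example with constructed sample data."""
import re

# Constructed sample log (not from any real server). Layout follows the usual
# sendmail syslog format: one from= line and one to= line per queue ID.
SAMPLE_LOG = """\
Jun  3 10:15:01 mx1 sendmail[1234]: h53AF1aa001234: from=<alice@example.com>, size=1200, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=MTA, relay=ws17.example.com [192.0.2.17]
Jun  3 10:15:02 mx1 sendmail[1235]: h53AF1aa001234: to=<bob@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31200, relay=mail.example.net. [198.51.100.5], dsn=2.0.0, stat=Sent (OK)
Jun  3 10:16:10 mx1 sendmail[1240]: h53AG0bb001240: from=<carol@example.net>, size=900, class=0, nrcpts=1, msgid=<c2@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.5]
Jun  3 10:16:11 mx1 sendmail[1241]: h53AG0bb001240: to=<alice@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30900, dsn=2.0.0, stat=Sent
Jun  3 10:20:33 mx1 sendmail[1250]: h53AK0cc001250: from=<promo@spam.invalid>, size=50000, class=0, nrcpts=1, msgid=<z9@spam.invalid>, proto=SMTP, daemon=MTA, relay=[203.0.113.9]
Jun  3 10:20:34 mx1 sendmail[1251]: h53AK0cc001250: to=<victim@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=80000, relay=mx.example.org. [203.0.113.20], dsn=2.0.0, stat=Sent (queued)
Jun  3 10:25:00 mx1 sendmail[1260]: h53AP0dd001260: from=<alice@example.com>, size=700, class=0, nrcpts=1, msgid=<a3@example.com>, proto=ESMTP, daemon=MTA, relay=ws17.example.com [192.0.2.17]
Jun  3 10:25:05 mx1 sendmail[1261]: h53AP0dd001260: to=<dave@example.net>, delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=30700, relay=mail.example.net. [198.51.100.5], dsn=5.1.1, stat=User unknown
"""

# syslog prefix, host, process, queue ID, then the comma-separated key=value part
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: '
    r'(?P<qid>\w+): (?P<rest>.*)$')


def parse_sendmail_log(text):
    """Return {queue_id: record}; a record has ts, host, from, from_relay
    (the client that handed the mail in) and a list of (recipient, stat)."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail envelope line; ignore
        rest = m['rest']
        rec = msgs.setdefault(m['qid'], {"ts": m['ts'], "host": m['host'],
                                         "from": None, "from_relay": "", "to": []})
        fm = re.search(r'from=<([^>]*)>', rest)
        if fm:
            rec["from"] = fm.group(1)
            rm = re.search(r'relay=(.*)$', rest)  # relay= is the last field on from= lines
            rec["from_relay"] = rm.group(1) if rm else ""
        tm = re.search(r'to=<([^>]*)>', rest)
        if tm:
            sm = re.search(r'stat=(.*)$', rest)  # delivery status is the last field
            rec["to"].append((tm.group(1), sm.group(1) if sm else ""))
    return msgs


def query(msgs, server_host, user):
    """Rows (ts, from, to, status) for mail handled by server_host where
    user is the sender or a recipient; one row per recipient."""
    rows = []
    for rec in msgs.values():
        if rec["host"] != server_host:
            continue
        for rcpt, stat in rec["to"]:
            if user in (rec["from"], rcpt):
                rows.append((rec["ts"], rec["from"], rcpt, stat))
    return rows


def third_party_relays(msgs, local_domains):
    """Queue IDs where neither the sender nor any recipient belongs to one of
    local_domains: mail carried purely on behalf of outsiders, which is what an
    open relay (or an enabled catch-all guest account) produces."""
    def is_local(addr):
        return addr.split('@')[-1].lower() in local_domains
    hits = []
    for qid, rec in sorted(msgs.items()):
        if rec["from"] is None or is_local(rec["from"]):
            continue
        if any(is_local(r) for r, _ in rec["to"]):
            continue
        hits.append(qid)
    return hits


if __name__ == "__main__":
    msgs = parse_sendmail_log(SAMPLE_LOG)
    for ts, frm, to, stat in query(msgs, "mx1", "alice@example.com"):
        print(f"{ts}  from={frm}  to={to}  status={stat}")
    for qid in third_party_relays(msgs, {"example.com"}):
        print(f"relay abuse? {qid} from={msgs[qid]['from']} via {msgs[qid]['from_relay']}")
```

Run it against a real `/var/log/maillog` by replacing `SAMPLE_LOG` with the file contents; the relay check is the one worth scheduling, since a sudden rise in third-party queue IDs is the earliest sign that a server has started relaying for strangers.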
I hardly think an open Guest account is a security problem with Exchange server. It's more a competence problem with the server's administrator. A lot of systems have a Guest account - if it's enabled, Guests will get in - that's what those accounts are for!
"The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers."
Are you smoking crack? Isn't it an administrators *JOB* to know how to do this?
And everyone wonders why IT departments are getting shipped overseas - people think they can be an administrator and not know how to do anything. If I'm going to hire a bunch of morons who don't know how to do anything, I may as well pay a Czech $3/hr instead of paying an American $30/hr or more. At least the Czech is damn happy to get that $3/hr and will give at least a little bit of work for it. All the American is going to do is sit there and bitch about how they don't get paid enough, and quite possibly Do Bad Things(TM) on purpose as a form of passive blackmail.... This happened to me once, which is why I fired all but three people in my IT department - formerly 35 - and outsourced it to Brno, Czech Republic. Since doing that, I'm paying 1/10th as much and getting 10x better service - even with all the administrative tasks being performed remotely.
How many resources, training, and time does an administrator need to figure out that guest accounts are BAD? And why do I have to go to foreign countries to get good administrators?
My final question is a looming one - at what point are the foreigners going to start acting like spoiled brat Americans and start bitching about not making any money.
It still surprises me to no end how many American IT workers still want to make $80k for doing essentially nothing except installing MS Patches. They're still living in 1998-1999 and won't wake up, I guess...
Service packs do not patch virus infected machines. The whole point of them is to patch any exploits on the machine BEFORE it gets infected.
Anyway, if you have an internet facing machine of any OS compromised and don't wipe it and start again then you're several kinds of idiot.
"My parents were strict, but they never pitted me against livestock" - Doug Stanhope
There are probably a dozen free mail servers that are smaller, simpler, faster, and more reliable. Servers that don't open you up to problem after problem caused by the insane complexity of the design.
The reason people keep coming up with is, you need Exchange to get the most out of Outlook.
Which has to be the silliest reason I can imagine, because if there's been a bigger network security problem over the past half a decade than Outlook, I don't know what it is.
You might as well argue that without winter you really can't get the most out of homelessness. Without dirty needles, you can't get the most out of drug addiction. Without gang warfare, you can't get the most out of overcrowded inner cities.
HELLO, THIS IS THE CLUE FAIRY KNOCKING ON YOUR DOOR: don't use Outlook, don't use Exchange. Go ahead and use Windows if you must (and you pretty much have to, these days, I read it in the paper just the other day), but there's no reason you need to take bad smack just because it comes with the neighborhood. Almost all the mail servers and clients you might want to use have already been ported to Windows, no matter what OS they were originally written for.
This shouldn't be hard for people to wrap their heads around, but... somehow... people keep going back to the Microsoft connection and shooting up with dirty email software...