Mail Server Flaw Opens MS Exchange to Spam
bl8n8r writes: "Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not.
There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to ensure your 'guest' accounts are still disabled.
Is Microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed-source company, right? It's the indemnity.
Misconfigured servers are vulnerable to exploit allowing relaying. Film at 11.
Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.
"If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," ... The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled.
Why on earth does a guest account even EXIST anymore? I would think it is obvious that guest access on any machine is a bad thing.
Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
Was code red really just a tool for spammers?
----
Squirrel
To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.
Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said."
Maybe you're confusing qmail with a poorly configured, non-DJB-endorsed SMTP AUTH layer?
If that's not the case, well, what you're saying makes no sense.
Here I thought /. was the source for fair and balanced coverage.
Must be a slow news week when a college kid can get the media's attention because he decided to point out the obvious.
Turns out it's actually a problem in SMTP's RFC
Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?
Tubal-Cain smokes the white owl.
I am 100% Linux at work, but have the same problem as you, incompatible Exchange server for Evolution...
So, I have been using Outlook with CodeWeavers' CrossOver Office (http://codeweavers.com/site/products/cxoffice/), which you are no doubt aware of, but if you haven't tried it, it is awesome. While not perfect, it certainly beats the other options of getting Exchange mail on a Linux desktop (term serv/rdesktop, Outlook Web Access, dual booting, etc.), and the small amount of money (~$60) is well worth it, as much work goes right back into WINE.
Legal Disclaimer: I have no affiliation with CodeWeavers other than being a very satisfied customer.
JWall: GUI client for IPTables
...and I run multiple Exchange boxen in multiple locations. ...of course I wouldn't do anything so clueless as leave the relays open or leave the default guest account active.
As far as open relays go, it actually pains me to have to close them off. I'd rather leave them open and help people out when their ISPs are dicking them around. Unfortunately a few assholes are ruining it for everyone else.
You're using her as bait, Master!
This is either the second, third or fourth time in the past 24 months that Microsoft has said that security is a top priority.
But, then again, this is the same company that testified under oath that revealing the Windows source code would harm the national security of the US. Then they licensed the source code to China.
This is silly; Exchange 5.5 and Exchange 2000 don't ship with "allow users to relay if they authenticate regardless of if they are in this list" checked by default. System administrators need to enable that feature specifically.
Also, the guest account is disabled by default.
Saying Exchange servers may be relaying because of this 'bug' is like saying Linux is insecure because you can set a blank root password and enable sshd to accept connections as root.
I'm all for kicking a company when they deserve it, but yet again I feel this Microsoft-bashing episode is another beefed-up piece of CNET pseudo-FUD disguised as news. I'm sick of the way they trump up the Windows vs. *nix wars - it brings in readers (baaaaa).
I agree it's a potential issue, but FFS this is 90% (again) a problem with the system admins, not Microsoft. Remember the recent spate of SSH issues - I know a handful of companies who got fucked by that because their admins had poor root passwords and didn't keep up with security issues. I do however agree that it should probably be removed (note that guest is off by default in Windows Server 2003).
We need fewer dickheads running IT. It's not that hard to build secure solutions regardless of what platform you choose - you just need to know what you are doing. Companies need to grill their staff better at interviews and follow their performance.
My 2 cents...
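The two conditions described in this thread (an authenticated-relay option switched on, plus a guest account that gives a failed login a usable identity) can be checked from the outside without sending any mail, by driving one SMTP session and watching the reply to RCPT TO for an external domain before and after a deliberately failed AUTH. The following is an added example written for this page; it is not code from the article, from any commenter, or from Microsoft. The fake server merely scripts the behaviour the article describes so the probe can be run offline; the host names, the local domain "corp.example", the probe addresses and the use of AUTH LOGIN are all assumptions.

```python
"""Relay probe for an SMTP server: checks whether mail to an external domain is
accepted anonymously and, separately, after a deliberately failed AUTH LOGIN.
Constructed example; the fake server below scripts the behaviour the article
describes and is not Exchange code."""
import base64
import socket

LOCAL_DOMAIN = "corp.example"  # assumed local domain of the server under test


class FakeSmtpServer:
    """Scripted SMTP responder (constructed for this example).

    With guest_catchall=True a failed login still leaves the session with a
    usable (Guest) identity, and the server relays for any authenticated
    session regardless of its relay list; with False, the failed login leaves
    the session anonymous and only local recipients are accepted.
    """

    def __init__(self, guest_catchall):
        self.guest_catchall = guest_catchall
        self.authenticated = False
        self.auth_state = None  # None, "user" or "pass": next AUTH LOGIN line expected

    def cmd(self, line):
        if self.auth_state == "user":          # client just sent the username
            self.auth_state = "pass"
            return 334, "UGFzc3dvcmQ6"        # base64("Password:")
        if self.auth_state == "pass":          # client just sent the password
            self.auth_state = None
            self.authenticated = self.guest_catchall  # the catch-all guest behaviour
            return 535, "Authentication unsuccessful"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return 250, "AUTH LOGIN"
        if verb == "AUTH":
            self.auth_state = "user"
            return 334, "VXNlcm5hbWU6"        # base64("Username:")
        if verb == "MAIL":
            return 250, "Sender OK"
        if verb == "RCPT":
            addr = arg.partition(":")[2].strip(" <>")
            domain = addr.rpartition("@")[2].lower()
            if domain == LOCAL_DOMAIN or self.authenticated:
                return 250, "Recipient OK"
            return 550, "Unable to relay"
        if verb == "RSET":
            return 250, "Reset"
        if verb == "QUIT":
            return 221, "Bye"
        return 500, "Unrecognised command"


class SocketConn:
    """Minimal line-oriented wrapper so probe_relay can run against a real host."""

    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("rb")
        self._reply()  # consume the banner

    def _reply(self):
        # Multi-line replies use "250-..." continuation; the final line has "250 ".
        while True:
            raw = self.reader.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), line[4:]

    def cmd(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))
        return self._reply()


def probe_relay(conn, external_rcpt="probe@external.example",
                bogus_user="nosuchuser", bogus_pass="wrong-password"):
    """Drive one session and report which paths relay. No DATA is ever sent,
    so no message leaves the server; the RCPT reply code is the indicator."""
    results = {}
    conn.cmd("EHLO probe.example")
    conn.cmd("MAIL FROM:<probe@probe.example>")
    code, _ = conn.cmd(f"RCPT TO:<{external_rcpt}>")
    results["anonymous"] = code == 250
    conn.cmd("RSET")
    code, _ = conn.cmd("AUTH LOGIN")
    if code == 334:
        conn.cmd(base64.b64encode(bogus_user.encode()).decode())
        code, _ = conn.cmd(base64.b64encode(bogus_pass.encode()).decode())
    results["auth_rejected"] = code == 535
    conn.cmd("MAIL FROM:<probe@probe.example>")
    code, _ = conn.cmd(f"RCPT TO:<{external_rcpt}>")
    results["after_failed_auth"] = code == 250
    conn.cmd("QUIT")
    return results


if __name__ == "__main__":
    for flag in (True, False):
        print("guest catch-all" if flag else "guest disabled",
              probe_relay(FakeSmtpServer(guest_catchall=flag)))
```

Against a real host, use probe_relay(SocketConn("mail.example")) with external_rcpt set to an address you control, and only on servers you are authorised to test. A 250 to RCPT TO after a 535 is the signature of the catch-all guest problem; a 250 before any AUTH means the server relays for everyone. Some MTAs only refuse relaying at DATA or after acceptance, so treat a 250 here as a strong indicator rather than proof and confirm by whether the message actually arrives in your own mailbox.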
> and say "show me all of the messages sent through server x that were
> to or from user y", and then print the results with "to", "from",
> "subject", and delivery status?
>
*application*? You're joking, right? This is a shell one-liner ffs...
$ grep -F [serverIP] logfile | grep -F userX | grep -F userY | awk '{print $2, $4, $6, $8}'
- off the top of my head, and without sight of the logfile format, but that's roughly how you'd do it. And thanks to the power of the GPL, some nice people have actually written software to allow you to do this on Windows (namely, Cygwin) and it's available now, free of charge.
You're welcome.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
"The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers."
Are you smoking crack? Isn't it an administrators *JOB* to know how to do this?
And everyone wonders why IT departments are getting shipped overseas - people think they can be an administrator and not know how to do anything. If I'm going to hire a bunch of morons who don't know how to do anything, I may as well pay a Czech $3/hr instead of paying an American $30/hr or more. At least the Czech is damn happy to get that $3/hr and will give at least a little bit of work for it. All the American is going to do is sit there and bitch about how they don't get paid enough, and quite possibly Do Bad Things(TM) on purpose as a form of passive blackmail.... This happened to me once, which is why I fired all but three people in my IT department - formerly 35 - and outsourced it to Brno, Czech Republic. Since doing that, I'm paying 1/10th as much and getting 10x better service - even with all the administrative tasks being performed remotely.
How many resources, training, and time does an administrator need to figure out that guest accounts are BAD? And why do I have to go to foreign countries to get good administrators?
My final question is a looming one - at what point are the foreigners going to start acting like spoiled brat Americans and start bitching about not making any money.
It still surprises me to no end how many American IT workers still want to make $80k for doing essentially nothing except installing MS Patches. They're still living in 1998-1999 and won't wake up, I guess...