Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mail Server Flaw Opens MS Exchange to Spam

Posted by Cliff on from the close-those-guest-account dept.

bl8n8r writes: " Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not. There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.

12 of 487 comments (clear)

  1. This Just In... by E-Rock · · Score: 5, Insightful

    Misconfigured servers are vulnerable to exploit allowing relaying. Film at 11.

    Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.

  2. guest accounts by Pompatus · · Score: 4, Insightful

    "If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," ......... The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled.

    Why on earth does a guest account even EXIST anymore????? I would think it is obvious that guest access on any machine is a bad thing.

    Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.

    Was code red really just a tool for spammers?

    --

    ----
    Squirrel ... It's not just for breakfast anymore
    1. Re:guest accounts by ejaw5 · · Score: 4, Insightful

      What's worse about the guest account is that while it can be disabled, it cannot be removed.

      --

      $cat /dev/random > Sig
  3. Read the fine article. by Anonymous Coward · · Score: 5, Insightful
    Please read the article. This is not a flaw in exchange, but a flaw in the server configuration. The feature is generally disabled but might have been enabled if the server in question had been infected with a virus.


    To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.


    Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said. "

    1. Re:Read the fine article. by NightSpots · · Score: 5, Insightful

      Then configure exchange not to allow the guest account to send email. Yes, you can set exchange to disallow sending email on a user by user level.

      Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.

      --

      --
      Use Vobbo for Video Blogs
    2. Re:Read the fine article. by julesh · · Score: 4, Insightful

      Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.

      Yes. That the generally accepted argument behind the 'Windows has a lower TCO than Unix' argument (that Windows admins are generally cheaper than Unix admins) is utter bollocks if you actually want a secure system that won't get your mail rejected by approximately a quarter of the internet.

  4. Re:Actually not just MS by ldspartan · · Score: 5, Insightful

    Maybe you're confusing qmail with a poorly configured, non-DJB-endorsed SMTP AUTH layer?

    If thats not the case, well, what you're saying makes no sense.

  5. More FUD for the Linux Side by bluekanoodle · · Score: 4, Insightful
    This is a completely retarded article. This isn't a hole, it's a misconfigured mail server improperly secured after a virus infection.

    Here I thought /. was the source for fair and balanced coverage.

    Must be a slow news week when a college kid can get the media's attention because he decided to point out the obvious.

  6. Re:Actually not just MS by Aardpig · · Score: 4, Insightful

    Turns out its actually a problem in SMTP's RFC

    Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?

    --
    Tubal-Cain smokes the white owl.
  7. Second or Third time by DAldredge · · Score: 4, Insightful

    This is either the second, third or forth time in the past 24 months that Microsoft has said the security is a top priority.

    But, then again, this is the same company that testified under oath that reveling the Windows source code would harm the National Security of the US. Then they licensed the source code to China.

  8. The Pseudo CNET FUD continues... by Anonymous Coward · · Score: 4, Insightful

    I'm all for kicking a company when they deserve it but yet again I feel this Microsoft bashing episode is another beefed up piece of CNET pseduo FUD disguised as news. I'm sick of the way they trump up the Windows vs. *Nix wars - it brings in readers (baaaaa).

    I agree it's a potential issues, but FFS this is 90% (again) a problem with the system admins, not Microsoft. Remember the recent spate of SSH issues - I know a handful of companies who got fucked by that because their admins had poor root passwords and didn't keep up with security issues. I do however agree that it should probably be removed (note that guest is off by default in Windows Server 2003).

    We need less dickheads running IT. It's not that hard to build secure solutions regardless of what platform you choose - you just need to know what you are doing.Companies need to grill their staff better at interviews and follow their performance.

    My 2 cents...

  9. Re:Are you INSANE? by Cally · · Score: 5, Insightful
    > Find me a linux app that can parse sendmail logs and let me go through
    > and say "show me all of the messages sent through server x that were
    > to or from user y", and then print the results with "to", "from",
    > "subject", and delivery status?
    >

    *application*? You're joking, right? This is a shell one-liner ffs...


    $ grep logfile [serverIP] | grep userX | grep userY | awk '{$2 $4 $6 $8}'

    - off the top of my head, and without sight of the logfile format, but that's roughly how you'd do it. And thanks to the power of the GPL, some nice people have actually written software to allow you to do this on Windows (namely, Cygwin) and it's available now, free of charge.


    You're welcome.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe