Mail Server Flaw Opens MS Exchange to Spam

bl8n8r writes: " Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not. There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.

Finally, linux integration for me!

[bgog]

YES!!! More ammo to convice my IT department to upgrade exchange so I can connect the Ximian Evolution calendar to it. It's the last hurtle between me and 100% linux on the desktop at work.

Re:Finally, linux integration for me!

[bgog]

Good point. Depending on the size of the company, IT departments tend to get a little agitated when you don't use the approved OS. I used to work for Intel developing Linux kernel modules. At first they refused to allow us to install linux on our boxes. (uhhh ok, they how do we do the job?) Then they wouldn't give us root access to the linux installation on our development machines. (or root equiv) Hard to develop kernel mods without root access. Oddly enough there were others in our group who had trouble getting administrator accounts on their NT boxes so they could develop windows drivers. Luckily i've only experienced this behavior in rather large companies. :)

Ensure

Ensure? Insure? Do both work now? Apparently dictionary.com says so.

Are you INSANE?

[CrankyFool]

What sort of IT group decides to run their Exchange environment unprotected on the internet?

I'm working for a company that's deeply in MS's back pocket -- we use Windows *everything*, including Exchange. Our SMTP gateway? Postfix on Linux. Sure, I'd rather it was OpenBSD, but whatever -- it's still not Exchange.

The bloatier the app, the harder it is to ensure it's secure. These are probably the same sort of people who run SQL Server on an unfirewalled system and are then shocked someone managed to hack into it.

Re:Read the fine article.

[bgog]

Furthur more, what if someone wants the guest account enabled. It states in the article. "... even if the login fails" Sound like a bug to me.

Re:Will probably do better for MS advocacy

[PugMajere]

In Linux/Unix/BSD, you can preemptively defend against unknown flaws.

That's not possible w/Windows.

(For example, chroot jails to limit exposure, etc.)

information systems manager?

[anno1602]

Oh pretty, pretty please... What happened to sysadmin?

Guest Accounts

[Detritus]

Maybe because some of us still believe that computers are there to provide useful services to the community, which may be a university, corporation or other large organization.

Many organizations are decentralized, without an IT Gestapo to dole out accounts and enforce the "One True Way".

In many cases, multiple organizations need to collaborate and share information in order to pursue common goals.

In other words, I may wish to share information and resources with other people, even members of the public, without requiring them to have an account on the system.

If I wanted perfect security, I would encase the computer in concrete and dump it in the ocean.

Re:guest accounts

[kinkie]

Just for the same reason why my brand new Linux box has a "nobody" account. Which, admittedly, cannot log on.

Having an user with no privileges whatsoever (at least in theory) is a very handy convenience.

security != lots of patches

[ahodgkinson]

Wait a minute. The problem only affects misconfigured servers? The article states that the problem affected servers infected by CodeRed that had been de-infected, presumably by service packs downloaded from Microsoft. To quote:

• ..Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled...

Does cleaned mean that a MS service pack forgot to close the holes or even opened a new security hole? Either way, in the light of MS's so called security initiative the result is unacceptable.

The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers. That's why vendors who sell secure systems set strict default settings. A real security initiative would lock down the OS a tight as Guantanamo Bay, but MS rightly fears that would alienate their customers.

Early on MS's goal was market share and control. They targeted 'ease of use' and adopted a policy of tight integration between the OS and applications, including massive auto-enabling (by default!) of applications via application data like documents, e-mails, etc. The result is that the current Microsoft server is merely a single user system on steroids. Even with their previous Internet initiative (which basically produced a free embedded browser and a lot of service packs) the MS OS still suffers from the single user mindset. Witness all the 'way too friendly' default settings on most Microsoft systems. It worked (mostly) fine when the PCs were all in one office connected by a sneaker net (the viruses just spread slower via floppy). But now in the Internet age they're paying the price.

As Bruce Schneier says: security is a process not a product. Until that process becomes part of MS's corporate culture, don't expect much security from Microsoft. Gates may be trying to change that, but given their history of going after market share and their foundations of sand, it's gonna take a long time.

Re:guest accounts

[MarcQuadra]

I don't know if it's worth anything, but I always rename the default accounts on any windows box that's connected to the 'net. I rename Administrator to 'root' and guest to 'nobody' and other such nonsense. One would think that it would at least stop a great many 'brute-force' scripted login attempts against windows machines. It's also more convenient for me as a Linux Guy to have 'root' login (ever typed 'Administartor'?)

Re:Read the fine article.

[Spoing]

I did read the article and am fully aware of it's implications. However... SHUT UP... I'm trying to get them to upgrade! :) SHHHH

No kidding. As a former Exchange admin, POP/SMTP/... support -- or at a bare minimum an upgrade to Exchange 2000 -- is exactly what I do want so I can stop using that damn Outlook Web Access (OWA).

I've asked multiple times if they have plans for any upgrade -- I've sent links to alternatives, asked if Exchange 2000 was planned -- and get no response from corporate except "only the Outlook desktop client is supported". (Exchange 2000 is supported by Ximian's plugin, though Exchange 5.x is not.)

I want to use Evolution where all my other mail is, and not muck around with file format converters and OWA is a real weak client app.

The workarounds -- file converters and exporters -- only help with scraping out what is on the servers and don't help with making it dynamic.

Even using Outlook under Wine -- something I've not tried -- would still be second rate. No vFolders; why bother? It's such a pain to drag and drop mail between folders and filters only move, delete, or duplicate -- causing a long term mess.

Keep Exchange behind a SMTP proxy

[programmingart]

That's what I do. Only thing the spammers see is a ASTARO Security Linux. Which for the 12 person remote office, was the best purchase we ever made. I don't really worry to much about Exchange vulns. Especially since the last patch killed the Exchange server, and I had to come up off backups. For a network admin with better things to do, Astaro Security Linux is great. When my larger network at a very renown hospital system was dealing with viruses and everything else, the remote office didn't see a single infection, even though they connect to the larger network. Thank you Astaro.

Re:Second or Third time

[gl4ss]

not fixed, they provided a new product for the market. a fatal flaw in a car gets 'fixed' by the manufacturer, ms way of dealing with such flaws is to sell a new product, instead of making the old product what they advertised it to be.

besides, ms argues that anybody can be an administrator. they can't argue that and say that security is their top priority(or, they can, but they'll be bullshitting in one way or another).

also they provided a tool that was supposed to check if you were compromised, yet it didn't(so even competent admins could have fallen for it IF they trusted ms, and if you don't trust the guys that provide you a properiaty os, who the hell are you going to trust?).

Re:guest accounts

[fdiskne1]

I rename the administrator account for my net-facing servers to some nearly random series of characters that no one could guess, but I know and also have hidden away, just in case. I rename the "Guest" account to "Administrator", disable it, expressly deny logon rights and expressly deny NTFS permissions to the root of the C: drive. Should take care of anyone attempting to log on as "Administrator" AND "Guest".