Mail Server Flaw Opens MS Exchange to Spam

bl8n8r writes: " Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not. There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.

Are you INSANE?

[CrankyFool]

What sort of IT group decides to run their Exchange environment unprotected on the internet?

I'm working for a company that's deeply in MS's back pocket -- we use Windows *everything*, including Exchange. Our SMTP gateway? Postfix on Linux. Sure, I'd rather it was OpenBSD, but whatever -- it's still not Exchange.

The bloatier the app, the harder it is to ensure it's secure. These are probably the same sort of people who run SQL Server on an unfirewalled system and are then shocked someone managed to hack into it.

Re:Read the fine article.

[bgog]

Furthur more, what if someone wants the guest account enabled. It states in the article. "... even if the login fails" Sound like a bug to me.

Guest Accounts

[Detritus]

Maybe because some of us still believe that computers are there to provide useful services to the community, which may be a university, corporation or other large organization.

Many organizations are decentralized, without an IT Gestapo to dole out accounts and enforce the "One True Way".

In many cases, multiple organizations need to collaborate and share information in order to pursue common goals.

In other words, I may wish to share information and resources with other people, even members of the public, without requiring them to have an account on the system.

If I wanted perfect security, I would encase the computer in concrete and dump it in the ocean.

security != lots of patches

[ahodgkinson]

Wait a minute. The problem only affects misconfigured servers? The article states that the problem affected servers infected by CodeRed that had been de-infected, presumably by service packs downloaded from Microsoft. To quote:

• ..Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled...

Does cleaned mean that a MS service pack forgot to close the holes or even opened a new security hole? Either way, in the light of MS's so called security initiative the result is unacceptable.

The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers. That's why vendors who sell secure systems set strict default settings. A real security initiative would lock down the OS a tight as Guantanamo Bay, but MS rightly fears that would alienate their customers.

Early on MS's goal was market share and control. They targeted 'ease of use' and adopted a policy of tight integration between the OS and applications, including massive auto-enabling (by default!) of applications via application data like documents, e-mails, etc. The result is that the current Microsoft server is merely a single user system on steroids. Even with their previous Internet initiative (which basically produced a free embedded browser and a lot of service packs) the MS OS still suffers from the single user mindset. Witness all the 'way too friendly' default settings on most Microsoft systems. It worked (mostly) fine when the PCs were all in one office connected by a sneaker net (the viruses just spread slower via floppy). But now in the Internet age they're paying the price.

As Bruce Schneier says: security is a process not a product. Until that process becomes part of MS's corporate culture, don't expect much security from Microsoft. Gates may be trying to change that, but given their history of going after market share and their foundations of sand, it's gonna take a long time.