Slashdot Mirror


Mail Server Flaw Opens MS Exchange to Spam

bl8n8r writes: "Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not. There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to ensure your 'guest' accounts are still disabled.

23 of 487 comments

  1. This Just In... by E-Rock · · Score: 5, Insightful

    Misconfigured servers are vulnerable to exploit allowing relaying. Film at 11.

    Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.

  2. guest accounts by Pompatus · · Score: 4, Insightful

    "If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," ... The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled.

    Why on earth does a guest account even EXIST anymore????? I would think it is obvious that guest access on any machine is a bad thing.

    Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.

    Was code red really just a tool for spammers?

    --
    Squirrel ... It's not just for breakfast anymore
    1. Re:guest accounts by ejaw5 · · Score: 4, Insightful

      What's worse about the guest account is that while it can be disabled, it cannot be removed.

      --

      $cat /dev/random > Sig
  3. Are you INSANE? by CrankyFool · · Score: 4, Interesting

    What sort of IT group decides to run their Exchange environment unprotected on the internet?

    I'm working for a company that's deeply in MS's back pocket -- we use Windows *everything*, including Exchange. Our SMTP gateway? Postfix on Linux. Sure, I'd rather it was OpenBSD, but whatever -- it's still not Exchange.

    The bloatier the app, the harder it is to ensure it's secure. These are probably the same sort of people who run SQL Server on an unfirewalled system and are then shocked someone managed to hack into it.

    1. Re:Are you INSANE? by Cally · · Score: 5, Insightful
      > Find me a linux app that can parse sendmail logs and let me go through
      > and say "show me all of the messages sent through server x that were
      > to or from user y", and then print the results with "to", "from",
      > "subject", and delivery status?
      >

      *application*? You're joking, right? This is a shell one-liner ffs...


      $ grep serverIP logfile | grep userX | grep userY | awk '{print $2, $4, $6, $8}'

      - off the top of my head, and without sight of the logfile format, but that's roughly how you'd do it. And thanks to the power of the GPL, some nice people have actually written software to allow you to do this on Windows (namely, Cygwin) and it's available now, free of charge.
      You're welcome.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
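The log-tracing task quoted in this exchange, worked through as an added example (not code from the thread): it joins sendmail's from= and to= records on the queue ID and reports sender, recipients and delivery status for messages that passed through a given relay and involved a given user. The log lines are constructed here to look like sendmail's maillog format; note that sendmail does not log the Subject header by default, so that column is not available from the log alone.

```python
import re
from collections import defaultdict

# Constructed sendmail-style maillog lines (not taken from the thread). The queue ID
# (e.g. h4J3AbCD001234) is what links a message's from= record to its to= record(s).
SAMPLE_LOG = """\
May 19 03:10:37 mx1 sendmail[1234]: h4J3AbCD001234: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=client.example.org [192.0.2.10]
May 19 03:10:38 mx1 sendmail[1235]: h4J3AbCD001234: to=<bob@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.net. [198.51.100.25], dsn=2.0.0, stat=Sent (OK id=abc)
May 19 03:11:02 mx1 sendmail[1240]: h4J3B2EF001240: from=<carol@example.org>, size=512, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=client2.example.org [192.0.2.11]
May 19 03:11:03 mx1 sendmail[1241]: h4J3B2EF001240: to=<dave@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mx.example.com. [203.0.113.5], dsn=5.1.1, stat=User unknown
May 19 03:12:15 mx1 sendmail[1250]: h4J3CdGH001250: from=<eve@example.com>, size=640, class=0, nrcpts=1, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=mx.example.com [203.0.113.5]
May 19 03:12:16 mx1 sendmail[1251]: h4J3CdGH001250: to=<alice@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30640, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")

def parse_fields(text):
    """Split 'key=value, key=value' into a dict (values may hold spaces but not ', ')."""
    return dict(f.split("=", 1) for f in text.split(", ") if "=" in f)

def trace_messages(log_text, relay, user):
    """Return one record per message whose from= or to= record went via a relay
    containing `relay`, and where `user` is the sender or one of the recipients."""
    msgs = defaultdict(lambda: {"from": None, "to": [], "stat": [], "relays": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        f = parse_fields(m.group("fields"))
        if "from" in f:                      # envelope sender record
            rec["from"] = f["from"].strip("<>")
        if "to" in f:                        # one record per recipient, with its status
            rec["to"].append(f["to"].strip("<>"))
            rec["stat"].append(f.get("stat", "?"))
        if "relay" in f:                     # sending client or next-hop host
            rec["relays"].add(f["relay"])
    out = []
    for qid, rec in msgs.items():
        if not any(relay in r for r in rec["relays"]):
            continue
        if user != rec["from"] and user not in rec["to"]:
            continue
        out.append({"qid": qid, "from": rec["from"], "to": rec["to"], "stat": rec["stat"]})
    return out
```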
  4. Read the fine article. by Anonymous Coward · · Score: 5, Insightful

    Please read the article. This is not a flaw in Exchange, but a flaw in the server configuration. The feature is generally disabled but might have been enabled if the server in question had been infected with a virus.

    To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.

    Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said."

    1. Re:Read the fine article. by bgog · · Score: 4, Funny

      I did read the article and am fully aware of its implications. However... SHUT UP... I'm trying to get them to upgrade! :) SHHHH

    2. Re:Read the fine article. by bgog · · Score: 4, Interesting

      Furthermore, what if someone wants the guest account enabled? It states in the article: "... even if the login fails". Sounds like a bug to me.

    3. Re:Read the fine article. by NightSpots · · Score: 5, Insightful

      Then configure exchange not to allow the guest account to send email. Yes, you can set exchange to disallow sending email on a user by user level.

      Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.

    4. Re:Read the fine article. by Da_Weasel · · Score: 4, Informative

      Nope... try to refrain from commenting when you really have nothing of value to add. The Windows Guest account is equivalent to the anonymous login in most other systems. These do not require a valid password, and generally anything or nothing can be entered. If there was a password that could fail then it would no longer be a Guest/Anonymous account now, would it?! Don't take it personally though, I was just in a flaming mood, and your post smelled like gasoline... haha!

      --
      If you must!
    5. Re:Read the fine article. by julesh · · Score: 4, Insightful

      > Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.

      Yes. That the generally accepted argument behind the 'Windows has a lower TCO than Unix' argument (that Windows admins are generally cheaper than Unix admins) is utter bollocks if you actually want a secure system that won't get your mail rejected by approximately a quarter of the internet.

  5. Re:Actually not just MS by ldspartan · · Score: 5, Insightful

    Maybe you're confusing qmail with a poorly configured, non-DJB-endorsed SMTP AUTH layer?

    If that's not the case, well, what you're saying makes no sense.

  6. More FUD for the Linux Side by bluekanoodle · · Score: 4, Insightful

    This is a completely retarded article. This isn't a hole, it's a misconfigured mail server improperly secured after a virus infection.

    Here I thought /. was the source for fair and balanced coverage.

    Must be a slow news week when a college kid can get the media's attention because he decided to point out the obvious.

    1. Re:More FUD for the Linux Side by Anonymous Coward · · Score: 4, Funny

      > Here I thought /. was the source for fair and balanced coverage.

      You're new here, aren't you?
  7. Re:Actually not just MS by Aardpig · · Score: 4, Insightful

    > Turns out it's actually a problem in SMTP's RFC

    Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?

    --
    Tubal-Cain smokes the white owl.
  8. Second or Third time by DAldredge · · Score: 4, Insightful

    This is either the second, third or fourth time in the past 24 months that Microsoft has said that security is a top priority.

    But, then again, this is the same company that testified under oath that revealing the Windows source code would harm the National Security of the US. Then they licensed the source code to China.

  9. Simple problem, simple fix by bigberk · · Score: 4, Informative

    The problem has nothing to do with Exchange, or SMTP itself. It has to do with SMTP AUTH -- an extension that allows clients to authenticate themselves. This allows a roaming client (connecting from anywhere) to authenticate via username and password, and they are then given relaying rights as if they were directly on the ISP's network.

    The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more. Once the spammer is 'authenticated' they are free to relay. They could have also guessed any real user's password, the effect would be the same.

    1. Re:Simple problem, simple fix by doorbot.com · · Score: 4, Informative

      > The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more.

      This is 90% correct. It's important to understand the function of the "Guest" account in Windows. It allows any user, using any login name, and any password, to authenticate. Enabling the "Guest" account does not allow the username "Guest" to log in specifically; it enables any username that does not match an existing user in Active Directory or the local SAM to authenticate.

      Clearly this is a security vulnerability, and is why the Guest account ships in the disabled state. It would be very nice if Windows would warn you when you enabled it, and made an attempt to explain the implications of doing so.

      With regards to attempts at guessing SMTP AUTH passwords, this has been happening lately. One caveat is that on a Linux box it can be difficult to enumerate the usernames, while on a Windows box (AD/NT/workstation) it is usually quite easy <insert obligatory firewall statement here>.
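The two symptoms described in bigberk's and doorbot.com's comments, a catch-all Guest account that lets any unknown username authenticate, and password guessing against SMTP AUTH, can both be spotted in the server's own authentication log. The audit below is an added example, not code from the thread or from Exchange; the log format and the user directory are constructed for illustration (Exchange's real protocol log looks different, so the regex would need adapting).

```python
import re
from collections import Counter

# Constructed SMTP AUTH log excerpt (not from the thread, and not Exchange's real
# log format): one line per AUTH attempt with timestamp, client IP, username, result.
SAMPLE_AUTH_LOG = """\
2003-05-19 03:10:37 192.0.2.10 AUTH user=alice result=success
2003-05-19 03:10:41 198.51.100.7 AUTH user=guest result=fail
2003-05-19 03:10:42 198.51.100.7 AUTH user=guest result=fail
2003-05-19 03:10:43 198.51.100.7 AUTH user=guest result=fail
2003-05-19 03:10:44 198.51.100.7 AUTH user=guest result=success
2003-05-19 03:10:50 198.51.100.7 AUTH user=zxq91 result=success
2003-05-19 03:11:02 203.0.113.9 AUTH user=bob result=fail
2003-05-19 03:11:05 203.0.113.9 AUTH user=bob result=success
"""

# Constructed directory of real accounts. With the Guest account enabled, names that
# are NOT in the directory still authenticate, which is the symptom checked for below.
KNOWN_USERS = {"alice", "bob", "carol"}

AUTH_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) AUTH user=(?P<user>\S+) result=(?P<result>\w+)$")

def audit_auth_log(log_text, known_users, fail_threshold=3):
    """Return (ghost_logins, guessing_sources): successful AUTHs for usernames that are
    not real accounts (catch-all guest symptom), and client IPs with >= threshold failures."""
    ghost_logins = []
    failures = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        user, ip, result = m.group("user"), m.group("ip"), m.group("result")
        if result == "fail":
            failures[ip] += 1                # candidate password guessing
        elif user not in known_users:
            ghost_logins.append((m.group("ts"), ip, user))  # should be impossible
    guessing = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return ghost_logins, guessing
```

Any entry in the first list means the server accepted credentials for a name the directory does not know, which on Exchange points straight at an enabled Guest account.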

  10. The Pseudo CNET FUD continues... by Anonymous Coward · · Score: 4, Insightful

    I'm all for kicking a company when they deserve it, but yet again I feel this Microsoft bashing episode is another beefed up piece of CNET pseudo FUD disguised as news. I'm sick of the way they trump up the Windows vs. *Nix wars - it brings in readers (baaaaa).

    I agree it's a potential issue, but FFS this is 90% (again) a problem with the system admins, not Microsoft. Remember the recent spate of SSH issues - I know a handful of companies who got fucked by that because their admins had poor root passwords and didn't keep up with security issues. I do however agree that it should probably be removed (note that guest is off by default in Windows Server 2003).

    We need less dickheads running IT. It's not that hard to build secure solutions regardless of what platform you choose - you just need to know what you are doing. Companies need to grill their staff better at interviews and follow their performance.

    My 2 cents...

  11. Re: indemnity? by Black+Parrot · · Score: 5, Funny
    > Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.

    Yes, they agree to only charge you one license for the unauthorized use of 'guest', no matter how many spammers are actually using it.

    They also agree to send someone to show your PHB some overdecorated ppt slides about how secure their software is, if incidents like this have him thinking about switching to another software supplier.

    --
    Sheesh, evil *and* a jerk. -- Jade
  12. Re:Actually not just MS by skinfitz · · Score: 4, Informative

    > Have you actually read RFC 821? If so, perhaps you could point out exactly where the functionality of the guest-level account is specified? Or are you just talking out of your arse?

    It wouldn't be mentioned in that RFC as I believe that was written before any form of user authentication was part of SMTP. AUTH SMTP is described in RFC 2554 - SMTP Service Extension for Authentication; however, it doesn't mention anything about a "guest" account specifically, just "accounts".

    Modern SMTP mail systems are based on a number of RFCs - 2234, 1869, 1891, 2119, 2222, 2476, 2195, 821, 822

  13. Guest Accounts by Detritus · · Score: 4, Interesting

    Maybe because some of us still believe that computers are there to provide useful services to the community, which may be a university, corporation or other large organization.

    Many organizations are decentralized, without an IT Gestapo to dole out accounts and enforce the "One True Way".

    In many cases, multiple organizations need to collaborate and share information in order to pursue common goals.

    In other words, I may wish to share information and resources with other people, even members of the public, without requiring them to have an account on the system.

    If I wanted perfect security, I would encase the computer in concrete and dump it in the ocean.

    --
    Mea navis aericumbens anguillis abundat
  14. security != lots of patches by ahodgkinson · · Score: 5, Interesting

    Wait a minute. The problem only affects misconfigured servers? The article states that the problem affected servers infected by CodeRed that had been de-infected, presumably by service packs downloaded from Microsoft. To quote:

    > ...Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled...

    Does cleaned mean that a MS service pack forgot to close the holes or even opened a new security hole? Either way, in the light of MS's so called security initiative the result is unacceptable.

    The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers. That's why vendors who sell secure systems set strict default settings. A real security initiative would lock down the OS as tight as Guantanamo Bay, but MS rightly fears that would alienate their customers.

    Early on MS's goal was market share and control. They targeted 'ease of use' and adopted a policy of tight integration between the OS and applications, including massive auto-enabling (by default!) of applications via application data like documents, e-mails, etc. The result is that the current Microsoft server is merely a single user system on steroids. Even with their previous Internet initiative (which basically produced a free embedded browser and a lot of service packs) the MS OS still suffers from the single user mindset. Witness all the 'way too friendly' default settings on most Microsoft systems. It worked (mostly) fine when the PCs were all in one office connected by a sneaker net (the viruses just spread slower via floppy). But now in the Internet age they're paying the price.

    As Bruce Schneier says: security is a process not a product. Until that process becomes part of MS's corporate culture, don't expect much security from Microsoft. Gates may be trying to change that, but given their history of going after market share and their foundations of sand, it's gonna take a long time.

    --
    It won't be as bad as you fear or as good as you hope, but it will take twice as long as you plan.