Mail Server Flaw Opens MS Exchange to Spam

bl8n8r writes: " Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not. There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.

This Just In...

[E-Rock]

Misconfigured servers are vulnerable to exploit allowing relaying. Film at 11.

Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.

Read the fine article.

Please read the article. This is not a flaw in exchange, but a flaw in the server configuration. The feature is generally disabled but might have been enabled if the server in question had been infected with a virus.

To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.

Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said. "

Re:Read the fine article.

[NightSpots]

Then configure exchange not to allow the guest account to send email. Yes, you can set exchange to disallow sending email on a user by user level.

Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.

Re:Actually not just MS

[ldspartan]

Maybe you're confusing qmail with a poorly configured, non-DJB-endorsed SMTP AUTH layer?

If thats not the case, well, what you're saying makes no sense.

Re: indemnity?

[Black+Parrot]

> Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.

Yes, they agree to only charge you one license for the unauthorized use of 'guest', no matter how many spammers are actually using it.

They also agree to send someone to show your PHB some overdecorated ppt slides about how secure their software is, if incidents like this have him thinking about switching to another software supplier.

security != lots of patches

[ahodgkinson]

Wait a minute. The problem only affects misconfigured servers? The article states that the problem affected servers infected by CodeRed that had been de-infected, presumably by service packs downloaded from Microsoft. To quote:

• ..Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled...

Does cleaned mean that a MS service pack forgot to close the holes or even opened a new security hole? Either way, in the light of MS's so called security initiative the result is unacceptable.

The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers. That's why vendors who sell secure systems set strict default settings. A real security initiative would lock down the OS a tight as Guantanamo Bay, but MS rightly fears that would alienate their customers.

Early on MS's goal was market share and control. They targeted 'ease of use' and adopted a policy of tight integration between the OS and applications, including massive auto-enabling (by default!) of applications via application data like documents, e-mails, etc. The result is that the current Microsoft server is merely a single user system on steroids. Even with their previous Internet initiative (which basically produced a free embedded browser and a lot of service packs) the MS OS still suffers from the single user mindset. Witness all the 'way too friendly' default settings on most Microsoft systems. It worked (mostly) fine when the PCs were all in one office connected by a sneaker net (the viruses just spread slower via floppy). But now in the Internet age they're paying the price.

As Bruce Schneier says: security is a process not a product. Until that process becomes part of MS's corporate culture, don't expect much security from Microsoft. Gates may be trying to change that, but given their history of going after market share and their foundations of sand, it's gonna take a long time.

Re:Are you INSANE?

[Cally]

> Find me a linux app that can parse sendmail logs and let me go through
> and say "show me all of the messages sent through server x that were
> to or from user y", and then print the results with "to", "from",
> "subject", and delivery status?
>

*application*? You're joking, right? This is a shell one-liner ffs...


$ grep logfile [serverIP] | grep userX | grep userY | awk '{$2 $4 $6 $8}'



- off the top of my head, and without sight of the logfile format, but that's roughly how you'd do it. And thanks to the power of the GPL, some nice people have actually written software to allow you to do this on Windows (namely, Cygwin) and it's available now, free of charge.

You're welcome.