RE: Relaying Problem question - still fighting it!

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 30 Sep 2003 11:07:04 -0700

Have you tried reviewing the logs to see how the relaying is being done?
(Example, using a user account for authentication.) If you can pinpoint
which account has been compromised, you can change that password.


This is also a good time to review a password policy.


As far as the domain admin accounts go, it is my and others' opinion that the
default admin accounts should never be used for logging on normally.


Here is my policy that I force most of my clients to use:


1. Administrator accounts have 15 character alpha/numeric/special/caps
non-expiring passwords. No one is allowed to use these accounts.

2. Special accounts are set up for specific purposes. Example: exadmin,
sqladmin, backuponly, installer, appadmin and so forth. These are given
either 10 or 15 character non-expiring passwords. No one is allowed to use
these accounts unless they have to log onto the appropriate server to
administer that function.

3. Users needing administrative functions must have passwords at least 10
characters using alpha/numeric/special/caps.

4. Normal users must have passwords that must be changed every 45 days.


Of course, there are always exceptions based on circumstances.


John Tolmachoff MCSE CSSA


eServices For You


-----Original Message-----
From: KEN MORRIS [mailto:KMORRIS@xxxxxxx] 
Sent: Tuesday, September 30, 2003 10:32 AM
To: [ExchangeList]
Subject: [exchangelist] Relaying Problem question - still fighting it!



Our server has been compromised by an outside session using an internal
name/password, and our E2K server queues keep on filling up. I have had up
to 400 queues created overnight, and some of the queues can have well over
600 messages each waiting to be sent (I have frozen most of my queues as a
precaution). These relays are being set up after we are closed.


I am curious to see if anyone can answer the question of who would have the
rights to create a remote session to relay? Does it have to be an admin
account or can it be a standard user? 

I have eliminated the firewall by placing it on the restrictions for the
SMTP, and have unchecked the "allow all to relay" option. So I am stumped as
to how they are still being able to set up the relaying. My next plan is a
forced network-wide password change; after that... I have to come up with a
"Plan C".


I am having the problem of trying to convince the powers that be that all
user accounts need to have their passwords changed in order to eliminate
this hack. I am also recommending that our Domain Admin accounts be made
into guest accounts and new Domain Admin accounts be created. Does anyone
have any other suggestions and/or reading that I could do? So far I have
found very little on this type of attack.


Thanks for your help!
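One way to do the log review John suggests, as an added example that is not part of either post: assuming the SMTP virtual server's protocol log is in W3C extended format, this reads the column names from the log's own "#Fields:" line and ranks authenticated accounts by how many RCPT commands they issued outside business hours. The sample log lines, the field list, the column taken to hold the account name (ACCOUNT_FIELD) and the business hours are all constructed assumptions for this example; check them against a real log before trusting the result.

```python
from collections import defaultdict
from datetime import time

# Constructed sample of an SMTP protocol log in W3C extended format.
# The field list and the meaning of cs-username are assumptions for this
# example: read the real log's "#Fields:" line and adjust ACCOUNT_FIELD.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2003-09-29 09:15:02 10.0.0.12 - MAIL +FROM:<alice@example.com> 250
2003-09-29 09:15:03 10.0.0.12 - RCPT +TO:<bob@example.com> 250
2003-09-29 23:41:10 203.0.113.7 jsmith AUTH +LOGIN 334
2003-09-29 23:41:11 203.0.113.7 jsmith MAIL +FROM:<promo@example.net> 250
2003-09-29 23:41:12 203.0.113.7 jsmith RCPT +TO:<x1@example.org> 250
2003-09-29 23:41:13 203.0.113.7 jsmith RCPT +TO:<x2@example.org> 250
2003-09-30 02:05:40 198.51.100.9 jsmith RCPT +TO:<x3@example.org> 250
2003-09-30 08:30:00 10.0.0.44 mjones RCPT +TO:<team@example.com> 250
"""

ACCOUNT_FIELD = "cs-username"           # assumed column holding the authenticated account
OPEN_HOURS = (time(8, 0), time(18, 0))  # assumed business hours; outside = "after we are closed"


def parse_w3c(text):
    """Yield one dict per log record, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))  # W3C encodes spaces as '+', so split is safe


def after_hours(rec):
    """True when the record's time falls outside OPEN_HOURS."""
    hh, mm, ss = (int(x) for x in rec["time"].split(":"))
    return not (OPEN_HOURS[0] <= time(hh, mm, ss) < OPEN_HOURS[1])


def rank_relaying_accounts(text):
    """Count after-hours RCPT commands per authenticated account.
    Returns [(account, rcpt_count, sorted source IPs)], busiest account first."""
    rcpts = defaultdict(int)
    sources = defaultdict(set)
    for rec in parse_w3c(text):
        acct = rec.get(ACCOUNT_FIELD, "-")
        if acct == "-" or rec["cs-method"] != "RCPT" or not after_hours(rec):
            continue  # anonymous session, not a recipient command, or during office hours
        rcpts[acct] += 1
        sources[acct].add(rec["c-ip"])
    return sorted(((a, n, sorted(sources[a])) for a, n in rcpts.items()),
                  key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for acct, n, ips in rank_relaying_accounts(SAMPLE_LOG):
        print(f"{acct}: {n} after-hours RCPT commands from {', '.join(ips)}")
```

The account at the top of the list is the one whose password to change first; the source IPs beside it are what to block at the SMTP restrictions or firewall while that is done.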



