RE: Relaying question

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Sun, 28 Sep 2003 09:50:46 -0500

Hi Chris,

How about creating a client address set for the addresses that are attacking 
your server and then using that client address set in the "except" section of the 
SMTP Server Publishing Rule on your ISA firewall?

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 
________________________________________
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
Sent: Friday, September 26, 2003 12:25 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/
According to Microsoft, my exchange is secure. We are not an open relay and in 
theory we should have no worries. However, the type of relaying going on here 
is malicious. It is a brute force attack on our user-base and not a simple IP 
spoof. The relay options in system manager are to allow all relay traffic 
except for the following. Then we have added the internal IP of our firewall as 
the exception since it nats all traffic including SMTP. Therefore, if someone 
wanted to relay, their email would appear to be from the internal NIC of the 
firewall and would be stopped. However, the checkbox at the bottom of this same 
screen says, "Allow all computers which successfully authenticate to relay, 
regardless of the list above". Therefore, when they manage to get a 
user/password that works, it doesn't matter where it comes from, they will get 
relayed. What will happen if I uncheck this box? Will true internal users still 
be able to relay? Will external relay be stopped using the smtp/Auth method? 
These are the questions I cannot find answers to. Any help would be 
appreciated. Thanks.
 
-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] 
Sent: Friday, September 26, 2003 10:20 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question
 
Have you considered having a look at the information on this subject at 
www.microsoft.com/security ?
 
There are some articles that discuss how to secure your server that also talk 
about the trade-offs that go with it.  Although Tom's idea of fun is a little 
skewed ;) you can hurt yourself if you make the changes without a full 
understanding of what you are doing and what its effects will be.  
 
 
ajm
-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
Sent: Friday, September 26, 2003 9:54 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question
The problem is, I need to allow relay internally. I have various custom apps 
that the users need to email a client upon completion of a workorder. They each 
do over 500 a day and automation is the only way to do this effectively. So, if 
I shut off the checkbox in question, will the internal IPs still be able to 
relay?
 
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Friday, September 26, 2003 9:50 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question
 
Hi Chris,
 
Yes. If you don't allow relay, then the server will not relay. You can also do 
other things like prevent the machine from resolving Internet host names (just 
for fun).
 
HTH,
Tom
 
Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
 
-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
Sent: Friday, September 26, 2003 8:34 AM
To: [ExchangeList]
Subject: [exchangelist] Relaying question
 
Per SpamCop and SpamHaus, "Spammers are taking advantage of weak passwords on 
systems using smtp/auth and brute force finding name/password combinations that 
work and then sending spam thru these servers. There are various characteristic 
footprints for this and one of them is the use of a "from" address of the 
format bluestallnn@some legit ISP and the "nn" iterates in each successive spam.
 
bluestelllf@xxxxxxx
bluestellpg@xxxxxxxxxxx
bluestelluf@xxxxxxxxx "
 
My question is this, if I uncheck "Allow all computers which successfully 
authenticate to relay, regardless of the list above", will this effectively 
stop brute force attacks on weak passwords as far as exchange is concerned and 
what will this break?
 
I am also taking measures by blocking their entire block of IPs. The ranges are 
as follows:
 
211.158.32.0/20
211.158.48.0/21
211.158.80.0/20
219.153.144.0/20
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: 
callen@xxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
------------------------------------------------------
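
The following is an added example, not written by anyone in this thread: a small Python check that looks for the three signals the thread mentions (sources inside the blocked ranges, an SMTP AUTH success that follows repeated failures, and the quoted "bluestall/bluestell" sender footprint). The log format, the field names, the failure threshold and the sample lines are all constructed assumptions and do not match Exchange's own log layout.

```python
import ipaddress
import re
from collections import defaultdict

# Ranges listed as blocked in the original post.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "211.158.32.0/20", "211.158.48.0/21",
    "211.158.80.0/20", "219.153.144.0/20")]

# Footprint quoted in the thread: "bluestall"/"bluestell" plus two changing letters.
FOOTPRINT = re.compile(r"^bluest[ae]ll[a-z]{2}@", re.IGNORECASE)

# Constructed sample log (hypothetical format: time, source IP, event, detail).
SAMPLE_LOG = """\
09:00:01 211.158.33.7 AUTH_FAIL jsmith
09:00:02 211.158.33.7 AUTH_FAIL jsmith
09:00:03 211.158.33.7 AUTH_FAIL jsmith
09:00:04 211.158.33.7 AUTH_OK jsmith
09:00:05 211.158.33.7 MAIL_FROM bluestelllf@example.net
09:00:06 211.158.33.7 MAIL_FROM bluestellpg@example.org
09:01:00 192.0.2.10 AUTH_OK workorder-app
09:01:01 192.0.2.10 MAIL_FROM workorders@example.com
09:02:00 198.51.100.4 AUTH_FAIL mjones
"""

def analyze(log_text, fail_threshold=3):
    """Return {ip: sorted reasons} for sources showing any of the three signals."""
    fails = defaultdict(int)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, ip, event, detail = parts
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP address; ignore the line
        if any(addr in net for net in BLOCKED):
            findings[ip].add("in-blocked-range")
        if event == "AUTH_FAIL":
            fails[ip] += 1
        elif event == "AUTH_OK" and fails[ip] >= fail_threshold:
            # A login that finally works after many misses suggests a guessed password.
            findings[ip].add("auth-success-after-failures")
        elif event == "MAIL_FROM" and FOOTPRINT.match(detail):
            findings[ip].add("footprint-sender")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}
```

An account that appears under "auth-success-after-failures" should have its password reset, since blocking the source range alone leaves the guessed credential usable from any other address.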