RE: Relaying question

  • From: "Allen, Chris" <CAllen@xxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 26 Sep 2003 13:25:14 -0400

According to Microsoft, my Exchange is secure. We are not an open relay
and in theory we should have no worries. However, the type of relaying
going on here is malicious. It is a brute force attack on our user base
and not a simple IP spoof. The relay options in System Manager are to
allow all relay traffic except for the following. Then we have added the
internal IP of our firewall as the exception, since it NATs all traffic
including SMTP. Therefore, if someone wanted to relay, their email would
appear to be from the internal NIC of the firewall and would be stopped.
However, the checkbox at the bottom of this same screen says, "Allow all
computers which successfully authenticate to relay, regardless of the
list above". Therefore, when they manage to get a user/password that
works, it doesn't matter where it comes from; they will get relayed.
What will happen if I uncheck this box? Will true internal users still
be able to relay? Will external relay be stopped using the SMTP/AUTH
method? These are the questions I cannot find answers to. Any help would
be appreciated. Thanks.

-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] 
Sent: Friday, September 26, 2003 10:20 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/

Have you considered having a look at the information on this subject at
www.microsoft.com/security?

There are some articles that discuss how to secure your server and that
also talk about the trade-offs that go with it. Although Tom's idea of
fun is a little skewed ;) you can hurt yourself if you make the changes
without a full understanding of what you are doing and what its effects
will be.

ajm

        -----Original Message-----
        From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
        Sent: Friday, September 26, 2003 9:54 AM
        To: [ExchangeList]
        Subject: [exchangelist] RE: Relaying question

        The problem is, I need to allow relay internally. I have various
        custom apps that the users need to email a client upon completion of a
        work order. They each do over 500 a day and automation is the only way to
        do this effectively. So, if I shut off the checkbox in question, will
        the internal IPs still be able to relay?

        -----Original Message-----
        From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
        Sent: Friday, September 26, 2003 9:50 AM
        To: [ExchangeList]
        Subject: [exchangelist] RE: Relaying question

        Hi Chris,

        Yes. If you don't allow relay, then the server will not relay.
        You can also do other things like prevent the machine from resolving
        Internet host names (just for fun).

        HTH,

        Tom

        Thomas W Shinder

        www.isaserver.org/shinder

        ISA Server and Beyond: http://tinyurl.com/1jq1

        Configuring ISA Server: http://tinyurl.com/1llp

                -----Original Message-----
                From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
                Sent: Friday, September 26, 2003 8:34 AM
                To: [ExchangeList]
                Subject: [exchangelist] Relaying question

                Per SpamCop and SpamHaus, "Spammers are taking advantage
                of weak passwords on systems using smtp/auth and brute force finding
                name/password combinations that work and then sending spam thru these
                servers. There are various characteristic footprints for this and one of
                them is the use of a "from" address of the format bluestallnn@some legit
                ISP and the "nn" iterates in each successive spam.

                bluestelllf@xxxxxxx

                bluestellpg@xxxxxxxxxxx

                bluestelluf@xxxxxxxxx "

                My question is this: if I uncheck "Allow all computers
                which successfully authenticate to relay, regardless of the list above",
                will this effectively stop brute force attacks on weak passwords as far
                as Exchange is concerned, and what will this break?

                I am also taking measures by blocking their entire block
                of IPs. The ranges are as follows:

                211.158.32.0/20

                211.158.48.0/21

                211.158.80.0/20

                219.153.144.0/20

        ------------------------------------------------------
        List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
        Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
        Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Other Internet Software Marketing Sites:
        Leading Network Software Directory: http://www.serverfiles.com
        No.1 ISA Server Resource Site: http://www.isaserver.org
        Windows Security Resource Site: http://www.windowsecurity.com/
        Network Security Library: http://www.secinf.net/
        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        ------------------------------------------------------
        You are currently subscribed to this MSExchange.org Discussion List as: callen@xxxxxxxxxxxxxxxx
        To unsubscribe send a blank email to $subst('Email.Unsub')
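The footprint quoted in the original post (a run of failed SMTP AUTH attempts from one client, then relayed mail whose From local part steps through two-letter suffixes) and the CIDR block list given there can both be checked against server logs mechanically. The Python script below is an added example written for this archive page, not code from the thread, from Microsoft or from SpamCop; it assumes a simplified one-event-per-line log format of its own, a constructed sample log, and an arbitrary failed-AUTH threshold of 5. The block list is the one from the post. It generalizes the quoted pattern slightly by treating the last two characters of any relayed sender's local part as the "nn" slot and grouping by the remaining base.

```python
"""Triage helper for SMTP AUTH relay abuse: flags brute-force sources,
hits on a CIDR block list, and the iterating-sender footprint."""
import ipaddress
import re
from collections import Counter, defaultdict

# Block list as given in the original post of the thread.
BLOCKED_RANGES = [
    ipaddress.ip_network(c)
    for c in ("211.158.32.0/20", "211.158.48.0/21",
              "211.158.80.0/20", "219.153.144.0/20")
]

# Assumed threshold (not from the thread): this many failed AUTHs from one
# client address marks it as a password-guessing source.
BRUTE_FORCE_THRESHOLD = 5

# Simplified log format assumed for this example (not a real Exchange log):
#   <timestamp> <client_ip> <event> [key=value ...]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<event>AUTH_OK|AUTH_FAIL|RELAY)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log, mimicking the footprint quoted in the post.
SAMPLE_LOG = """\
2003-09-26T08:01:02 211.158.40.17 AUTH_FAIL user=jsmith
2003-09-26T08:01:03 211.158.40.17 AUTH_FAIL user=jsmith
2003-09-26T08:01:04 211.158.40.17 AUTH_FAIL user=jsmith
2003-09-26T08:01:05 211.158.40.17 AUTH_FAIL user=jsmith
2003-09-26T08:01:06 211.158.40.17 AUTH_FAIL user=jsmith
2003-09-26T08:01:09 211.158.40.17 AUTH_OK user=jsmith
2003-09-26T08:01:10 211.158.40.17 RELAY from=bluestelllf@example.net to=a@example.org
2003-09-26T08:01:11 211.158.40.17 RELAY from=bluestellpg@example.net to=b@example.org
2003-09-26T08:01:12 211.158.40.17 RELAY from=bluestelluf@example.net to=c@example.org
2003-09-26T08:05:00 10.0.0.5 RELAY from=workorders@corp.example to=client@example.com
2003-09-26T08:05:01 10.0.0.5 RELAY from=workorders@corp.example to=other@example.com
"""


def is_blocked(ip):
    """True if ip falls inside any CIDR on the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def parse_log(text):
    """Parse log lines into dicts; lines not matching the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "ip": m["ip"], "event": m["event"]}
        rec.update(KV_RE.findall(m["rest"]))  # key=value pairs become dict entries
        records.append(rec)
    return records


def auth_failures_per_ip(records):
    """Count AUTH_FAIL events per client address."""
    return Counter(r["ip"] for r in records if r["event"] == "AUTH_FAIL")


def iterating_senders(records, min_variants=3):
    """Group relayed From: local parts by (client ip, base), where base is the
    local part minus its last two characters (the 'nn' slot from the quote).
    Returns {(ip, base): sorted suffixes} for groups with >= min_variants."""
    groups = defaultdict(set)
    for r in records:
        if r["event"] != "RELAY" or "from" not in r:
            continue
        local = r["from"].split("@", 1)[0]
        if len(local) <= 2:
            continue
        groups[(r["ip"], local[:-2])].add(local[-2:])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_variants}


def analyze(text):
    """Run all three checks over a log text and return a summary dict."""
    records = parse_log(text)
    failures = auth_failures_per_ip(records)
    return {
        "blocked_sources": sorted({r["ip"] for r in records if is_blocked(r["ip"])}),
        "brute_force_sources": sorted(ip for ip, n in failures.items()
                                      if n >= BRUTE_FORCE_THRESHOLD),
        "iterating_senders": iterating_senders(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample input the external client is reported under all three headings, while the internal work-order mailer (the legitimate automated relay described in the thread) trips none of them because it neither fails authentication nor varies its sender address. Real Exchange SMTP protocol logs use a different layout, so only `LINE_RE` and `KV_RE` would need adapting to run this against them.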


