RE: open relay on Exchange 2000
- From: "Julio Danoviz" <jedanoviz@xxxxxxxxxxxxxxxx>
- To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
- Date: Wed, 4 Sep 2002 19:57:57 -0300
Yes, but an interesting issue is mail spoofing:
One of the vulnerabilities of the SMTP protocol is that it is possible to
attack closed relays... the only thing you have to do is send an email to a
fake email address, doing this the email will be sent back to the sender (that
could be anybody from any domain I wish!).
I could also include an attach... and the SMTP server would deliver this
information included in the NDR!
It's easy to see that I could generate a denial of service with this method
using the SMTP server's resources and also attacking if I desire the "sender".
Unless you disallow non-delivery reports and perform reverse DNS lookups on
incoming messages... but this has several disadvantages...
-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Miércoles, 04 de Septiembre de 2002 06:50 p.m.
To: [ExchangeList]
Subject: [exchangelist] RE: open relay on Exchange 2000
http://www.MSExchange.org/
They cannot just make up a username and password, it has to be a real
username and password.
Mark Fugatt
Pentech Office Solutions Inc
www.4mcts.com
www.exchangetrainer.com
Tel: 585 586 3890
Fax: 585 249 0316
Cell: 585 576 4750
Visit www.msexchange.org for valuable information about Microsoft Exchange
-----Original Message-----
From: maplesoft@xxxxxxxxxxxxx [mailto:maplesoft@xxxxxxxxxxxxx]
Sent: Wednesday, September 04, 2002 5:49 PM
To: [ExchangeList]
Subject: [exchangelist] open relay on Exchange 2000
http://www.MSExchange.org/
We have recently set up Exchange 2000. We wanted to make sure we did not
have
any open relays and followed the instructions given in Mark Fugatt's
article:
"Understanding Relaying and Spam with Exhange 2000."
Testing with the telnet session is successful, however, if a spammer really
wants to use our server, all they need to do is setup an Outlook Express
client with a bogus email address, tell OE to authenticate to our smtp
server
and provide a bogus username and password and the email will be relayed.
I do not know what we missed, but we must have missed something. If anyone
has any ideas, we would greatly appreciated them.
Thanks,
Scot
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
mark@xxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
jedanoviz@xxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
