I am still confused too. I have not applied any of these scripts, and am not infected on the client side or the server side, yet I cant connect to the exchange server. I can not use OWA for my salesmen because they need access to their mail when they are not connected, and I cant use POP3 because we use a exchange enabled fax solution for them to send outgoing faxes while on the road, so we have to publish the exchange server. We had Dan Bartley tell us he was having the same problem: ________________________________________________________________________ _______________________________________________ Interestingly enough, I am having the exact same problem. It started after applying the Win2k3 version of the patch. Best Regards, Dan Bartley ________________________________________________________________________ _________________________________________________ So what is the deal? Tom, can you connect to Exchange through ISA from the internet since these MS fixes have come about? Is it because my exchange server is having to drop so much worm related traffic that my users time out trying? I am not the most versed on net mon traffic analysis and all. Is there a good site on the how to's of net mon techniques? Thanks Jeff Sloan Network Administrator Cross Oil Refining & Marketing, Inc. 484 E. 6th St. Smackover, AR 71762 Phone 870-864-8688 Fax 870-864-8689 Cell 870-866-9941 -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Thursday, August 14, 2003 11:35 AM To: ISALists Subject: [isalist] RE: MS-Blast scripts http://www.ISAserver.org Hi Jim, OK, so its correct that the RPC filter *does* protect outbound. <sigh of relief> I understand re: LCD. I tried that approach. I disabled all my protocol and Site and Content Rules, but my mail got stuck in the queue. I had to enable them again to send this. :-) Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Thursday, August 14, 2003 11:10 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: MS-Blast scripts http://www.ISAserver.org That's the bad part; I have to assume the "least capable" when I write these scripts. There are many folks who choose not to use FP1 and all its kewl toys. ..for that matter, I think if you disable all outbound policies, then you'd never infect anyone with anything (except maybe the occasional cold). ;-) Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver http://isaserver.org/Jim_Harrison http://isatools.org Read the help, books and articles! ----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Thursday, August 14, 2003 07:57 Subject: [isalist] RE: MS-Blast scripts http://www.ISAserver.org Hi Jim, Hmmmm. I had the impression that if you created a outbound RPC Protocol Rule, that the updated RPC filter included in FP1 created a special RPC Protocol Definition that prevented the attack. Like the FTP filter's protocol definitions are tied to the FTP Access application filter, I thought the RPC Protocol Definition was tied to the RPC filter and therefore denuded the exploit. Now I'm getting really confused! Given the number of exploits carried out on TCP 80, TCP 25 and TCP 110, do you think I should shut those ports too? ;-) (www.tacteam.net/openport.htm) Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Thursday, August 14, 2003 9:30 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: MS-Blast scripts http://www.ISAserver.org Yep.but if it's a choice between outbound RPC and litigation because you sourced an infection elsewhere, it's OWA time... Unfortunately, the RPC filter only acts on inbound RPC. <sigh> Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Thu, 14 Aug 2003 01:54:44 -0500 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote: http://www.ISAserver.org Hi Jim, One of the actions of the script blocks outbound access to TCP 135. Won't this disable outbound Exchange RPC? Since we have the RPC filter, why do that? Won't it whack the utility of outbound Exchange Server access? Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Thursday, August 14, 2003 1:02 AM To: [ISAserver.org Discussion List] Subject: [isalist] MS-Blast scripts http://www.ISAserver.org OK; I finally finished them: http://isatools.org/msblast.zip It contains two scripts: - block_msblast.vbs; this will prevent an internal infection from spreading outside your walls it likes all Enterprise variations and Standalone environments equally - fix_msblast.vbs; this will remove the little bugger and even validate your hotfix instalation (in the registry, anyway) .take a look at the logic for the blocker script; you'll understand why scripting rules for Enterprise environments can get so hairy. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver http://isaserver.org/Jim_Harrison http://isatools.org Read the help, books and articles! ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jsloan@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')