Greetings all! Long time (once again!)... All is well for us, still in the middle of the AD upgrade and Exchange 5.5 to E2K migration. I'll catch up with y'all later, but I wanted to make everyone aware of a potential SPAM relay situation (without the "relay"). According to a Microsoft technician, this started appearing about 3 weeks ago and is gaining speed every day. Before I begin, this is NOT a Microsoft vulnerability; this is a failure by an Administrator not following Best Practices (No, the Admin wasn't me!)...

BACKGROUND: We are currently running a mixed environment while we migrate from E55 to E2K: 6 Exchange servers all pointing to a bridgehead for our sole Internet Mail Connector (IMC). This Sunday, our bridgehead started getting clogged with outbound messages, basically timing out the SMTP service. The service wouldn't stop, but would stall attempting to process tens of thousands of SPAM messages. We tried Telnet and rechecked all anti-relay safeguards; everything was as it should be. Telnet would give the "Relay Denied" message, so we felt something strange was happening, just not sure what. Monday we ran the www.ordb.org test, and again we passed as "no open relay found".

We contacted Microsoft, and immediately they asked if the emails stuck in the queue were from "bluestell<+random 2 characters>@<random domain>.com"... EXACTLY! Apparently, one of our accounts was compromised (local machine Admin). Since we require POP3 access for our users, this protocol is enabled, but only for "Authenticated Users". Well, guess what: the spammers now have an Authenticated User. The spammers log in using POP3, then send SPAM using SMTP...

The accounts to watch out for, which (if not already) should either be disabled or have STRONG passwords (heh, typical Best Practices stuff):

Administrator (local machine)
Guest (should be disabled)
Webmaster

This could be any user account, not just these... All they need to do is be able to authenticate, and then you will become a spammer...
Without the "relay" as we knew it... In closing, for Pete's sake, do NOT place an Internet-connected computer on the Internet with a blank Administrator password... Sheesh! We got lucky; this could have been much worse if an actual hacker got on that box! This Admin is no longer with us, mainly for doing "smart" stuff like this. :-) Feel free to cross-post to any appropriate groups...
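Added example (editor's code, not part of the original post or anything Microsoft supplied): a small Python script that applies the post's indicators to authenticated SMTP submission records. It flags accounts that submit mail with a MAIL FROM outside the organisation's own domains, sender local parts matching the "bluestell" + two random characters pattern the Microsoft technician asked about, built-in accounts (Administrator, Guest, Webmaster) authenticating to send at all, and recipient volume above a threshold. The log format is a constructed, simplified one (date, time, client IP, authenticated account, MAIL FROM, recipient count); the real Exchange 2000 SMTP protocol log is a W3C extended log with different fields, so the parser's regex and the sample lines are assumptions to be adapted, and the campaign sender pattern is taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample log (not real Exchange 2000 protocol-log output).
# One authenticated SMTP submission per line:
#   date time client-ip authenticated-account mail-from rcpt-count
SAMPLE_LOG = """\
2002-04-14 03:12:07 203.0.113.9 CORP\\Administrator bluestellqx@example-promo.com 48
2002-04-14 03:12:09 203.0.113.9 CORP\\Administrator bluestellaz@cheap-offers.invalid 50
2002-04-14 03:12:11 203.0.113.9 CORP\\Administrator bluestellk7@example-promo.com 47
2002-04-14 03:12:14 203.0.113.9 CORP\\Administrator bluestell4m@bulkmail.invalid 49
2002-04-14 08:30:02 192.0.2.20 CORP\\jsmith jsmith@corp.example 1
2002-04-14 08:45:10 192.0.2.21 CORP\\jdoe jdoe@corp.example 3
2002-04-14 09:01:55 198.51.100.7 CORP\\webmaster webmaster@corp.example 1
"""

# Assumed layout of the constructed log lines above.
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)@(\S+) (\d+)$")

# Accounts the post says should never be authenticating to submit mail.
BUILTIN_ACCOUNTS = {"administrator", "guest", "webmaster"}

# Sender local part described in the post: "bluestell" + two random characters.
CAMPAIGN_SENDER_RE = re.compile(r"^bluestell[a-z0-9]{2}$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one submission record, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when, ip, account, local, domain, rcpts = m.groups()
    return {"when": when, "ip": ip, "account": account,
            "local": local, "domain": domain.lower(), "rcpts": int(rcpts)}


def analyze(log_text, local_domains, rcpt_threshold=100):
    """Aggregate submissions per authenticated account and return the accounts
    that trip at least one indicator, with the reasons and supporting data."""
    local_domains = {d.lower() for d in local_domains}
    stats = defaultdict(lambda: {"rcpts": 0, "foreign": set(), "campaign": 0, "ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["account"]]
        s["rcpts"] += rec["rcpts"]
        s["ips"].add(rec["ip"])
        if rec["domain"] not in local_domains:      # authenticated user sending as someone else's domain
            s["foreign"].add(rec["domain"])
        if CAMPAIGN_SENDER_RE.match(rec["local"]):   # the pattern Microsoft asked about
            s["campaign"] += 1

    findings = {}
    for account, s in stats.items():
        codes = []
        if account.split("\\")[-1].lower() in BUILTIN_ACCOUNTS:
            codes.append("builtin-account-submitting")
        if s["foreign"]:
            codes.append("foreign-sender-domain")
        if s["campaign"]:
            codes.append("campaign-sender-pattern")
        if s["rcpts"] >= rcpt_threshold:
            codes.append("recipient-volume")
        if codes:
            findings[account] = {"codes": codes, "rcpts": s["rcpts"],
                                 "foreign_domains": sorted(s["foreign"]),
                                 "client_ips": sorted(s["ips"])}
    return findings


if __name__ == "__main__":
    for account, f in analyze(SAMPLE_LOG, {"corp.example"}).items():
        print(account, f["codes"], "recipients:", f["rcpts"], "from", f["client_ips"])
```

On the constructed sample this flags CORP\Administrator on all four indicators (194 recipients in a few seconds, three outside domains, every sender matching the campaign pattern) and CORP\webmaster only because a built-in account is submitting mail at all; ordinary users with one or a few recipients to their own domain are not reported. The point is that none of these checks look at relaying: a passed ordb.org test and a "Relay Denied" reply to Telnet say nothing about what an authenticated account is allowed to send.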