[windows_errors] [what_error_messages_really_mean_Win2kServer] POP3 SPAM exploit, E55 and E2K...

  • From: "Scott Bickerton" <sbickerton@xxxxxxxxx>
  • To: what_error_messages_really_mean_Win2kServer@xxxxxxxxxxxxxxx
  • Date: Thu, 02 Oct 2003 03:17:57 -0000

Greetings all!  Long time (once again!)...

All is well for us, still in the middle of AD upgrade and Exchange55 
to E2k...  I'll catch up with y'all later, but I wanted to make 
everyone aware of a potential SPAM relay situation (without 
the "relay").  

According to Microsoft technician, this started appearing about 3 
weeks ago, and gaining speed every day.  Before I begin, this is NOT 
a vulnerability for Microsoft, this is failure by an Administrator not 
following Best Practices (No, the Admin wasn't me!)...

BACKGROUND:
We are currently running a mixed environment while we migrate from 
E55 to E2K.  6 Exchange servers all pointing to a bridgehead for our 
sole Internet Mail Connector (IMC).

This Sunday, our Bridgehead started getting clogged with outbound 
messages, basically timing-out the SMTP service.  The service 
wouldn't stop, but would stall attempting to process tens of 
thousands of SPAM messages.  We tried Telnet and rechecked all anti-
relay safeguards, everything was as it should be.  Telnet would give 
the "Relay Denied" message, so we felt something strange was 
happening, just not sure what.  Monday we ran the www.ordb.org test, 
and again, we passed as "no open relay found".

We contacted Microsoft and immediately they asked if the emails stuck 
in the queue were 
from "bluestell<+random2characters>@<randomdomain>.com"...  
EXACTLY !

Apparently, one of our accounts was compromised (local machine 
Admin).  Since we require POP3 access for our users, this protocol is 
enabled but to only "Authenticated Users".  Well guess what, the 
spammers now have an Authenticated User.  The spammers log in using 
POP3, then send SPAM using SMTP...  The accounts to watch out for 
which (if not already) should either be disabled or have STRONG 
passwords (heh, typical Best Practices stuff):

Administrator (local machine) 
Guest (should be disabled)
Webmaster

This could be any user account, not just these...  All they need to 
do is be able to authenticate, then you will become a SPAMmer...  
Without the "relay" as we knew it...

In closing, for Pete's sake, do NOT place an Internet connected 
computer on the Internet with a blank Administrator password...  
Sheeze!  We got lucky, this could have been much worse if an actual 
hacker got on that box!  This Admin is no longer with us, mainly for 
doing "smart" stuff like this.

:-)

Feel free to cross-post to any appropriate groups...
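A small check for the symptoms the post describes, added here as an example rather than anything from the post, the list, or Microsoft: it scans constructed SMTP submission log lines (the line format is an assumption, not the Exchange IMC log format) for the quoted "bluestell" sender pattern, for submissions by the accounts the post names, and for any authenticated account pushing unusual volume.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed format: timestamp, auth=<account>, from=<MAIL FROM>).
SAMPLE_LOG = """\
2003-10-02 03:10:01 auth=jsmith from=jsmith@example.com
2003-10-02 03:10:05 auth=Administrator from=bluestellq7@qwe1.com
2003-10-02 03:10:06 auth=Administrator from=bluestellx2@lkj9.com
2003-10-02 03:10:07 auth=Administrator from=bluestellmm@zzz3.com
2003-10-02 03:10:09 auth=Guest from=bluestellab@abc1.com
2003-10-02 03:11:00 auth=jsmith from=jsmith@example.com
"""

LINE_RE = re.compile(r"auth=(?P<acct>\S+)\s+from=(?P<sender>\S+)")

# Sender pattern quoted in the post: "bluestell" + two random characters @ random domain .com
SPAM_SENDER = re.compile(r"^bluestell[a-z0-9]{2}@[a-z0-9.-]+\.com$", re.IGNORECASE)

# Accounts the post says should be disabled or given strong passwords.
WATCHLIST = {"administrator", "guest", "webmaster"}


def parse_log(text):
    """Yield (account, sender) pairs from lines matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("acct"), m.group("sender")


def analyse_log(text, volume_threshold=3):
    """Return watchlist accounts submitting mail, high-volume accounts, and pattern hits per account."""
    records = list(parse_log(text))
    per_account = Counter(acct for acct, _ in records)
    pattern_hits = Counter(acct for acct, sender in records if SPAM_SENDER.match(sender))
    return {
        "watchlist_accounts_submitting": sorted(a for a in per_account if a.lower() in WATCHLIST),
        "high_volume_accounts": sorted(a for a, n in per_account.items() if n >= volume_threshold),
        "pattern_hits_per_account": dict(pattern_hits),
    }


if __name__ == "__main__":
    for key, value in analyse_log(SAMPLE_LOG).items():
        print(key, value)
```

Any hit on the watchlist or the sender pattern is a reason to disable the account and reset its password, since the relay is the account itself, not an open relay an ORDB test would find.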

