Hi, Scott:

THX for this detailed heads-up. :-)

jas

--- In what_error_messages_really_mean_Win2kServer@xxxxxxxxxxxxxxx, "Scott Bickerton" <sbickerton@xxxx> wrote:
> Greetings all! Long time (once again!)...
>
> All is well for us, still in the middle of AD upgrade and Exchange55
> to E2k... I'll catch up with ya'll later, but I wanted to make
> everyone aware of a potential SPAM relay situation (without
> the "relay").
>
> According to Microsoft technician, this started appearing about 3
> weeks ago, and gaining speed every day. Before I begin, this is NOT
> a vulnerability for Microsoft, this is failure by an Administrator not
> following Best Practices (No, the Admin wasn't me!)...
>
> BACKGROUND:
> We are currently running a mixed environment while we migrate from
> E55 to E2K. 6 Exchange servers all pointing to a bridgehead for our
> sole Internet Mail Connector (IMC).
>
> This Sunday, our Bridgehead started getting clogged with outbound
> messages, basically timing-out the SMTP service. The service
> wouldn't stop, but would stall attempting to process 10's of
> thousands of SPAM messages. We tried Telnet and rechecked all anti-
> relay safeguards, everything was as it should be. Telnet would give
> the "Relay Denied" message, so we felt something strange was
> happening, just not sure what. Monday we ran the www.ordb.org test,
> and again, we passed as "no open relay found".
>
> We contacted Microsoft and immediately they asked if the emails stuck
> in the queue were
> from "bluestell<+random2characters>@<randomdomain>.com"...
> EXACTLY !
>
> Apparently, one of our accounts was compromised (local machine
> Admin). Since we require POP3 access for our users, this protocol is
> enabled but to only "Authenticated Users". Well guess what, the
> spammers now have an Authenticated User. The spammers log in using
> POP3, then send SPAM using SMTP...
> The accounts to watch out for
> which (if not already) should either be disabled or have STRONG
> passwords (heh, typical Best Practices stuff):
>
> Administrator (local machine)
> Guest (should be disabled)
> Webmaster
>
> This could be any user account, not just these... All they need to
> do is be able to authenticate, then you will become a SPAMer...
> Without the "relay" as we knew it...
>
> In closing, for Pete's sake, do NOT place an Internet connected
> computer on the Internet with a blank Administrator password...
> Sheeze! We got lucky, this could have been much worse if an actual
> hacker got on that box! This Admin is no longer with us, mainly for
> doing "smart" stuff like this.
>
> :-)
>
> Feel free to cross-post to any appropriate groups...
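Added example, not code from Scott's post or from the list: a small Python audit over constructed bridgehead log lines that applies the post's own distinction. Open-relay tests pass because nobody is relaying anonymously; the tell is one authenticated account (here the local Administrator, an assumed account name) submitting a flood of messages whose envelope senders are not in the local domain. The log line format, the domain corp.example and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of per-message submission records from a bridgehead.
# The layout is an assumption for this example, not a real Exchange log
# format: one line per accepted message, with the account that authenticated
# and the envelope sender it used. The bluestell??@random.com senders mirror
# the pattern Microsoft described in the post.
SAMPLE_LOG = """\
2003-05-04 02:11:07 auth=CORP\\jdoe from=jdoe@corp.example rcpts=1
2003-05-04 02:11:09 auth=CORP\\Administrator from=bluestellq7@zxy1.com rcpts=48
2003-05-04 02:11:10 auth=CORP\\Administrator from=bluestellm2@abc9.com rcpts=50
2003-05-04 02:11:12 auth=CORP\\Administrator from=bluestellaa@qqq3.com rcpts=47
2003-05-04 02:11:15 auth=CORP\\msmith from=msmith@corp.example rcpts=2
2003-05-04 02:11:20 auth=CORP\\Administrator from=bluestellzz@rnd7.com rcpts=49
"""

LINE_RE = re.compile(r"auth=(?P<auth>\S+) from=(?P<sender>\S+) rcpts=(?P<rcpts>\d+)")

# The accounts the post singles out: none of them should be submitting mail.
WATCHLIST = {"administrator", "guest", "webmaster"}

def audit_auth_relay(log_text, local_domain, max_rcpts=100):
    """Map each authenticated account to the reasons it looks like an abused
    authenticated relay (empty result means nothing suspicious)."""
    per_user = defaultdict(lambda: {"msgs": 0, "foreign": 0, "rcpts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not submission records
        user = m.group("auth").split("\\")[-1].lower()  # strip DOMAIN\ prefix
        stats = per_user[user]
        stats["msgs"] += 1
        stats["rcpts"] += int(m.group("rcpts"))
        if not m.group("sender").lower().endswith("@" + local_domain):
            stats["foreign"] += 1  # envelope sender is not one of ours
    findings = {}
    for user, s in per_user.items():
        reasons = []
        if user in WATCHLIST:
            reasons.append("default/privileged account submitting mail")
        if s["rcpts"] > max_rcpts:
            reasons.append(f"{s['rcpts']} recipients exceed limit {max_rcpts}")
        if s["foreign"]:
            reasons.append(f"{s['foreign']} messages with non-local envelope sender")
        if reasons:
            findings[user] = reasons
    return findings
```

Running it on the sample flags only the Administrator account, for all three reasons; the two ordinary users pass.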