[windows_errors] [what_error_messages_really_mean_Win2kServer] Re: POP3 SPAM exploit, E55 and E2K...

  • From: "jasmine1212jas" <jasmine1212jas@xxxxxxxxx>
  • To: what_error_messages_really_mean_Win2kServer@xxxxxxxxxxxxxxx
  • Date: Sun, 12 Oct 2003 13:34:04 -0000

Hi, Scott:

THX for this detailed heads-up.

:-)

jas



--- In what_error_messages_really_mean_Win2kServer@xxxxxxxxxxxxxxx, "Scott Bickerton" <sbickerton@xxxx> wrote:
> Greetings all!  Long time (once again!)...
> 
> All is well for us, still in the middle of the AD upgrade and Exchange 5.5 
> to E2K...  I'll catch up with y'all later, but I wanted to make 
> everyone aware of a potential SPAM relay situation (without 
> the "relay").  
> 
> According to the Microsoft technician, this started appearing about 3 
> weeks ago, and is gaining speed every day.  Before I begin, this is NOT 
> a vulnerability for Microsoft, this is a failure by an Administrator not 
> following Best Practices (No, the Admin wasn't me!)...
> 
> BACKGROUND:
> We are currently running a mixed environment while we migrate from 
> E55 to E2K.  6 Exchange servers all pointing to a bridgehead for our 
> sole Internet Mail Connector (IMC).
> 
> This Sunday, our Bridgehead started getting clogged with outbound 
> messages, basically timing out the SMTP service.  The service 
> wouldn't stop, but would stall attempting to process tens of 
> thousands of SPAM messages.  We tried Telnet and rechecked all anti-relay 
> safeguards; everything was as it should be.  Telnet would give 
> the "Relay Denied" message, so we felt something strange was 
> happening, just not sure what.  Monday we ran the www.ordb.org test, 
> and again we passed as "no open relay found".
> 
> We contacted Microsoft and immediately they asked if the emails stuck 
> in the queue were 
> from "bluestell<+random 2 characters>@<random domain>.com"...  
> EXACTLY!
> 
> Apparently, one of our accounts was compromised (local machine 
> Admin).  Since we require POP3 access for our users, this protocol is 
> enabled, but only for "Authenticated Users".  Well, guess what: the 
> spammers now have an Authenticated User.  The spammers log in using 
> POP3, then send SPAM using SMTP...  The accounts to watch out for, 
> which (if not already) should either be disabled or have STRONG 
> passwords (heh, typical Best Practices stuff):
> 
> Administrator (local machine) 
> Guest (should be disabled)
> Webmaster
> 
> This could be any user account, not just these...  All they need to 
> do is be able to authenticate, and then you will become a spammer...  
> Without the "relay" as we knew it...
> 
> In closing, for Pete's sake, do NOT place an Internet-connected 
> computer on the Internet with a blank Administrator password...  
> Sheesh!  We got lucky; this could have been much worse if an actual 
> hacker got on that box!  This Admin is no longer with us, mainly for 
> doing "smart" stuff like this.
> 
> :-)
> 
> Feel free to cross-post to any appropriate groups...

