IIS and SMTP - Spammers die!


Author Spammers die!
Jason McClellan

2004-05-30, 11:53 am

I seem to be having a rather perplexing problem here.. starting this
morning, some spammers seem to be using my exchange 2003 server for open
relay.. fortunately the quantity is rather small, but still..

However, I have checked all the settings many times, everything seems to be
set right to prevent open relay, and the server passes open relay testing
from such places as abuse.net!

I can't figure out how these dirtbags are relaying. Everything looks set
right, and I pass all the relay tests. I have followed suggestions from
Q324958 and it does not appear to be an authenticated relay going on either.

I would REALLY appreciate ANY suggestions!

Thanks
Jason


Egbert Nierop (MVP for IIS)

2004-05-30, 11:53 am

"Jason McClellan" <jason_mcc@obsfucated.myrealbox.com> wrote in message
news:%23l0n%23yOREHA.1548@TK2MSFTNGP10.phx.gbl...
> I seem to be having a rather perplexing problem here.. starting this
> morning, some spammers seem to be using my exchange 2003 server for open
> relay.. fortunately the quantity is rather small, but still..


You need to be sure you are not looking at NDRs; the server might reply to a
spammer account that 'relaying was not possible'.

--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm


> However, I have checked all the settings many times, everything seems to be
> set right to prevent open relay, and the server passes open relay testing
> from such places as abuse.net!
>
> I can't figure out how these dirtbags are relaying. Everything looks set
> right, and I pass all the relay tests. I have followed suggestions from
> Q324958 and it does not appear to be an authenticated relay going on either.
>
> I would REALLY appreciate ANY suggestions!
>
> Thanks
> Jason
>
>


Jason McClellan

2004-05-30, 11:53 am


There seems to be a combination. Some are NDR's, but they are NDR's for
'unknown user' failures, and others are actual messages, with such subjects
as 'Enlarge your P*EN1S!' crap like that.

Also, I have filtering configured to reject recipients not in the
directory.

Is there some exploit that involves the guest account? I have disabled the
guest account, just for the hell of it, and the junk seems to be drying up..

Jason

"Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> wrote in
message news:%23EENkfPREHA.2032@TK2MSFTNGP11.phx.gbl...
> "Jason McClellan" <jason_mcc@obsfucated.myrealbox.com> wrote in message
> news:%23l0n%23yOREHA.1548@TK2MSFTNGP10.phx.gbl...
>
> You need to be sure, you are not looking at NDR's the server might reply a
> spammer account that 'relaying was not possible'
>
> --
> compatible web farm Session replacement for Asp and Asp.Net
> http://www.nieropwebconsult.nl/asp_session_manager.htm
>
>
>



Peter D. Hipson

2004-05-30, 11:53 am

Just as a matter for form, you should never enable the guest
account(s)! (for this very reason...)

On Fri, 28 May 2004 17:21:21 -0400, "Jason McClellan"
<jason_mcc@obsfucated.myrealbox.com> wrote:

>


>Is there some exploit that involves the guest account? I have disabled the
>guest account, just for the hell of it, and the junk seems to be drying up..
>
>Jason


PeterD, the Darkstar Network
To email, fix my address!
ExpertZone!



Jason McClellan

2004-05-30, 11:53 am


Nice to know.. but the guest account was never an issue before having
installed Exchange.. is there a KB article on this or something?


"Peter D. Hipson" <mcn01 at hipson dot net> wrote in message
news:2ujfb0p35u87olkoaab22hsnpeorlhllvn@4ax.com...
> Just as a matter for form, you should never enable the guest
> account(s)! (for this very reason...)
>
> On Fri, 28 May 2004 17:21:21 -0400, "Jason McClellan"
> <jason_mcc@obsfucated.myrealbox.com> wrote:
>
>
>
> PeterD, the Darkstar Network
> To email, fix my address!
> ExpertZone!



Lanwench [MVP - Exchange]

2004-05-30, 11:53 am

If you left authenticated relay enabled, someone may be exploiting it.
Disable it if you don't need it.
See http://www.vamsoft.com/orf/authattack.asp

Jason McClellan wrote:
> I seem to be having a rather perplexing problem here.. starting this
> morning, some spammers seem to be using my exchange 2003 server for
> open relay.. fortunately the quantity is rather small, but still..
>
> However, I have checked all the settings many times, everything seems
> to be set right to prevent open relay, and the server passes open
> relay testing from such places as abuse.net!
>
> I can't figure out how these dirtbags are relaying. Everything looks
> set right, and I pass all the relay tests. I have followed
> suggestions from Q324958 and it does not appear to be an
> authenticated relay going on either.
>
> I would REALLY appreciate ANY suggestions!
>
> Thanks
> Jason



Ken Schaefer

2004-05-30, 11:53 am

The "guest" account requires no password to authenticate...

Someone can authenticate to your fileserver, or any other resource, without
having to supply a password. That's why the guest account is *disabled* on
all Windows server OSes. Only enable it if you have a specific reason to do
so, and you are aware of the consequences...

Cheers
Ken

"Jason McClellan" <jason_mcc@obsfucated.myrealbox.com> wrote in message
news:%23KvfLgRREHA.2404@TK2MSFTNGP09.phx.gbl...
:
: Nice to know.. but the guest account was never an issue before having
: installed Exchange.. is there a KB article on this or something?
:
:
: "Peter D. Hipson" <mcn01 at hipson dot net> wrote in message
: news:2ujfb0p35u87olkoaab22hsnpeorlhllvn@4ax.com...
: > Just as a matter for form, you should never enable the guest
: > account(s)! (for this very reason...)
: >
: > On Fri, 28 May 2004 17:21:21 -0400, "Jason McClellan"
: > <jason_mcc@obsfucated.myrealbox.com> wrote:
: >
: > >
: >
: > >Is there some exploit that involves the guest account? I have disabled the
: > >guest account, just for the hell of it, and the junk seems to be drying up..
: > >
: > >Jason
: >
: > PeterD, the Darkstar Network
: > To email, fix my address!
: > ExpertZone!
:
:


Jason McClellan

2004-05-30, 11:53 am


Well I checked the security event log.. and it seems this is what was going
on! There are repeated Account Logon 680, Logon/Logoff 540, Privilege Use
576, and Logon/Logoff 538 events, on the Guest account, starting at 6:06am
and ending when I disabled the guest account.

What is surprising (in a strange sort of way) is that I installed Exchange 2
weeks ago, and it took the spammers (pronounced - "scum of the earth") this
long to exploit this! Also, once discovered, I'm somewhat surprised they
didn't inundate me with junk.. I have a 4000/1000 kbps internet connection,
but from the looks of my logs, my mail server only processed about 2500
messages over the whole day.. well, I know a typical business day sees about
400 messages coming in normally. I also know that I got about 1970 NDR's
from my exchange box for undeliverable spams, and I deleted at least 80 from
the queue.

We had guest enabled some time ago, and prior to Exchange, it wasn't an
issue.. it just didn't occur to me, but it makes complete sense of course..
I sure feel stupid!

Thanks for everyone's suggestions!

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:udS1RiTREHA.3452@TK2MSFTNGP10.phx.gbl...
> The "guest" account requires no password to authenticate...
>
> Someone can authenticate to your fileserver, or any other resource, without
> having to supply a password. That's why the guest account is *disabled* on
> all Windows server OSes. Only enable it if you have a specific reason to do
> so, and you are aware of the consequences...
>
> Cheers
> Ken
>
> "Jason McClellan" <jason_mcc@obsfucated.myrealbox.com> wrote in message
> news:%23KvfLgRREHA.2404@TK2MSFTNGP09.phx.gbl...
> :
> : Nice to know.. but the guest account was never an issue before having
> : installed Exchange.. is there a KB article on this or something?
> :
> :
> : "Peter D. Hipson" <mcn01 at hipson dot net> wrote in message
> : news:2ujfb0p35u87olkoaab22hsnpeorlhllvn@4ax.com...
> : > Just as a matter for form, you should never enable the guest
> : > account(s)! (for this very reason...)
> : >
> : > On Fri, 28 May 2004 17:21:21 -0400, "Jason McClellan"
> : > <jason_mcc@obsfucated.myrealbox.com> wrote:
> : >
> : > >
> : >
> : > >Is there some exploit that involves the guest account? I have disabled the
> : > >guest account, just for the hell of it, and the junk seems to be drying up..
> : > >
> : > >Jason
> : >
> : > PeterD, the Darkstar Network
> : > To email, fix my address!
> : > ExpertZone!
> :
> :
>
>
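
The Security log pattern described in the last post (events 680, 540, 576 and 538 on the Guest account), turned into a repeatable check. This is an added example, not part of the original thread; the CSV export layout, host names and timestamps are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Windows 2000/2003 Security log event IDs named in the thread.
EVENT_NAMES = {
    680: "account used for logon (NTLM)",
    540: "successful network logon",
    576: "special privileges assigned to new logon",
    538: "user logoff",
}
WATCHED_ACCOUNTS = {"guest"}  # built-in accounts that should never log on

# Constructed sample export: timestamp, event ID, account, logon type, source.
SAMPLE_EXPORT = """\
2004-05-28 05:58:10,540,jsmith,2,MAILSRV
2004-05-28 06:06:02,680,Guest,,HOST-A
2004-05-28 06:06:02,540,Guest,3,HOST-A
2004-05-28 06:06:02,576,Guest,,
2004-05-28 06:06:09,538,Guest,3,
2004-05-28 06:07:41,680,Guest,,HOST-B
2004-05-28 06:07:41,540,Guest,3,HOST-B
2004-05-28 06:07:50,538,Guest,3,
2004-05-28 09:15:33,540,jsmith,3,DESKTOP-7
"""

def parse_export(text):
    """Turn the CSV export into a list of event dicts."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, event_id, account, logon_type, source = row
        rows.append({"time": ts, "event_id": int(event_id), "account": account,
                     "logon_type": logon_type, "source": source})
    return rows

def summarize_guest_activity(rows):
    """Summarize logon activity by watched accounts; None if there is none."""
    hits = [r for r in rows
            if r["account"].lower() in WATCHED_ACCOUNTS and r["event_id"] in EVENT_NAMES]
    if not hits:
        return None
    logons = [r for r in hits if r["event_id"] == 540]
    return {"first_seen": min(r["time"] for r in hits),
            "last_seen": max(r["time"] for r in hits),
            "network_logons": len(logons),
            "sources": sorted({r["source"] for r in logons if r["source"]}),
            "by_event": dict(Counter(r["event_id"] for r in hits))}
```

Any non-`None` result means the Guest account authenticated successfully; `first_seen` and `last_seen` bound the window to compare against the SMTP logs and queue.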




Copyright 2003 - 2008 webservertalk.com