Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: MS Exchange Relay Authentication
From: Bocko, Andy (Andy.BockoADAM-US.COM)
Date: Thu Oct 02 2003 - 18:38:11 CDT
I've seen this on a few servers in various environments. In every case
the account that was cracked was the box's local administrator and:
1. The account was still named Administrator
2. The password was not complex
3. Administrator lockout was not enabled
4. The Administrator account is enabled (of course)
5. Basic authentication is enabled on the SMTP server
I used Netmon to capture traffic coming to a honeypot Ex2000 box on my
DMZ and I got tons of initiated SMTP sessions that attempt to
authenticate with .\Administrator followed by a random plain text
password. I have set simple passwords to test the attack and usually by
morning the next day I have queued up thousands of messages for
delivery. It's a little interesting that most of the attacks originate
from the same South Korea based ISP. Maybe that's just me.
On our production boxes we have implemented the following:
1. Administrator account is renamed and disabled.
2. We use a program to create a random complex password for the
3. Group Policy enables several account policies including Administrator
account lockout on all servers. (this may seem excessive since we
disable the account)
4. We create a second SMTP VS on the externally accessible servers that
only accepts anonymous connections on port 25 for inbound mail. The
existing 'default' VS is used for outbound mail and is re-assigned to an
IP address that isn't available to the Internet.
I hope that helps.
Chief Technology Officer
Allianz Dresdner Asset Management
U.S. Corporate Services
Fax (949) 640-5113
From: Hovermale, Jake [mailto:hovermalejBEINETWORKS.COM]
Sent: Thursday, September 25, 2003 2:59 PM
Subject: MS Exchange Relay Authentication
We've seen quite a few Exchange Servers recently being used as relays.
Relay restrictions are set to "allow all computers which successfully
authenticate to relay, regardless of the list above." We've removed this
option and added the appropriate servers to the granted computers list
and the problem goes away. Some remote users may need to reset their
email settings to use the local ISP's smtp server but that's how it
should be anyway.
We've seen tens of thousands of messages on average piled up in the
queues. Exchange 2000 handles it much better than 5.5. 5.5 seems to
crash the server more often than not. 2000 handles it but your Internet
browsing may not work too well. We've done some searching and have found
a few others with similar problems.
It seems that account passwords are being cracked. At that point the
spammer can successfully authenticate and voila, free relay server.
Removing the 'authenticate-relay-option' solves the relay problem but
not the fact that the passwords are so easily cracked. We've been
enabling the maximum setting on the MSExchangeTransport SMTP Protocol to
look for eventlog errors to track down the compromised accounts. We've
also suggested resetting all account passwords with stronger settings,
removing all unnecessary accounts, and patching the systems. All this is
the usual stuff but we've seen this on systems with all but the most up
to date patch set so we're not at all sure where vulnerability is or how
the passwords are being cracked.
Anyone have any insight?
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now,
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to
Wondering as to whether the list is running? The NTBugtraq archives are
updated first before messages are emailed to subscribers. Check the
archives first to see if you have missed any messages;